Michigan suffered a 21st century nightmare earlier this week. It got hacked.
To the institution's credit, it's owning up to its mistakes and published a thorough breakdown (complete with graphics and timelines) of the devastating own.
From SocialMedia.UMich.edu:
After quickly establishing that this was not the work of a disgruntled employee, and confirming that we had lost all administrative access to the accounts, we began furiously flagging content, pages, and any Facebook organizational contacts we could find. As the owners of the sixth-largest higher-ed Facebook audience in the nation and the largest pages in collegiate athletics for football and basketball, one might think we have Facebook on speed-dial; however, that was not the case. Further complicating the situation was the fact that many of the contacts we did have were in a variety of time zones, and many were still sleeping. In the end, it was actually Facebook’s London (UK) team that came to our rescue, thanks to a connection made through a former agency peer who then reached out to a Facebook client partner at one of Michigan’s robust auto industry social teams.
[...]
Just after the noon hour, a second wave of attacks was triggered on the previously affected pages as a result of our efforts to alter delegated privileges on the remaining page administrators. It was at this point that we were able to determine the actions were linked to a specific employee’s personal account, and we relayed information to ITS and Facebook which allowed us to determine the original source of the security breach. Following an extensive investigation, Facebook determined that the hack was part of a sophisticated phishing scheme found within Facebook Messenger that has affected many other brands.
[...]
For us, the moral of the story was clear. Password security isn’t enough – even the most well-trained social media professionals are still subject to human error. The best we can do is take every necessary precaution to incorporate additional levels of security. Collectively, we have initiated the implementation of two-step authentication procedures, and are continuing to evaluate third-party security applications. Lastly, at Facebook’s recommendation, we are also researching Facebook Business Manager.
All in all, it's the most thorough documentation of a Michigan L this side of a Kyle Jones post-Game Xs and Os breakdown.
