Deleting passwords from the email log

Categorized News

The operation of the current ECCS Staff Email (@mail.ecc.u-tokyo.ac.jp) and MailHosting services began in August 2016. Unfortunately, email client passwords used before May 20, 2018 were saved in the email sending log and were decodable. Please note that temporary passwords sent when users failed to log in were saved as well.

• As email sending logs are saved in the storage locations where only the system administrator can view, there is no possibility for a third party to have accessed the password unless some vulnerability exists in the system.
• We have not confirmed of any incidents of possible leaks to a third party other than an administrator, or vulnerabilities in the current and the previous systems (Although a business computer terminal used in the Information Technology Center was infected by malware in July 2016 and some information leak occurred, no email logs were leaked.).
• The above mentioned problem regarding decodable passwords in email sending logs does not apply when emails are sent from the web interface or receiving emails through IMAP and POP.

As it is an unfavorable situation that system administrators of the mail server have access to the user’s passwords, we have modified the system to prevent retention of decodable passwords in the email sending logs on May 20, 2018. Following the modification, we have carried out masking of decodable passwords in the email sending logs during the period from August 2016 to May 20, 2018.

Although there is no imminent danger, we recommend that users who sent emails using mail client through ECCS Staff Email and MailHosting services during the period from August 2016 to May 20, 2018 and users who still use the same password or use the same password for other services (we do not recommend using the same password for different services) to change passwords.

We apologize to ECCS users for causing concern.