395,000 Compromised Credentials and Counting: How Texas A&M Leverages Flashpoint To Mitigate Risk

About Texas A&M

Created by the Texas Legislature in 1948, the Texas A&M University System (TAMUS) is one of the largest higher education networks in the nation: 11 statewide universities, a comprehensive health science center, eight state agencies, and the RELLIS Campus, a research and testing engineering facility.

The Texas A&M University System educates more than 153,000 students and each year makes more than 22 million additional educational contacts through service and outreach programs each year.

72 Hours

recouped identifying IOCs


compromised credentials identified
{2016 – 2021}


compromised credentials identified
{2021 to-date}
Table Of Contents

The Challenge

  • Internal networks
  • Ransomware and extortion
  • Hacktivism (e.g. website defacement)

One portal, lots of access

All TAMUS students use university portals to access homework assignments and their grades in the same way they do student loan data and other sensitive personal identification information (PII). The same is true of faculty, administrators, and other TAMUS employees, who may have access to confidential student and human resources-related data, including home addresses, phone numbers, paystubs, and personal health information (PHI).

Unlike corporate accounts, university emails are often used for personal matters. But colleges don’t always age off email addresses, giving them an extended chance of becoming compromised. 

“We’re a heavy user of SSO,” said McLarty. “And because of the pervasiveness of password reuse, one set of stolen credentials could open numerous risk apertures.”

Third-party risk

Stolen education credentials could be used by threat actors to access third-party apps used within the TAMUS ecosystem. 

The same stolen credentials can also grant a threat actor access to marketplaces that offer student, faculty, Veteran or alumni discounts as well as portals outside the university system, including banks and other accounts that may not have added security layers, such as two-factor authentication (2FA), set up. A threat actor could potentially access the TAMUS system with a set of credentials that was stolen elsewhere.

The Solution

“Flashpoint’s platform allows us to uncover stolen credentials, flag accounts, reset employee passwords, identify IOCs, filter false positives, understand password complexity and quality, restrict permissions, set up alerts to legitimate compromised accounts, and ultimately prevent account takeover faster than ever before,” said Cody Autrey, a Security Analyst on the front lines of the CTI team.

“Flashpoint has become an integral part of our security infrastructure and threat response workflows, impacting what we do day-in, day-out.”

Cody Autrey, Texas A&M University System SecOps Team

The Results

“Remember Me” policy changes

From a strategic level, the SecOps team changed its policy on multi-factor authentication (MFA); it now forces users to re-authenticate MFA every five days, down from legacy standards that in some cases exceeded 60-days.

Operational and tactical impact

The SecOps team has changed its specific intel requirements (SIRs) because they now know not only how they’ve been compromised but also where it has occurred: an end-user device, from within the network, or from compromised third-parties.

The SecOps team can leverage Flashpoint’s Technical Intelligence feeds to monitor for specific types of malware or info stealers, thereby focusing their efforts to identify threats they know to be a risk.  

“Our previous compromised credential discovery methods were not quick enough to efficiently prevent account takeover,” said McLarty.

“Flashpoint has allowed us to become more efficient in our investigations and provided us the ability to dedicate more time and focus to complex security challenges.”

Nick McLarty, Deputy CISO, Texas A&M University System SecOps

Getting started is easy!