If you believe someone has unauthorized access to your NCU account, every minute counts. Learn the immediate steps to stop the damage, secure your account, and report the incident to IT.
Immediate steps — do these first
Speed is the most important factor. The faster you act, the more you can limit what an attacker does with access to your account.
- Call IT immediately: 612.343.4170. IT can help lock down your account, review sign-in logs, check for unauthorized changes, and assess the scope of what happened. Don't wait until you've done everything else — call first.
- Change your NCU password immediately. Do not reuse your previous password. Do not use a password you use on any other site. Choose something entirely new.
- Review your active sessions and revoke any you don't recognize. Go to myaccount.microsoft.com → Security → Sign-in activity. Any unfamiliar device or location should be flagged and revoked.
- Review and remove any MFA devices or methods you didn't add. Go to myaccount.microsoft.com → Security info. If you see an authenticator app, phone number, or device you don't recognize, remove it immediately and call IT. An attacker who has added their own MFA method can maintain access even after you change your password.
- Submit an incident report: IT Security Incident Form. Even if you've already called, the written record helps IT investigate and track the incident.
Review and secure your account
Once your password is changed and your session is revoked, work through these checks. Attackers who access an email account often make changes designed to maintain persistence or collect information even after the password is changed.
Outlook / Microsoft 365
- Check Sent items and Deleted items for messages you didn't send or delete.
- Check Rules (Settings → Mail → Rules) — delete any you didn't create. Attackers commonly add forwarding rules to silently copy your email to an external address.
- Check Forwarding settings (Settings → Mail → Forwarding) — remove any external addresses you didn't set.
- Review Connected apps and services at myaccount.microsoft.com → Privacy → App permissions — revoke anything unfamiliar.
Gmail (student accounts)
- Check Sent, Trash, and all folders for messages you didn't send or delete.
- Go to Settings → Filters and blocked addresses — delete any filters you didn't create.
- Go to Settings → Forwarding and POP/IMAP — remove any forwarding addresses you didn't set.
- Go to Settings → Accounts → Grant access to your account — remove any accounts that shouldn't have access.
Check other accounts that use the same password
If you reused your NCU password on any other site, change those passwords too — immediately. Attackers who obtain one set of credentials will automatically try them against banking sites, other email accounts, Amazon, and anywhere else they can think of. This is called credential stuffing, and it works because password reuse is extremely common.
How accounts get compromised
Common causes
- Phishing. Entering your credentials on a fake login page — the most common cause. The page looks exactly like Microsoft's sign-in screen but sends everything you type to the attacker. See: Recognizing and Reporting Phishing at NCU.
- Password reuse. If your NCU password was also used on another site that was breached, attackers will try it against your NCU account automatically. Every account should have a unique password.
- MFA fatigue / prompt bombing. An attacker who has your password sends repeated MFA push notifications hoping you'll approve one out of frustration or confusion. Never approve an MFA prompt you didn't initiate.
- Malware / keyloggers. Software on a compromised device can capture your keystrokes as you type, collecting your password without you ever being tricked into sharing it directly.
- Password sharing. Sharing your credentials with anyone — even someone you trust — means your security is now dependent on their security practices and every device they use.
- Weak or guessable passwords. Short passwords, common words, and predictable patterns (birth years, sports teams, simple sequences) can be broken by automated guessing tools quickly.
Why even "empty" accounts matter to attackers
A compromised account has value even if there's nothing sensitive in it
It's tempting to assume your account isn't worth attacking if you don't handle sensitive data. That's not how attackers think about it. A compromised NCU account gives them:
- A trusted @northcentral.edu address to use for phishing attacks against your colleagues, students, and contacts — email from an internal address is far more convincing than one from a stranger
- Access to university computing resources and network infrastructure
- A foothold to move laterally — your account may have access to shared drives, systems, or contacts that lead to more valuable targets
- Your contact list and email history, which help them craft more convincing attacks against people you know
There is no such thing as an account too unimportant to secure.
Preventing it from happening again
The strongest defenses, in order of impact
- Use MFA — and only approve prompts you initiated. MFA blocks the vast majority of credential-based attacks. But it only works if you pay attention to when prompts arrive. An unexpected MFA push is an attack in progress.
- Use a unique password for every account. Password reuse is the single most common reason a breach of one site turns into a breach of your NCU account.
- Never enter your credentials on a page you reached through an email link. Navigate directly to NCU portals by typing the URL. Always check the address bar before logging in anywhere.
- Keep your devices updated and malware-free. A compromised device compromises every account you use on it, regardless of how strong your passwords are.
- Report anything suspicious immediately. The faster IT knows, the faster the threat can be contained.