Credentials Now Required for Access to Dartmouth Directory

The Dartmouth directory look-up function at lookup.dartmouth.edu is a quick and convenient way to find contact information for Dartmouth faculty, students, and staff. Since its inception, this function has been public-facing, with the included information published for everyone to see. However, starting on August 20, 2024, users will need to log in with their NetID and password through Dartmouth's SSO (Single Sign-On) authentication to access this function. Please note that this change will NOT apply to the following individuals

  • On-campus users
  • DHMC users

These individuals will NOT need to sign in to access this function.

 

Why is this change happening?

The Dartmouth Information Security Office has indicated that this function is being utilized by external/unauthenticated parties as a mechanism to query our directory. In fact, there is evidence to indicate that companies have already used dartmouth.edu databases to send emails to Dartmouth service accounts, regardless of whether or not the accounts subscribed to receive emails from these companies. 

For example, the directory is likely the source that companies and attackers use to launch unsolicited marketing campaigns and targeted phishing attacks, including the following: 

  • In April 2024, one company sent around 26,000 messages to Dartmouth addresses within 30 days.
  • Dartmouth students were the target of multiple phishing emails in May 2024 claiming to have an admin assistant job available. Students were instructed to send their full name to a phone number listed in an attachment. The emails included counterfeit signatures that listed actual Dartmouth professors as the person sending the email. 
  • Another phishing email was sent out to Dartmouth students, faculty, and staff in early May 2024. This email claimed to be from President Sian Beilock on behalf of a Dartmouth college student who was giving away her late father’s piano for free. Recipients were instructed to contact the Dartmouth student directly using their personal email address.

These changes are being made with the intention to increase the security of Dartmouth users by reducing the amount of unsolicited emails, which can lead to falling victim to spam and phishing attacks. Please contact information.security@dartmouth.edu if you have any questions or concerns about these changes.