Concerns Over Web Portal Force Password Change

Harvard Arts and Sciences Computing Services (HASCS) sent an e-mail yesterday to over 400 students who had registered to use houseSYSTEM—a student-created web portal that sparked controversy last week because of potential security vulnerabilities—instructing users to change their e-mail passwords because they “may have been compromised on a web server located off campus.”

Those students’ Harvard network accounts were locked, and they were unable to access them until they chose new passwords. As of yesterday, the site’s creator had modified houseSYSTEM so that no new users could register.

The notice came two weeks after the initial launch of houseSYSTEM—which promised to allow students to trade textbooks, give feedback about classes and check e-mail—and followed a spate of e-mails over the Lowell House open e-mail list, debating the possible security risks of using the portal.

The debacle stemmed from houseSYSTEM’s requirement that any user provide his or her Faculty of Arts and Sciences (FAS) network password in order to use the site’s web-based e-mail function, which meant that FAS credentials were being collected and held on a server that FAS Computer Services did not control.

As of yesterday, 402 people had registered with the portal or with its predecessor, CriticalMass, according to Lowell House Senior Tutor Jay L. Ellison, though it is not known how many of those people had provided their actual FAS password.

Though it did not mention either CriticalMass or houseSYSTEM by name, the e-mail from HASCS yesterday afternoon warned students of the possibility that their accounts might have been tampered with.

“To protect the security of your FAS account and the privacy of your e-mail and data, we are asking you to change your password at this time,” the message read. “In the future we would also ask, for security reasons, that you never enter your FAS password on any website that is not officially endorsed or operated by FAS Computer Services.”

HASCS Director Franklin M. Steen said he had not heard of any specific instances in which users’ systems might have been compromised through contact with houseSYSTEM, but said that anyone whose password might have been recorded on a non-FAS website should take precautions.

“We don’t know if they were compromised or not, but if there’s a chance, we want to be sure people change them,” said Steen. “That’s just our policy, that anytime it appears that there might be a problem with a password to have people change them.”

Aaron J. Greenspan ’05, who designed houseSYSTEM along with the Harvard Student Entrepreneurship Club (SEC), maintained that no one’s password—whether their genuine FAS password or not—had ever been in jeopardy. It was partially for this reason, he said, that he initially balked when Ellison informed him that the College administration wanted him to turn over the usernames of every houseSYSTEM registrant.

“HASCS wanted to instruct everybody using houseSYSTEM to change their password,” said Greenspan. “I objected to this on the count that there was no security risk.”

The administration made other requests as well, according to Greenspan and Ellison. In addition to turning over a list of user names, Greenspan was asked to delete any FAS passwords—even if encrypted—that were stored in the houseSYSTEM database and to make sure that no project of his ever asked for FAS passwords again.

Greenspan consented and sent the College the list, but said he was uncomfortable with the idea of turning over any information pertaining to users of houseSYSTEM. Integrated in the portal are all users from the old CriticalMass website, a site Greenspan created last year to act as a venue for feedback about classes and professors. Greenspan worried that with enough information, a student might be linked to what he or she had said previously about a class or instructor.

“If they had other information from the database, it would be a simple matter,” Greenspan said. “They already have a lot of this information. It’s not likely that they would abuse it, but it still should not be in their hands.”

Greenspan said he had been threatened with “unspecified disciplinary action” if he did not turn over the list of user names.