It's one thing for people to have their own passwords pwned. It's quite another when someone breaks in via support people's accounts. This is why you don't host your email on other people's servers without end-to-end encryption.
Since it's public institution I'm not sure why it's all not freely available to begin with, other than FERPA. On the bright side they also pushed a new 2FA program pretty aggressively (aka actually require it ;)) so hopefully much of what's reachable via those credentials is okay.