If you have a .edu e-mail address, beware: The account name, password and other personal information associated with that account may be listed online for cyber criminals to buy.
The Digital Citizens Alliance is reporting evidence showing threats of numerous kinds — including hacktivists, scam artists and terrorists — putting credentials including e-mails and passwords up for sale, trade, or even free giveaway.
It’s all happening on the dark web, a highly decentralized digital space where the buying and selling of goods, services and information is unregulated and often illegal.
Cyber criminals can sell or buy illicit and often stolen goods, like music, movies, drugs, weapons and even email information.
Why would buyers want university email account credentials? They can use them to take advantage of university discounts, such as computer software and Amazon Prime memberships, for example. They also can use them for phishing scams or gaining further access to university financial, research and other potentially sensitive information, according to researchers.
Eric Mason, a senior at Ohio State University, said he’s had issues with his university email credentials. After his school email account was recently hacked, he had to change his email and passwords associated with several accounts on websites like Adobe.com and iTunes out of fear that his credit card information could be compromised.
“Somehow, someone was able to get into my email account and wreak some havoc,” Mason said. “I’m not really sure how my account was hacked or what all has happened since, but it makes me nervous and a little concerned that it’s that easy to do.”
Many people reuse their campus username to establish accounts for online services for convenience, and they may or may not use their associated .edu password, according to the report.
Mason said he had gotten numerous phishing emails sent to his university account before, but he never clicked on the messages. Now, however, he’s concerned about what else could happen to other accounts associated with his university email address.
“I’ve had to go back and change my email and password to all of my accounts because I used to use the same login for everything,” he said. “I didn’t understand or realize how serious and how much of a headache this could be until it happened.”
The problem is widespread
Digital Citizens Alliance’s deputy executive director, Adam Benson, said the Washington, D.C. nonprofit wanted to demonstrate the scale of the problem and the complexity facing large organizations trying to protect e-mail users through the report.
“Higher education institutions have deployed resources and talent to make university communities safer, but highly skilled and opportunistic cyber criminals make it a challenge to protect large groups of highly desirable digital targets,” Benson said. “We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with an .edu account.”
As part of the study, researchers from ID Agent also reviewed the email domains for the top 300 higher education institutions in the U.S. The researchers then determined which schools had the highest total of stolen email accounts — from faculty, staff, students and alumni — available to cyber criminals on the dark web.
And we’re talking about a lot of accounts here. During eight years of scanning the dark web, ID Agent researchers reported having found nearly 14 million email addresses and passwords belonging to people affiliated with U.S. colleges and universities — nearly 80% of which were discovered by researchers over the last 12 months alone.
Guess where most of those accounts are from? Large Midwestern schools, mostly. The University of Michigan topped the list, followed by Penn State, Minnesota, Michigan State, Ohio State, University of Illinois, New York University, Florida, Virginia Tech and Harvard.
It’s not clear why Michigan was number one or why Midwestern schools ranked so high, but it’s probably just a function of size, said Benson, an alumnus of the University of Michigan. “I don’t think there is a security issue unique to the Midwestern schools. Many threat actors just want to disrupt.”
The report also compared schools’ total population to stolen e-mail accounts. When researchers looked at those numbers, the Massachusetts Institute of Technology had the highest ratio of total stolen e-mail accounts to total current users, followed by Baylor, Cornell, Carnegie Mellon and Virginia Tech.
“Cyber criminals are motivated to be successful, so it’s not surprising to see a significant number of stolen .edu accounts attributed to large and prestigious technical schools,” said ID Agent managing partner Brian Dunn.
How you can protect yourself
The report suggests practices to provide more protection for academic email accounts. Password education is one key component of defense, researchers said.
Password complexity requirements differ. Being forced to use a unique password, for example, can be annoying, but it does help protect your account. Nothing can completely guarantee the security of a password, but researchers recommend these practices to reduce risk:
- Use a mix of uppercase, lowercase, numbers and special characters
- Make the password as long as the system allows
- Think in terms of passphrases instead of passwords
- Use a random password generator to avoid social engineering
- Do not re-use a university-provided password for other systems
- Change passwords at least annually or if exposure is suspected
- Consider using a password vault to store passwords
- Never share passwords with others
- Report any suspicious activity to local law enforcement or the institutional IT incident response team.
Casey Smith is a student at Ball State and a USA TODAY College correspondent.