Enable breadcrumbs token at /includes/pageheader.html.twig

Cyber Attack 101: Criminals Go After U.S. Universities

Hackers are sharing millions of .edu email addresses and passwords on the dark web.

Millions of student, staff and faculty email addresses and passwords from 300 of the largest universities in the United States have been stolen and are being circulated by cyber criminals on the dark web, according to a recent report.

Hacktivists, scam artists and even terrorists intend to sell, trade or just give away the addresses and passwords, said the Digital Citizens Alliance report.

During eight years of scanning the dark web—the portion of the Internet not indexed for open searches, where criminals covertly operate—researchers from the security firm ID Agent discovered nearly 14 million addresses and passwords belonging to faculty, staff, students and alumni available to cyber criminals. Of those, 79 percent of the credentials were placed there within the last year.

The nonprofit Digital Citizens Alliance, based in Washington, D.C., wanted to demonstrate in its recent report the scale and complexity of the problem facing large organizations that try to protect email users. "Higher education institutions have deployed resources and talent to make university communities safer, but highly skilled and opportunistic cyber criminals make it a challenge to protect large groups of highly desirable digital targets," the group's Deputy Executive Director, Adam Benson, says in a statement. "We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with a .edu account."

ID Agent noted that large Midwestern institutions appear to be the most vulnerable, although it is not clear why they are targets. Topping the list is the University of Michigan, with 122,556 email addresses found on the dark web, followed by Penn State University, the University of Minnesota, Michigan State University, Ohio State University and the University of Illinois.

"Cyber criminals are motivated to be successful, so it's not surprising to see a significant number of stolen .edu accounts attributed to large and prestigious technical schools," Brian Dunn, ID Agent's managing partner, says in a statement.

Criminals and hacktivists can use the fake emails to scam others or take advantage of discounts offered to students and faculty on products such as software.

Higher education institutions have taken steps to beef up their cybersecurity postures, especially after the Research and Education Networking Information Sharing and Analysis Center last year alerted officials to compromised credentials. "Universities are aware of the reuse problem and have worked hard to educate members of the university community how to protect themselves," according to the Digital Citizens Alliance. "We saw examples of pages on [university-operated] websites explaining how to create effective passphrases and use two-factor authentication."