Cyber criminals sharing millions of .edu emails, passwords on dark web


Cyber criminals are aggressively sharing credentials to .edu email accounts — including stolen accounts, fake emails, and older e-mail accounts. The Digital Citizens Alliance saw evidence showing threat actors of all types — including hacktivists, scam artists, and terrorists — putting credentials (e-mails and passwords) up for sale or trade, or, in some cases, simply giving them away.

For the new report, Cyber Criminals, College Credentials, and the Dark Web, Digital Citizens researchers talked with researchers at three cybersecurity companies about sales on the dark web. Digital Citizens researchers also talked with a hacktivist who once publicly shared tens of thousands of HEI credentials. The report includes research on:

  • Rankings showing the total number of stolen credentials for the 300 largest university and college communities found within dark web sites.
  • Sites selling Higher Education Institution (HEI) credentials on the dark web. These emails include those stolen from faculty, staff, students, and alumni, as well as fake emails created by criminals.
  • Clear web sites where vendors sell credentials.
  • Why fake emails are valuable and how they can be used in scams.

The Digital Citizens Alliance’s Deputy Executive Director Adam Benson said the Washington, DC nonprofit wanted to demonstrate the scale of the problem and the complexity facing large organizations trying to protect e-mail users. “Higher Education Institutions have deployed resources and talent to make university communities safer, but highly-skilled and opportunistic cyber criminals make it a challenge to protect large groups of highly-desirable digital targets,” Benson said. “We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with an .edu account.”

HEIs Most Commonly Found on Dark Web

Researchers from ID Agent, a Washington, DC-based security firm, reviewed the email domains for the top 300 Higher Education Institutions (HEIs) in the United States. Using their dark web ID technology, ID Agent researchers determined which schools had the highest total of stolen email accounts available to cyber criminals, a total that included fake e-mails and e-mails with domains designed to resemble those of the HEIs.

During eight years of scanning the dark web, ID Agent researchers have discovered 13,930,176 email addresses and passwords belonging to faculty, staff, students, and alumni at U.S. HEIs available to cyber criminals on dark web sites. 79 percent of the nearly 14 million credentials were discovered by ID Agent researchers over the past 12 months.

Large, Midwestern schools dominated the top ID Agent rankings: The University of Michigan was number one, followed by Penn State University, the University of Minnesota, Michigan State University, The Ohio State University, the University of Illinois, New York University, University of Florida, Virginia Tech University, and Harvard University.

ID Agent’s Managing Partner Brian Dunn said, “Cyber criminals are motivated to be successful, so it’s not surprising to see a significant number of stolen .edu accounts attributed to large and prestigious technical schools.”

Researchers did not find a reason why Michigan was number one or why Midwestern schools tended to be at the top of the list. “It could just be a matter of the size of these HEIs,” said Benson, who is himself an alumnus of the University of Michigan. “I don’t think there is a security issue unique to the Midwestern schools. Many threat actors just want to disrupt and all HEIs offer something appealing to cyber criminals.”

To demonstrate how the size of the university community matters, ID Agent compared the schools’ total population (faculty, staff, and students) to stolen email accounts. When ID Agent researchers looked at those numbers, the Massachusetts Institute of Technology (MIT) had the highest ratio of total stolen email accounts to total current users, followed by Baylor, Cornell, Carnegie Mellon, and Virginia Tech.
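The two measurements this section describes (a raw count of exposed credentials per institution, including addresses on domains made to resemble the school's real domain, and the same count normalized by community size) can be illustrated with a small analysis script. The following is an added example written for this page; it is not ID Agent's dark web ID technology or any code from the report. The credential lines, the institution table and its population figures are constructed placeholders, the `<redacted>` passwords stand in for values the analysis never needs, and the lookalike-domain heuristic (homoglyph normalization plus hyphenated-token matching) is a simplified assumption about the kind of domain matching the report alludes to.

```python
import re
from collections import defaultdict

# Constructed sample in the "email:password" form common to credential dumps.
# Every address here is made up; passwords are redacted because the analysis
# only looks at the domain part of each address.
SAMPLE_DUMP = """\
alice@umich.edu:<redacted>
bob@mail.umich.edu:<redacted>
carol@umich-edu.com:<redacted>
dave@psu.edu:<redacted>
erin@umn.edu:<redacted>
frank@urnich.edu:<redacted>
grace@mit.edu:<redacted>
heidi@alum.mit.edu:<redacted>
not-an-email-line
ivan@example.org:<redacted>
"""

# Hypothetical institution table: official domain -> (name, community size).
# The population numbers are placeholders, not figures from the report.
INSTITUTIONS = {
    "umich.edu": ("University of Michigan", 80000),
    "psu.edu": ("Penn State University", 100000),
    "umn.edu": ("University of Minnesota", 70000),
    "mit.edu": ("MIT", 15000),
}

EMAIL_RE = re.compile(r"^([^@:\s]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,}):")

# Character sequences commonly used to imitate letters in lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def parse_dump(text):
    """Return (local_part, domain) pairs for well-formed lines; skip the rest."""
    records = []
    for line in text.splitlines():
        m = EMAIL_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2).lower()))
    return records


def normalize_label(label):
    """Collapse homoglyph sequences so 'urnich' compares equal to 'umich'."""
    for seq, repl in HOMOGLYPHS:
        label = label.replace(seq, repl)
    return label


def classify_domain(domain, institutions):
    """Map a domain to (official_domain, kind); kind is 'official', 'lookalike' or None."""
    for official in institutions:
        if domain == official or domain.endswith("." + official):
            return official, "official"          # exact domain or a subdomain of it
    parts = domain.split(".")
    if len(parts) < 2:
        return None, None
    sld = parts[-2]                              # registrable label, e.g. 'umich-edu'
    tokens = sld.split("-")
    for official in institutions:
        off_sld = official.split(".")[-2]
        if normalize_label(sld) == off_sld:
            return official, "lookalike"         # e.g. urnich.edu or umich.com
        if len(tokens) > 1 and off_sld in tokens:
            return official, "lookalike"         # e.g. umich-edu.com
    return None, None


def rank_exposure(records, institutions):
    """Count official and lookalike addresses per institution and rank by total."""
    counts = defaultdict(lambda: {"official": 0, "lookalike": 0})
    unmatched = 0
    for _, domain in records:
        official, kind = classify_domain(domain, institutions)
        if kind is None:
            unmatched += 1
            continue
        counts[official][kind] += 1
    rows = []
    for official, c in counts.items():
        name, population = institutions[official]
        total = c["official"] + c["lookalike"]
        rows.append({
            "domain": official, "name": name,
            "official": c["official"], "lookalike": c["lookalike"],
            "total": total,
            # exposure relative to community size, as in the MIT comparison above
            "per_1000_users": round(1000 * total / population, 2),
        })
    rows.sort(key=lambda r: (-r["total"], r["domain"]))
    return rows, unmatched


def rank_by_density(rows):
    """Re-rank the same rows by exposed accounts per 1,000 community members."""
    return sorted(rows, key=lambda r: (-r["per_1000_users"], r["domain"]))


if __name__ == "__main__":
    rows, unmatched = rank_exposure(parse_dump(SAMPLE_DUMP), INSTITUTIONS)
    for r in rows:
        print(f"{r['name']:<25} total={r['total']} official={r['official']} "
              f"lookalike={r['lookalike']} per_1000={r['per_1000_users']}")
    print("unmatched domains:", unmatched)
```

On the constructed sample the raw ranking puts the larger school first, while the per-1,000-users ranking puts the smaller one first, which is the same shift the report describes between its headline list and the MIT-led ratio list. The lookalike check is deliberately conservative; a production pipeline would also consult registered-domain lists and the institution's own subdomain inventory before counting an address against a school.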

Credentials for Sale on Clear Web and Dark Web

A hacktivist who once posted thousands of .edus online showed Digital Citizens several sites where .edus are for sale right now. The hacktivist, who used the name “DeadMellox”, told Digital Citizens that “most people simply create and then sell them, instead of actually taking them from a site.” Fake emails can be used to scam others in the university and college communities. Criminals can also use fakes to take advantage of discounts offered to students and faculty on software and various other products.

The cybersecurity company GroupSense showed Digital Citizens researchers dark web sites where criminals either sold .edu emails (in one case for as much as $17-$19) or the ability to create emails. GroupSense also shared an example of a post from a “vendor” who claimed to be affiliated with the Islamic State and to have emails from a major university. He shared hundreds of examples in his post.

Putting the Focus on the Bad Guys

HEI security teams have taken dramatic steps to protect university communities. In 2016, the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) notified HEIs of more than 2,197,000 compromised credentials. Universities are aware of the reuse problem and have worked hard to educate members of the university community on how to protect themselves. We saw examples of pages on HEI-operated websites explaining how to create effective passphrases and use two-factor authentication.

However, that notification only shuts down the HEI email account, not any other account for which the user registered with the HEI email address as a user ID or reused the same password. REN-ISAC notification does not directly reduce risks if you use your school’s password on social media accounts, e-commerce sites, or other email.