Report: University E-Mail Accounts Listed on Dark Web

• By Sri Ravipati
• 04/03/17

Image Credit: Digital Citizens Alliance.

If you are currently using or previously used an .edu e-mail address, your account name, password and other personal information may be listed online for cyber criminals to buy. 

That analysis comes from Digital Citizens Alliance (DCA), a nonprofit coalition that has been investigating the dark corners of the internet for the last eight years. DCA recently published a report surfacing evidence that cyber criminals are selling tens of thousands of higher ed e-mail accounts on the “Dark Web,” which is a highly decentralized digital space in which the sale and purchase of goods, services and information is unregulated and often illegal. Cyber criminals can sell or buy illicit, usually stolen goods, like weapons, drugs, malware, movies, music and this case e-mail information, in the Dark Web.

DCA, along with researchers at ID Agent, GroupSense and Terbium Labs, looked at the availability of credentials (i.e. e-mail accounts and passwords) for the largest 300 higher education institutions (HEIs) in the United States during the eight-year period. In the most recent scan, March 2, researchers uncovered nearly 14 million e-mail addresses and passwords belonging to faculty members, students and alumni available on the Dark Web. Of these, 79 percent (nearly 11 million) were discovered in the last 12 months.

While a library, computer lab or other academic setting might seem like the first places hackers would attack, researchers instead found that many of the credentials “are the result of one or more breaches in non-academic settings where .edu credential-holders used .edu user names, or the credentials could have been fraudulently created in the first place,” according to the report. 

To help understand why hackers go after academic communities, the DAC report cites expertise and work by the notorious hacker nicknamed “Dead-Mellox,” who leads Team GhostShell, the "hacktivist" organization that once publicly dumped data for tens of thousands of educational and governmental institutions online. Dead-Mellox, later revealed as 25-year-old Razvan Eugen Gheorghe who lives in Bucharest, Romania, offered the following insights to digital citizens:

• E-mail accounts with .edu domains are vulnerable to breaches in general;
• Higher ed institutions tend to have more data than leading commercial businesses or governmental entities; and
• Their assets, including intellectual property and research, offer bigger prizes for hackers.

The report also examines HEIs with the most credentials listed on the Dark Web. For the No. 1 spot, the University of Michigan-Ann Arbor had 122,556 credentials, followed by Pennsylvania State University (119,350), University of Minnesota-Twin Cities (117,604), Michigan State University (115,973), Ohio State University (114,032) and the University of Illinois (99,375). For currently active e-mail accounts,  Massachusetts Institute of Technology tops the list, followed by Baylor University, Cornell University, Carnegie Mellon and Virginia Tech. Ranked by state, California had the largest number of credentials available, followed by New York, Michigan, Texas and Pennsylvania.

View the full report here.