Millions of .edu email login credentials belonging to university students, staff, and alumni across the US are being sold on the dark web according to a new report by Digital Citizens Alliance.
The email addresses have reportedly been fished from staff, faculty, students, and alumni of the country’s 300 largest higher learning institutions for months now, and are not exactly data dumps from a single or a few data breaches.
According to the researchers, the emails were not even stolen from computer systems in the target schools – they are instead likely to have been fraudulently created and sold to the dark web vendors or obtained from multiple third-party, non-academic platforms where majority of the users are .edu email address holders.
The report underscores The University of Michigan as the single largest mine of the breached information of the Big Ten universities with 122,556 email addresses.
The University of Minnesota, Penn State University, the University of Illinois, Michigan State University, and Ohio State University are the other notable oblivious contributors to the dark web stash with at least tens of thousands of email addresses hewed from each.
On the whole, the biggest targets were universities based in California, Pennsylvania, Texas, New York, and Michigan.
According to the report, there are approximately 14 million .edu addresses listed in bunches on various dark web marketplaces, and are being sold on the primary market for prices that do not make allowances for any data that individual email addresses may contain.
With the dark web seemingly overflowing with the email addresses from the hack, one would think the listings do not command any demand anymore – but that’s not the case, according to Brian Dunn of ID Agent, the company that collected and provided the data for the research.
He reckons buyers can easily use the information to steal other people’s identity and use the information to log into accounts on social media, other websites, and even banks.
He also thinks the credibility of .edu extensions will be useful in the spread of computer viruses to unsuspecting victims.
“What can be more trusted than a mail from a .edu email address?” said Dunn. “They can be used to spread Trojan and malware because people are likely to be willing to click on a .edu email thinking it is real.”
The report pinpoints even more worrying probable uses of the emails obtained from the hack – access to University-conducted government-funded researches looking possible.
“While it is unlawful for university resources, including emails, to be used in conducting classified government researches,” the report states, “a rogue nation state could target a professor’s email to identify another that could actually be bearing the information.”
Of course numerable smaller uses such as purchasing at a discount at stores targeted for faculty and students or setting up fake accounts at universities exist, but fraud and spread of malware seem to be the more perturbing ones.
The conclusions on how the emails could be used were reached by Digital Citizens Alliance with the help of other dark web security research organizations such as ID Agent, Terbium Labs and Group Sense.
The researchers did not pinpoint any cases of negligence on the universities’ side and, accordingly, commended IT managers in colleges and universities for their good job.
That said, renowned hacker Razvan Eugen Ghoerghe, who goes by the pseudonym “DeadMellox” on the dark web, told the researchers that email addresses with .edu suffixes were the most vulnerable ones, claiming he had hacked into numerous higher learning institutions and leaked email addresses on the dark web with farfetched ease.
He was quick to distance himself from illegal data selling on dark web marketplaces, however, and instead put his heroics down to an impulse to raise awareness on the vulnerabilities in state university systems.
The researchers provided recommendations at the bottom of their report on the measures that should be taken by victims and potential victims, and hoped their publicized report would reach as many students and faculty across the country as possible.