
Cybercriminals share millions of stolen university email ids

If you have a .edu email address, beware: the account name, password, and other personal information associated with this account may be listed online for cybercriminals to buy.

The Digital Citizens Alliance reports evidence of threat actors of all kinds – including hacktivists, crooks and terrorists – selling identification information, including e-mails and passwords, or even giving it away for free.

It all happens on the dark web, a highly decentralized digital space where the buying and selling of goods, services and information is unregulated and often illegal.

Cybercriminals can sell or buy illicit and often stolen goods, such as music, movies, drugs, guns and even e-mails.

Why do shoppers want university email account credentials? They can use them to take advantage of academic discounts, such as computer software and Amazon Prime subscriptions, for example. They may also use them for phishing scams or to gain more access to financial information, research, and other potentially sensitive information from the university, according to researchers.


Eric Mason, a senior from Ohio State University, said he had problems with his university credentials. After his email account was recently hacked, he had to change his e-mail address and passwords associated with multiple accounts on websites such as iTunes, for fear of compromising his credit card account information.

"In one way or another, someone could get into my e-mail account and wreak havoc," Mason said. "I'm not really sure how my account was hacked or anything that has happened since then, but it makes me nervous and a little worried that it's so easy to do."


Many people reuse their campus user name to set up accounts for online services for the sake of convenience, and they may or may not use their associated .edu password, according to the report.

Mason said that he had received many phishing emails sent to his university account before, but he never clicked on the posts. Now, however, he is concerned about what could happen to other accounts associated with his university e-mail address.

"I had to go back and change my e-mail address and password for all my accounts because I had used the same identifier for everything," he said. "I did not understand or realize how serious it could be until it happened."

The problem is widespread

Digital Citizens Alliance Deputy Executive Director Adam Benson said the Washington, DC-based nonprofit wanted to demonstrate the scale of the problem and the complexity large organizations face in trying to protect e-mail users.

"Higher education institutions have deployed resources and talents to make university communities safer, but highly skilled and opportunistic cyber criminals make it difficult to protect large groups of highly desirable digital targets," said Mr. Benson. "We have shared this information with cybersecurity researchers to better understand the types of threats that actors are able to do with a .edu account."

As part of the study, ID Agent researchers also examined the email domains of the 300 largest higher education institutions in the United States. The researchers then determined which schools had the largest number of stolen email accounts – belonging to teachers, employees, students and alumni – available to cyber criminals on the dark web.

And we are talking about a lot of accounts here. Over eight years, ID Agent researchers have found nearly 14 million e-mail addresses and passwords belonging to people affiliated with American universities – nearly 80% of which were discovered by researchers in the last 12 months.

Guess where most of these accounts come from? Midwestern schools, especially. The University of Michigan is at the top of the list, followed by Penn State, Minnesota, Michigan State, Ohio State, the University of Illinois, New York University, Florida, Virginia Tech and Harvard.

It's unclear why Michigan was number one or why Midwestern schools are so highly ranked, but it's probably just a function of size, said Benson, a former student of the University of Michigan. "I do not think there's a security problem peculiar to Midwestern schools – many threat actors just want to disrupt it."

The report also compares the total population of schools with stolen email accounts. When researchers looked at these numbers, the Massachusetts Institute of Technology had the highest ratio of stolen email accounts compared to the total number of current users, followed by Baylor, Cornell, Carnegie Mellon and Virginia Tech.

"Cyber criminals are motivated to succeed, so it's not surprising to see a large number of stolen .edu accounts awarded to large and prestigious technical schools," said Brian Dunn, managing partner of ID Agent.

How to protect yourself

The report suggests practices to better protect university email accounts. According to the researchers, password education is a key part of the defense.


Password complexity requirements differ. Being forced to use a unique password, for example, can be tedious, but it helps to protect your account. Nothing can totally guarantee the security of a password, but researchers recommend these practices to reduce the risks:

  • Use a mixture of uppercase, lowercase, numbers, and special characters
  • Make the password as long as the system allows
  • Think in terms of secret phrases instead of passwords
  • Use a random password generator to avoid social engineering
  • Do not reuse a university-provided password for other systems
  • Change passwords at least once a year or if an exposure is suspected
  • Consider using a password vault to store passwords
  • Never share passwords with others
  • Report any suspicious activity to the local police or the institution's computer incident response team

Casey Smith is a Ball State student and USA Today College correspondent.