'Dark Web' Hacks, Sells Millions Of .Edu Email Addresses
Student, faculty and alumni email addresses may end up in the hands of global terrorists, a new report from Digital Citizens Alliance says.

A disturbing report released by the Digital Citizens Alliance Wednesday says a cabal of criminal entrepreneurs who hang out on a digital space known as the “Dark Web” have harvested millions of email addresses and passwords from faculty, students and alumni of the nation's 300 largest universities. The hacked email addresses ending in .edu have been used for “nefarious activity” on a decentralized, unregulated platform where goods, services and information are marketed, managed and moved quickly, the report said.
Once an email address and password have been hacked, the information can be sold to vendors who sell drugs and guns, are affiliated with international terrorist organizations or are with private marketplaces, the researchers said. Information grabbed from emails, including Social Security numbers and bank account and credit card data, can also be sold on the Dark Web.
In the last 12 months alone, researchers have discovered that about 10,984,000 email addresses ending in .edu have ended up on the Dark Web. Many of those were hacked; others were newly created using the .edu suffix.
At the University of Michigan, some 122,556 email addresses ending in .edu were compromised, the largest number of any U.S. college or university analyzed in the sweeping report. U-M was followed on the list by five other large universities — Pennsylvania State University (119,360), the University of Minnesota (117,604), Michigan State University (115,973), Ohio State University (114,032) and the University of Illinois (99,375) — that saw their email addresses hijacked.
When broken down by state, the largest number of stolen email addresses were from schools in California, New York, Michigan, Texas and Pennsylvania.
The email addresses that ended up on the Dark Web weren’t necessarily obtained in a massive data breach at the universities and colleges but “as a result of one or more breaches in non-academic settings where .edu credential-holders used .edu user names, or the credentials could have been fraudulently created in the first place, not stolen,” the researchers wrote in the report, “Cyber Criminals, College Credentials and the Dark Web.”
The researchers from Digital Citizens Alliance said colleges and universities are generally doing a good job protecting data, but email addresses with the suffix .edu are among the most vulnerable on the internet.
The report noted:
“Our issue is not with the security, the school administrators, or university community population. Our hope is to shed light on how the activities of criminals who steal credentials and/or create fake credentials are putting innocents at risk. We want to show how bad guys profit, why they target academia, and how they use the clear web and Dark Web to share their merchandise. We’ve shared this publicly so everyone — the schools, the faculty, the staff, and the students — can all take extra measures to protect themselves.”
Razvan Eugen Gheorghe, a 25-year-old living in Bucharest, Romania, told the researchers email addresses ending in .edu are “literally the most vulnerable domains on the internet.”
Known as “DeadMellox” on the Dark Web and regarded as one of the most talented hackers in the world, Gheorghe told the researchers he has hacked higher education websites and leaked email addresses mainly to spark a global conversation about lapses in cyber security at institutions of higher learning. He claims never to have made any money on the sale of hacked email addresses.
“Each address and corresponding password should be thought of as a sort of informational gold mine,” the researchers wrote. “For their possessor, they offer an immense amount of opportunity to glean the types of personally identifiable information that can be packaged together and sold on the Dark Web.
“Additionally, the credentials are the gateway to the valuable research and intellectual property which is often targeted for corporate and governmental espionage. But we also found these records from the lives of our young people, our top thinkers and researchers, and the office workers who make universities great places to live, work, and prosper just dumped like trash on the side of road.”
To protect yourself, the report urges the following practices when creating passwords:
- Use a mix of uppercase, lowercase, numbers and special characters;
- Make the password as long as the system allows;
- Think in terms of passphrases instead of passwords;
- Use a random password generator to avoid social engineering;
- Do not reuse university-provided passwords for other systems;
- Change passwords at least annually or if exposure is suspected;
- Consider using a password vault to store passwords;
- Never share passwords with others;
- Report any suspicious activity to local law enforcement or the institutional IT incident response team.