Cyber-criminals share millions of stolen higher-education email credentials

Large Midwestern universities most often victimized, new Digital Citizens Alliance study finds.

College and universities are facing a growing threat from cyber-criminals who are sharing credentials from millions of stolen or fake .edu email accounts on the dark web.

In a new study, “Cyber Criminals, College Credentials, and the Dark Web,” the Digital Citizens Alliance (DCA) found evidence that threat actors of all types — including hacktivists, scam artists and terrorists — increasingly are putting emails and passwords from higher-education accounts up for sale or trade, and in some cases, they are just giving them away.

“We’ve seen a giant spike in [stolen and fake credentials from] .edus,” Brian Dunn, managing partner at ID Agent, a Washington, D.C., cybersecurity company that provided data for the report, told EdScoop. “There isn’t the same correlation with the other domains that we track. We track a lot within the public sector — .us., .gov and .mil — and we see increases there but not anywhere above 100 percent. We’ve had a 540 percent increase in .edus, so there are definitely some tremors going on there.”

The report includes rankings of the total number of stolen credentials for the 300 largest university and college communities found within websites selling higher education credentials on the dark web, a subterranean part of the internet that requires special software to navigate and allows traffic to remain anonymous or untraceable. The email accounts included those stolen from faculty, staff, students and alumni. In some cases, cyber-criminals have created fake emails that look like they’re from a legitimate address but are used for scams.


“Higher Education Institutions have deployed resources and talent to make university communities safer, but highly-skilled and opportunistic cyber-criminals make it a challenge to protect large groups of highly desirable digital targets,” said DCA deputy executive director Adam Benson. In pursuing the study, he said, DCA wanted to demonstrate the scale of the problem and the complexity facing large organizations trying to protect email users.

As part of the study, researchers from ID Agent reviewed the email domains for the top 300 higher education institutions in the U.S. The researchers then determined which schools had the highest total of stolen email accounts available to cyber-criminals on the dark web. During eight years of scanning the dark web, ID Agent researchers have found 13,930,176 email addresses and passwords belonging to faculty, staff, students and alumni at U.S. colleges and universities. Nearly 80 percent of the credentials were discovered by ID Agent researchers over the last 12 months.

Large, Midwestern schools dominated the top ID Agent rankings. The University of Michigan topped the list, followed by Penn State, Minnesota, Michigan State, Ohio State, Illinois, New York University, Florida, Virginia Tech and Harvard.

“Cyber-criminals are motivated to be successful, so it’s not surprising to see a significant number of stolen .edu accounts attributed to large and prestigious technical schools,” Dunn said.

Researchers did not find a reason why Michigan was No. 1 or why Midwestern schools tended to be at the top of the list. “It could just a matter of the size of these [institutions],” said Benson. “I don’t think there is a security issue unique to the Midwestern schools. Many threat actors just want to disrupt and all [institutions] offer something appealing to cyber criminals.”


ID Agent researchers also compared the schools’ total population, including faculty, staff and students, to the number of stolen e-mail accounts. MIT had the highest ratio of total stolen e-mail accounts to total current users, followed by Baylor, Cornell, Carnegie Mellon and Virginia Tech.

Before releasing the report publicly, DCA officials made an effort to contact all 300 schools to inform them of the study.

A hacktivist who once posted thousands of .edus online showed DCA several sites where .edus are for sale right now. The hacktivist, who used the name “DeadMellox,” said that “most people simply create and then sell them, instead of actually taking them from a site.” Fake e-mails can be used to scam others in the university and college communities.

Student email accounts are especially vulnerable to threats. “Students are going to attractive to threat actors for the kinds of content that will have in their emails,” Benson said. “We’re talking about receipts, information about travel, medical information, sign-up information for other accounts and discount offers that threat actors can use not to just get items on the cheap but to create a new account for purchasing items in the name of somebody. A cyber criminal might view a student in terms of a commodity.”

The report offers advice on practices that colleges and universities can implement to provide more protection for student, faculty and staff email accounts. Password education, for example, is an important component of defense, researchers said.

Latest Podcasts