Researchers have found millions of US University emails (and passwords) for sale on the Dark Web.  The stolen email addresses/password combinations are selling for $3.50 – $10 each.

This is only a fraction of a lucrative underground market for stolen student, faculty, staff, and alumni email credentials, according to new research published by the nonprofit Digital Citizens Alliance (DCA) that searched the Dark Web for credentials from the top 300 US universities.

The research firm ID Agent, found approximately 14 million credentials for sale from various schools including:

University of Michigan – 122,556
Penn State – 119,350
University of Minnesota – 117,604
Michigan State – 115,973
Ohio State – 114,032
University of Illinois at Urbana-Champaign – 99,375
New York University – 91,372
University of Florida – 87,310
Virginia Polytechnic Institute and State University – 82,359
Harvard University – 80,100

ID Agent also noted that MIT had the biggest ratio of stolen/spoofed email addresses to the number of enrolled students and staff (2.81:1) with Carnegie Mellon University (2.41:1) and Cornell University (2.39:1) also leading the way.  According to ID Agent managing partner Brian Dunn, “There were 2.2 million .edu emails in 2015, 2.8 million in 2016, and now almost 14 million a year later. That’s a significant spike.”

Dunn suggested that the massive increase was likely to do with third-party website breaches, where university users register with their .edu email addresses with social media, e-commerce, and other websites that suffered breaches, either reported or unreported. “There have been significant third-party breaches in 2016,” he notes. ID Agent has seen a 547% increase in all types of credentials (including universities’) for sale in the Dark Web over the past three years. Think big breaches at Yahoo, DropBox, LinkedIn, and others.

Buyers use these stolen credentials to cash in on university discounts, such as Microsoft Office software, Amazon Prime memberships, as examples.  More importantly, they could be used for phishing or gaining further access to university financial, research, and other potentially lucrative information.

As we have noted in previous posts, breaches of all types begin with stolen user credentials. Dunn says one of his firm’s clients estimates that 94% of network login attempts are executive via automated scripts of reused credentials. “When you [an attacker] can automate that with a script, you can have tremendous amount of success.”

Hacked university emails and credentials have been in the spotlight many times before.  Research and Education Networking ISAC (REN-ISAC) last year notified universities about the compromise of some 2.2 million user credentials. In 2012, hacktivist group Team GhostShell dumped on Pastebin some 36,000 names, email usernames and passwords, phone numbers, and other personal online information of students, faculty, and staff from 53 of the largest universities in the world, including Michigan, Harvard, Stanford, Cornell, Johns Hopkins, and Carnegie Mellon.

The basic goal of the DCA report is to shed light on the abuse of .edu email accounts and credentials. “We wanted to give the [universities’] IT security teams something they can use and talk about with administrators and stakeholders on the scale of the problem … what kind of challenges they are facing,” says Adam Benson, deputy executive director of DCA.

University email accounts are easy targets for cyber criminals: “Some of these schools have thousands of people coming in every year with different levels of sophistication, and education about financial and medical records [for instance]” and may be using a credit card for the first time, he says.