Your college email account may be one of millions for sale on the dark web
Imagine you’re walking down a highway when you suddenly find the keys to a vault full of personal information. Now imagine you find nearly 14 million keys and vaults, all belonging to people who went to or worked at a college somewhere in the U.S.
That would be insane — but that is, in digital form, what a March report published by Digital Citizens Alliance says the group has found on the darker side of the information highway.
According to the report, “13,930,176 e-mail addresses and passwords belonging to faculty, staff, students, and alumni” at “higher education institutions” are available at sites on the dark web. The University of Michigan alone has 122,556 email addresses out there, and other Big Ten schools are right behind it.
Penn State University, the University of Minnesota, Michigan State University, Ohio State University, and the University of Illinois were also singled out by the report for having huge amounts of insecure information floating around.
“Stolen credentials can be the first step down the path to more sensitive personal information, access to valuable intellectual property, and potentially identity theft,” wrote the authors. “In other cases, individuals have no profit motive at all. Threat actors can be driven by revenge or just mayhem and destruction.”
Dark web actors can mine these accounts for any personal information their owners have divulged to the university, and sell that information along with the details of the actual account. They can also set up fake accounts at universities.
The creators can sell these accounts to anyone trying to get student discounts or looking to run phishing scams from .edu emails — which might be more likely to generate trust than a random email from a Gmail or Yahoo account.
Digital Citizens Alliance partnered with research organizations to figure out how dark web actors use these credentials, and reached several conclusions that ought to be alarming to anyone who’s ever had a college email address.
Groups that claim to be associated with extremist organizations were passing out credentials. Others were offering emails and passwords for no cost. Some groups had gleaned credit card information, social security numbers and more from these email accounts, and were selling that information as well.
“We’ve shared this publicly so everyone—the schools, the faculty, the staff, and the students—can all take extra measures to protect themselves,” wrote the authors of the report.
You can read more here.