Sep 19 2017

Millions of .Edu Email Credentials Are for Sale on the Dark Web

Universities can keep their data safe from bad actors without losing network openness.

By name alone, the dark web sounds like something out of a horror movie, but its reality is just as scary. This shadowy part of the internet is home to all kinds of cybercriminals — from hackers to those looking to make a profit from selling malware. It also could be home to login credentials from your higher education institution.

Researchers from the Digital Citizens Alliance found almost 14 million email addresses and passwords from faculty, staff, students and alumni at U.S. universities. About 79 percent of the credentials were put on the dark web in the last year alone.

SIGN UP: Get more news from the EdTech newsletter in your inbox every two weeks!

Why Universities Are Such a Big Target for Hackers

Though the Digital Citizens Alliance reports that some of the credentials were obtained by “hacktivists” looking to show higher ed IT how easy it is to access their information, universities are particularly vulnerable to cyberattacks because they store more data than leading businesses and have fewer resources to protect it.

The large tech infrastructure that many universities are adopting to support innovative learning can also play a part in their vulnerability.

“Because [higher education institutions] have large capacity internet connection links that serve all the students, and large capacity servers that are designed for many users, they are almost always on, and attackers never have to worry if a part of their infrastructure will be available for use,” says FireEye senior analyst Will Glass in the report.

The Digital Citizens Alliance also suggests the vast amounts of innovative intellectual property at universities can be a draw for hackers.

How to Keep University Data Safe

The first step of protection is an obvious one: better passwords. The Digital Citizens Alliance cites a survey that found large percentages of young people reusing a single password for multiple services, meaning if a hacker gets students’ credentials, they could access everything from school portals to bank accounts. By creating stronger passwords and making them different for different services, schools can take a small step toward safety.

While relatively open networks can sometimes be the blame for bad actors accessing credentials, some universities have found a way to balance openness and security.

After Arkansas State University suffered a data breach in 2012, the university’s IT staff had to shift their security practices for better protection. But that didn’t mean the network had to be any less open. Instead, ASU increased network visibility by installing a layered security system with a Palo Alto Networks firewall that provides real-time insight.

ASU is also using Carbon Black Protection, which can automatically block users from downloading unapproved applications or running malicious code sent through email attachments.

“We are constantly working to make sure that we incorporate layers of security, all working together to help protect the university’s data and assets,” says Timothy Cureton, ASU’s IT security coordinator, in an EdTech article. “At the same time, this approach still allows us to have that openness that we’ve always had and want to continue to have.”

LagartoFilm/Getty Images