Technology

14 Million Credentials Stolen from US Universities for Sale on Dark Web

Paul Ausick

Published: March 30, 2017 2:06 pm

Last Updated: January 12, 2020 1:27 pm

A single email address ending in the domain name suffix “.edu” sells for as much as $10 on the so-called “dark web,” that part of the internet that is inhabited by all sorts of people with all sorts of agendas, some good (whistleblowers) and some not so good (thieves and hackers selling malware). The “.edu” domain name is reserved for students, faculty, and staff at accredited U.S. post-secondary institutions.

Last year a cybercriminal offered credentials for 200 million Yahoo users stolen in 2012 on the dark web for just over $1,800. The data allegedly included user names, easily decrypted passwords, personal information like birth dates and other email addresses. Those credentials sold for $0.000009 per email address.

The price premium is based largely on the ability of U.S. college and university students, staff, and faculty to obtain substantial discounts on all sorts of popular products.

According to a study published this week by the Digital Citizens Alliance, nearly 14 million credentials from the 300 largest U.S. higher education institutions were available for sale on the dark web last year. In the last 12 months, nearly 11 million credentials with a login ID and an “.edu” suffix have been turned up by researchers.

The 10 institutions with the most credentials for sale on the dark web as of March 2017 are:

1. University of Michigan – Ann Arbor: 122,556 email accounts
2. Penn State University – main campus: 119,350
3. University of Minnesota – Twin Cities: 117,604
4. Michigan State University: 115,973
5. Ohio State University – main campus: 114,032
6. University of Illinois – Urbana-Champaign: 99,375
7. New York University: 91,372
8. University of Florida: 87,310
9. Virginia Tech: 82,359
10. Harvard University: 80,100

When the researchers examined the available credentials to determine the institutions with the most available credentials compared to the student, staff, and faculty population, the results were quite different and included some of the country’s best-known engineering schools. Here are ratios for the top five:

1. Massachusetts Institute of Technology: 2.81 to 1, credentials available compared to total population
2. Carnegie Mellon University: 2.4 to 1
3. Cornell University: 2.39 to 1
4. Baylor University: 2.27 to 1
5. Virginia Tech: 2.1 to 1

The full report is available from the Digital Citizens Alliance website.