Report Says Penn State Among Schools With Most Email Addresses For Sale On Dark Web
by Geoff Rushton
A report released last week says Penn State is among the top higher education institutions with email addresses and passwords being sold and shared on the Dark Web.
The report by the Digital Citizens Alliance said out of 300 institutions Penn State had the second most .edu emails and passwords being made available, behind the University of Michigan. The list of schools with the top total number of .edu addresses being sold and shared — including stolen, faked and old accounts — is dominated by large schools with Penn State followed by the University of Minnesota, Michigan State University, The Ohio State University, the University of Illinois, New York University, University of Florida, Virginia Tech University, and Harvard University.
When looking at the ratio of email addresses found to total number of students, faculty and staff at an institution, most of those universities were not among the top schools. The Massachusetts Institute of Technology topped the list from that perspective.
“It could just be a matter of the size of these [higher education institutions],” said Adam Benson, deputy executive director of the Digital Citizens Alliance, a Washington, D.C.-based nonprofit. “I don’t think there is a security issue unique to the Midwestern schools. Many threat actors just want to disrupt and all HEIs offer something appealing to cyber criminals.”
Michael Kubit, Penn State’s vice president for Information Technology and Chief Information Officer, agreed that the findings are likely due to the sheer volume of users at Penn State. Kubit said that for security reasons the university does not disclose the number of reports of stolen or faked email addresses it receives.
The report, however, doesn’t indicate a new risk to Penn State or other universities. According to a statement provided by a Penn State spokesperson, the report has been analyzed by information security at the university and at other Big Ten universities.
“Our Office of Information Security, and other Big Ten IT security organizations, have analyzed this report and determined there is no new risk or significant threat to the University’s systems or data,” the statement said. “There are some aspects of this report that are vague and there is no evidence that any of the accounts and credentials were valid at Penn State or elsewhere.
“It’s worth noting that this report was not written by an independent IT security or police agency, but we do take this information seriously — and will remain vigilant against these persistent threats.”
Digital Citizens Alliance worked with researchers from ID Agent, a Washington, D.C.-based security firm which has used its own technology to scan the Dark Web for eight years. According to the report “Cyber Criminals, College Credentials, and the Dark Web,” the researchers discovered 13.9 million .edu email addresses made available on Dark Web sites, with about 79 percent of those being found over the past 12 months.
The report said the .edu credentials are offered for free on Dark Web sites and for sale and trade on member-only sites and private marketplaces. Different types of actors, including hacktivists and scam artists, acquire and make them available.
“Each address and corresponding password should be thought of as a sort of informational gold mine,” the report says. “For their possessor they offer an immense amount of opportunity to glean the types of personally identifiable information that can be packaged together and sold on the Dark Web. Additionally, the credentials are the gateway to the valuable research and Intellectual Property which is often targeted for corporate and governmental espionage.”
Kubit said Penn State has a number of tools in place to protect accounts and limit the exposure of accounts that may have been compromised.
“There are multiple ways in which the university can protect against phishing — however, it is not in Penn State’s best interest from a security standpoint to share these approaches publicly,” Kubit said. “Generally speaking, there are ways to protect a large enterprise from various phishing attacks. These include staying informed regarding current phishing strategies, and aligning security policies and solutions to detect and eliminate threats. Additionally, helping faculty, students and staff understand the types of attacks they might encounter, and how to identify and respond accordingly, are all measures we incorporate.”
Benson said the report isn’t meant as a criticism of efforts by universities, but rather to illustrate the digital challenges faced by large organizations.
“Higher Education Institutions have deployed resources and talent to make university communities safer, but highly-skilled and opportunistic cyber criminals make it a challenge to protect large groups of highly-desirable digital targets,” he said. “We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with an .edu account.”
For individuals, strong passwords are a key preventative step. Digital Citizens Alliance advised long, randomly-generated passwords and changing passwords annually or as soon as exposure is suspected. Of course, suspicious activity should be reported to IT staff immediately.
“Many of the [higher education institutions] and the schools’ security professionals are doing great work under difficult circumstances, but they can’t do everything,” Benson added. “The bad guys are the threat actors sharing stolen or fake credentials. It is our hope that administrators don’t follow this report with questions asking security pros ‘what are you doing wrong?’, but instead the security teams are empowered to ask stakeholders and members of the university community to do more to fight back against the cyber criminals exploiting friends and co-workers.”