Threat Management, Privacy

FBI warns of education credentials awash on dark web

The panther represents the looming threat of cybercrime. Pictured: FIU Golden Panthers take the field before the game against the Marshall Thundering Herd at Ricardo Silva Stadium on Nov. 24, 2018, in Miami. (Photo by Mark Brown/Getty Images)

The FBI issued an alert to the educational institutions warning that cybercriminal forums are worryingly full of their network credentials.

"It's not at all surprising and highlights the importance of MFA," said Brett Callow, a ransomware expert at Emsisoft.

It is unclear if any specific instance or instances led the FBI to issue the alert, though the recent ransomware boom has been problematic for educational institutions. Lincoln College in Illinois closed earlier this month after a ransomware attack, and other recent attacks have hit Florida International University, Austin Peay University of Tennessee and Howard University.

The alert itself cites findings dating as far back as 2017, when fake university login pages were used to harvest account information. The report cites a 2020 incident where a seller listed 2,000 pairs of U.S.-based .edu usernames and passwords, noting that the site the seller had posted to was no longer online. In 2021, 36,000 pairs of .edu usernames and passwords — potentially including duplicates — were available on a messaging app. And as recently as January, initial access brokers on Russian criminal networks were selling access to universities.

Schools make attractive targets for criminals because they have large stores of personal and research data, often across sprawling networks without the same level of defense as profit-driven industries.

"Educational institutes, whether it's a university or if it's public education, they tend to have a lot of data," said Nicole Hoffman, senior threat intelligence analyst with Digital Shadows. "It's a treasure trove of personally identifiable information, which can be used by a variety of threat actors."

Brokers selling usernames and passwords and other forms of network access play a supply chain role in the cybercrime economy. Hacked usernames and passwords are nothing new for education or, really, for any industry.

"I can't say it's not something new; this is going on for a long time. But it's a good thing to be brought to light because this does happen and it does cause secondary attacks," said Hoffman. Secondary attacks may occur, for example, due to password reuse.

Whether the alert reinvents the wheel, it offers what Hoffman described as universally good advice for any security: standard account and password management practices, multi-factor authentication and good network hygiene among them.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.