The FBI issued an alert to educational institutions warning that cybercriminal forums are worryingly full of their network credentials.
"It's not at all surprising and highlights the importance of MFA," said Brett Callow, a ransomware expert at Emsisoft.
It is unclear if any specific instance or instances led the FBI to issue the alert, though the recent ransomware boom has been problematic for educational institutions. Lincoln College in Illinois closed earlier this month after a ransomware attack, and other recent attacks have hit Florida International University, Austin Peay University of Tennessee and Howard University.
The alert itself cites findings dating as far back as 2017, when fake university login pages were used to harvest account information. The report cites a 2020 incident where a seller listed 2,000 pairs of U.S.-based .edu usernames and passwords, noting that the site the seller had posted to was no longer online. In 2021, 36,000 pairs of .edu usernames and passwords — potentially including duplicates — were available on a messaging app. And as recently as January, initial access brokers on Russian criminal networks were selling access to universities.
Schools make attractive targets for criminals because they have large stores of personal and research data, often across sprawling networks without the same level of defense as profit-driven industries.
"Educational institutes, whether it's a university or if it's public education, they tend to have a lot of data," said Nicole Hoffman, senior threat intelligence analyst with Digital Shadows. "It's a treasure trove of personally identifiable information, which can be used by a variety of threat actors."
Brokers selling usernames and passwords and other forms of network access play a supply chain role in the cybercrime economy. Hacked usernames and passwords are nothing new for education or, really, for any industry.
"I can't say it's not something new; this is going on for a long time. But it's a good thing to be brought to light because this does happen and it does cause secondary attacks," said Hoffman. Secondary attacks may occur, for example, due to password reuse.
Whether or not the alert reinvents the wheel, it offers what Hoffman described as universally good security advice: standard account and password management practices, multi-factor authentication and good network hygiene among them.