There are millions of .edu e-mail addresses circulating on the Dark Web, harvested by hackers and waiting to be bought by others, who can use the e-mails in a variety of ways -- none good -- a new report shows. The e-mail addresses ending with .edu come from colleges and universities.
The report, issued this morning by the Digital Citizens Alliance, found more than 120,000 University of Michigan e-mail addresses available in the far reaches of the Internet, the most from any U.S. college or university.
Researchers said the e-mail addresses aren't from a massive data breach at U-M, but more likely from data breaches at other sites where people have used their .edu addresses and passwords, such as social media sites or online shopping. Researchers said university IT departments are generally doing a good job of protecting information.
The hacked e-mail addresses can be used for a variety of purposes, Brian Dunn, managing partner of ID Agent, the company that gathered the data for the report. That includes using it to piece together other information about a person to steal identity.
If someone has your e-mail address and password, they can use it to get access to other sites you might be logged into -- from social media sites to your bank.
The hacked e-mails to be used as spoofed e-mails to trick other people into giving up information.
"What is more trusted than an e-mail coming from a .edu address?" Dunn told the Free Press. "They can be used to launch malaware or Trojan horse attacks, because people might be more willing to click on an e-mail coming from an .edu e-mail address, thinking it's real."
There could also be national security concerns.
"University faculty are often recruited to do important government-funded research," the report said. "While it is illegal for university resources (including e-mail) to be used for classified research, a rogue nation-state could first target a professor’s college e-mail to pinpoint another account where those classified communiques might reside."
The hacked e-mail addresses could also be used for something as simple as getting discounts at online businesses targeted for students and faculty.
The problem is exploding, the report notes. About 10,984,000 credentials with login IDs that had the .edu suffix have been discovered within the past 12 months.
So what can society do? Universities can continue to spend money on IT departments, even in tough times, to make sure data is well protected.
And people themselves? They should practice "good password hygiene," said Adam Benson, deputy executive director at the Digital Citizens Alliance. That includes using password managers and making sure old passwords are cleaned up.
►Make it easy to keep up to date with more stories like this. Download the WZZM 13 app now.
Contact David Jesse: 313-222-8851 or firstname.lastname@example.org. Follow him on Twitter: @reporterdavidj