A new report from the Digital Citizens Alliance, “Cyber Criminals, College Credentials, and the Dark Web,” demonstrates the enormous challenge posed by insecure higher education email accounts and the damage they can cause.
Over the past eight years, researchers have discovered 13,930,176 e-mail addresses and passwords belonging to faculty, staff, students, and alumni at the 300 largest higher education institutions in the United States available to cyber criminals on Dark Web sites. Anyone can purchase the data and use the emails to enact their fraudulent schemes.
While many of the credentials come from hacked staff and student accounts, some of the email addresses for sale in the digital underground are fake. While not attributed to a real person, these addresses use the institution’s domain name, taking advantage of the credibility often associated with a .edu address.
The non-profit’s press release notes that “fake e-mails can be used to scam others in the university and college communities. Criminals can also use fakes to take advantage of discounts offered to students and faculty on software and various other products.”
The University of Michigan-Ann Arbor led the pack with 122,556 credentials for sale on the dark web, but the Massachusetts Institute of Technology (MIT) ranked highest in terms of corrupt email ratio. For every legitimate email with an MIT domain name, there are 2.81 fake emails – a truly staggering number.
The report recommends that universities share the following tips to reduce the risk of email accounts being compromised:
- Use a mix of uppercase, lowercase, numbers, and special characters
- Make the password as long as the system allows
- Think in terms of passphrases instead of passwords
- Use a random password generator to avoid social engineering
- Do not reuse a university-provided password for other systems
- Change passwords at least annually or if exposure is suspected
- Consider using a password vault to store passwords
- Never share passwords with others
- Report any suspicious activity to local law enforcement or the institutional IT incident response team
These are fine recommendations, but they ignore the fact that there are still plenty of other ways to access the accounts. Email is an inherently flawed form of communication, and it’s time to look for safer and more advanced alternatives.
One of these alternatives is Evizone Secure Communications (ESC), our proprietary technology that offers the strongest commercially available system for the secure exchange and compliance archiving of electronic communications.
The Digital Citizens Alliance report should concern educational institutions everywhere. If they’re serious about their cybersecurity, they should reach out to us or sign up for a free trial at http://evizone.com/free-trial/.