A report issued by the Digital Citizens Alliance revealed, to the public, a data collection some called “a national security threat.” ID Agent, a company that helped collect data and publish the report, said that researchers found 120,000 University of Michigan e-mail addresses accessible on the darknet (Scribd). (Original PDF available here.) The problem increased over a 12-month period; although researchers found 10,984,000 breached .edu accounts that year, 120,000 accounts set a record for breached or leaked accounts per school. The biggest fear here, a researcher explained, is that the unknowing public is more likely to open .edu emails than an unknown name and a Gmail address, especially since spoofed Gmail emails land in the spam folder by default on many mail systems.
Researchers who analyzed the information explained that the emails originated from various internet sources. Often, in large dumps such as this one, hackers or simply malicious entities obtain a database of email address credentials in a single attempt. Not every occurrence, too, comes from a hack. Internal sources accidentally leak information, or maybe that intentionally sell it to data brokers on the Darknet. Sometimes these situations are nothing more than the result of mis-handled data.
Researchers from several organizations created the Digital Citizens Alliance report, and specifically pointed out the connection between this listing and young prove. Researchers from the Digital Citizens Alliance worried with ID Agent and used their tool called the Dark Web ID. “The team at ID Agent monitors more than 2,000 distinct Internet Relay Chat forums and 650,000 private web-sites,” the report explained.
Additionally, they collaborated similarly with GroupSense, a clearnet and darknet early warning company that claims to notify clients of attacks, fraud, and breaches prior to the surfacing of the data. And Terbium Labs, last but not completely unknown, runs “Matchlight.” They claim the software autonomously monitors the Deep Web for data breaches.
The various sources, for the most part, originated from other beached sources like social networks or websites where the student or facility used their .edu email address and password pair. Many students lost two email addresses in the beach, an indication that the schools (in 2016 and 2017) stood out as worthwhile targets and consequently paid the price.
The researchers spoke with “Dead-Mellox,” leader of a so-called hacktivist group known as Team GhostShell. They said “no one person” drew as much information to the having of .Edu and reinvent information from the same sector. Team GhostShell, the Digital Citizens Alliance said, gathered the most media attention after a 2012 attack called Project West Wind. He posted 36,000 emails with matching names, usernames, passwords, addresses, phone numbers. All to Pastebin. The information came from 53 schools across the US.
Nearly every major University in the US received similar treatment at one time or another. He, or GhostShell, hacked “Harvard, Stanford, Cornell, Johns Hopkins, Carnegie Mellon, and the University of Michigan.”
He explained that he hacked schools to encourage communication about the lack of security schools used to protect student and staff information. Unlike some vendors on today’s markets, he explained that his primary goal never included financial gain. He said that he had several more schools to upload and choose not to.
He ended his conversation by revealing his thoughts on the status of cyberdefense in the US. “They’re [universities are] all vulnerable, even after all these years, I can breach them all over again.” Electronic healthcare records were high value targets over the past few years. School email accounts might be next.