The FBI Cyber Division released a notification in May 2022 reporting that it had found stolen login credentials from higher education institutions readily available on public forums and for sale on the dark web.

The notification also warned that the exposure of the stolen login credentials could put universities and colleges at risk of more cyber attacks in the future.

What is the dark web?

The dark web consists of hidden sites that can only be reached through specialized software such as the Tor Browser, which anonymizes both the visitor and the site's location, making illegal activity hard to trace.

Here are some notable higher education cyber attacks in recent years, according to the FBI’s notification document:

  • 2020: Roughly 2,000 .edu usernames and passwords were listed for sale on the dark web.
  • 2021: Over 36,000 .edu email and password combinations were posted on a publicly available messaging platform by a group that appears to have been involved in credential trafficking before.
  • 2022: In January, network credentials and VPN access information for US-based higher education institutions were listed for sale on Russian cybercriminal forums. Stolen VPN credentials are especially dangerous because they give an attacker a foothold inside the campus network rather than access to a single account.

How do cybercriminals get access to these credentials?

Cybercriminals most often gain initial access through social engineering, most commonly phishing.

What is phishing?

Phishing refers to fraudulent communications that pretend to come from a trusted source. The goal is to trick the recipient into revealing sensitive information, such as credit card numbers or login credentials, or into clicking a malicious link.

Consider this phishing scenario and the impact it could have on students, faculty, and the institution:

Initially, a cybercriminal obtains a student's email login credentials. They can now begin reconnaissance and build their attack.

With access to the student's previous email conversations, they can reuse those topics in phishing emails sent from the student's own account to a professor and other students, mentioning the relevant coursework and including a malicious hyperlink.

Because the message is sent from the genuine account, email authentication checks such as SPF and DKIM pass, and the recipients are more likely to click the link because it comes from a familiar person and their guard is down.

FBI cybersecurity recommendations for higher education institutions

The notification document provided an extensive list of cybersecurity recommendations for universities and colleges, which we've consolidated and summarized:

  • Keep all operating systems and software current with security patches, and use automated scanning to find systems that are missing them
  • Segment networks to limit the spread of malware and unauthorized access
  • Use multi-factor authentication wherever possible; if credentials are compromised, an attacker still needs the second factor to authenticate
  • Employ network monitoring tools to detect abnormal network activity
  • Prepare students and faculty to recognize phishing through training programs and real-world (simulated) phishing tests
  • Require strong password policies and account lockout rules
  • Establish role-based accounts that follow the principle of least privilege
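Two of these recommendations, monitoring for abnormal activity and enforcing lockout rules, can be shown working together on login logs. The following is an added example written for this page, not code from the FBI notification or from any vendor: it parses a constructed SSO login log (the line format, the thresholds and the sample events are all assumptions), locks an account after repeated failures, flags a source IP that tries one password across many accounts (password spraying, which a per-account lockout alone never triggers), and flags any successful login that follows a failure burst or comes from a spraying source. That last category is the login only MFA would have stopped.

```python
"""Brute-force, spraying and suspicious-login detection with account lockout.
Added example; log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: one line per login attempt at a hypothetical SSO portal.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sso login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: bob is benign; alice is guessed after a short burst;
# dave is brute-forced past the lockout threshold; 198.51.100.7 sprays one
# password across four accounts and gets into grace's.
SAMPLE_LOG = """\
2022-05-10T08:00:01Z sso login user=bob@example.edu src=192.0.2.10 result=ok
2022-05-10T08:00:05Z sso login user=alice@example.edu src=203.0.113.5 result=fail
2022-05-10T08:00:09Z sso login user=alice@example.edu src=203.0.113.5 result=fail
2022-05-10T08:00:14Z sso login user=alice@example.edu src=203.0.113.5 result=fail
2022-05-10T08:00:20Z sso login user=alice@example.edu src=203.0.113.5 result=fail
2022-05-10T08:00:33Z sso login user=alice@example.edu src=203.0.113.5 result=ok
2022-05-10T08:01:00Z sso login user=dave@example.edu src=203.0.113.99 result=fail
2022-05-10T08:01:05Z sso login user=dave@example.edu src=203.0.113.99 result=fail
2022-05-10T08:01:10Z sso login user=dave@example.edu src=203.0.113.99 result=fail
2022-05-10T08:01:15Z sso login user=dave@example.edu src=203.0.113.99 result=fail
2022-05-10T08:01:20Z sso login user=dave@example.edu src=203.0.113.99 result=fail
2022-05-10T08:05:00Z sso login user=dave@example.edu src=203.0.113.99 result=fail
2022-05-10T08:02:00Z sso login user=carol@example.edu src=198.51.100.7 result=fail
2022-05-10T08:02:01Z sso login user=erin@example.edu src=198.51.100.7 result=fail
2022-05-10T08:02:02Z sso login user=frank@example.edu src=198.51.100.7 result=fail
2022-05-10T08:02:03Z sso login user=grace@example.edu src=198.51.100.7 result=ok
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def analyze(lines, max_failures=5, window=timedelta(minutes=10),
            lockout=timedelta(minutes=15), burst=3, spray_accounts=3):
    recent_fail = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}                  # user -> lock expiry time
    ip_targets = defaultdict(dict)     # src -> {user: time of last failure}
    findings = {"locked": [], "blocked": [], "spray_ips": [], "suspicious_success": []}

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                   # skip unparseable lines rather than crash
        ts, user, src = ev["ts"], ev["user"], ev["src"]

        # Lockout rule: while locked, every attempt is refused, even a correct password.
        if user in locked_until and ts < locked_until[user]:
            findings["blocked"].append((ts, user, src))
            continue

        if ev["result"] == "fail":
            q = recent_fail[user]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                locked_until[user] = ts + lockout
                findings["locked"].append((ts, user))
                q.clear()
            # Spraying: one source failing against many distinct accounts.
            targets = ip_targets[src]
            targets[user] = ts
            for stale in [u for u, t in targets.items() if ts - t > window]:
                del targets[stale]
            if len(targets) >= spray_accounts and src not in findings["spray_ips"]:
                findings["spray_ips"].append(src)
        else:
            # A success right after a failure burst, or from a spraying source,
            # is the login a second factor should have stopped.
            if len(recent_fail[user]) >= burst or src in findings["spray_ips"]:
                findings["suspicious_success"].append((ts, user, src))
            recent_fail[user].clear()
    return findings


def analyze_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, items in analyze_sample().items():
        print(kind, items)
```

Run as a script it reports dave locked and his later attempt blocked, 198.51.100.7 as a spraying source, and alice's and grace's successful logins as suspicious. Note what the lockout rule does not catch: alice's attacker stopped one guess short of the threshold and still got in, and the spraying source never exceeded one failure per account, so lockout and monitoring only narrow the window that multi-factor authentication closes.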

Assessing the security of your technology partners

In addition to the FBI recommendations to protect against cyber threats, colleges and universities should also assess the security of their technology partners. This includes all online learning technologies and all additional course software, such as:

Remember, vendor security is your security. 

Here’s a high-level list of what to look for and questions to ask when vetting technology partners:

Data security

  • What data is collected and why?
  • How is data collected and maintained?
  • Who owns the data?
  • Is the data encrypted in transit and at rest?
  • Where is the data stored?
  • What is the data classification policy and how are employees trained to handle different classifications?

Proactive defense

  • How often are vulnerability scans and penetration tests performed?
  • How is security integrated into the vendor’s Software Development Life Cycle (SDLC)?

Incident response plan

  • What is the incident response plan?
  • How often does the company run through the plan in practice and simulation?

Company practices and employee security training

  • How are employees trained on security best practices? 
    • How often are employees trained and what does their training include?
  • How are employees trained to report a security incident?
  • Is the organization FERPA compliant? 
  • Has the organization had a security breach in the last five years?
  • Will contractors have access to the data?
    • If so, what controls are in place to ensure security? 
  • Can you provide a public-facing privacy policy?

Vendor Security Cheat Sheet

For a comprehensive look at vendor security, download our Vendor Security Cheat Sheet. It provides a detailed look at questions to ask technology vendors, software and technologies needed, and important definitions to know.