David Jesse

Detroit Free Press

There are millions of ".edu" e-mail addresses circulating on the Dark Web, harvested by hackers and waiting to be bought by others who can use them in a variety of ways — none good — a new report shows. The e-mail addresses ending with ".edu" come from colleges and universities.

The report, issued this morning by the Digital Citizens Alliance, found more than 120,000 University of Michigan e-mail addresses available in the far reaches of the Internet, the most from any U.S. college or university. Researchers said the e-mail addresses aren't from a massive data breach at U-M, but more likely from data breaches at other sites where people have used their ".edu" addresses and passwords, such as social media sites or online shopping. Researchers said university IT departments are generally doing a good job of protecting information.

Related:

Pro-Israel web site hacked with anti-Semitic message

‘Dark Web’ of cybercrime carries risks for businesses

Did a scammer already file a tax return for you?

The hacked e-mail addresses can be used for a variety of purposes, said Brian Dunn, managing partner of ID Agent, the company that gathered the data for the report. They include using the addresses to piece together information about a person to steal his or her identity.

If someone has your e-mail address and password, he or she can use it to get access to other sites you might be logged into — from social media sites to your bank. The hacked e-mails can also be used as spoofed e-mails to trick other people into giving up information.

"What is more trusted than an e-mail coming from a '.edu' address?" Dunn said. "They can be used to launch malaware or Trojan horse attacks, because people might be more willing to click on an e-mail coming from an '.edu' e-mail address, thinking it's real."

There could also be national security concerns.

"University faculty are often recruited to do important government-funded research," the report said. "While it is illegal for university resources (including e-mail) to be used for classified research, a rogue nation-state could first target a professor’s college e-mail to pinpoint another account where those classified communiques might reside."

The hacked e-mail addresses could also be used for something as simple as getting discounts at online businesses targeted for students and faculty.

The problem is exploding, the report notes. About 10,984,000 credentials with login IDs that had the ".edu" suffix have been discovered within the past 12 months.

So what can society do? Universities can continue to spend money on IT departments, even in tough times, to make sure data is well protected.

And people themselves? They should practice "good password hygiene," said Adam Benson, deputy executive director at the Digital Citizens Alliance. That includes using password managers and making sure old passwords are cleaned up.

Contact David Jesse: 313-222-8851 or djesse@freepress.com. Follow him on Twitter: @reporterdavidj