The Federal Bureau of Investigation has warned US universities and colleges that it has found banks of login credentials and other data relating to VPN access circulating on cybercriminals forums.
The fear is that such data will be sold and subsequently used by malicious actors to orchestrate attacks on other accounts owned by the same students, in the hope they've reused the same credentials.
The news is the latest reminder of the importance of having long, unique passwords, and equally, why using technology like password managers is the safest way forward.
Stolen VPN Credentials on Criminal Forums
“The FBI has observed incidents of stolen higher education credential information posted on publically accessible online forums or listed for sale on criminal marketplaces,” the intelligence service said in a briefing on the issue.
As of January 2022, the document reads, Russian criminals have been posting network credentials and VPN accesses relating to a long list of different US education institutions on online forums. According to the FBI, they’ve been fetching “multiple thousands” of US dollars.
This wouldn’t be the first case of this either – the FBI notes that in 2017, “cybercriminals targeted universities to hack .edu accounts by cloning university login pages and embedding a credential harvester link in phishing emails.”
More recently, in May 2021, “over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were identified on a publically available instant messaging platform.”
There were additional incidents from 2020 referenced in the same report.
Why Are These Credentials Valuable?
If you’re a hacker, once you’re able to obtain the credentials for a single account belonging to one individual, the chances you’re able to access other private accounts belonging to the same person drastically increased.
Cybercriminals are banking on the fact that some of the college students they have stolen credentials from will have recycled the same login details for use on other accounts.
In this case, cybercriminals are banking on the fact that some of the college students they have stolen credentials from will have recycled the same login details for use on other accounts.- which forms the basis for brute force and credential stuffing attacks.
This is not a bad bet to place either, from their perspective – the whole reason those attacks exist in the first place is the high prevalence of repeated passwords.
How do I protect my Business from this Sort of Threat?
Although this attack seems to be orientated around students’ personal accounts, businesses are much more likely to be targeted simply because it's a more profitable endeavor for cybercriminals to pursue.
The FBI’s list of recommended steps to take include all the classics – keeping your systems up to date, implementing multi-factor authentication, and using strong and unique passwords.
The safest way to store passwords – whilst ensuring they’re long enough to be secure – is using a password manager. That way, you’ll only have to remember a single password to your account with your chosen password manager (as well as a couple of other bits of security information), yet you’ll be protected on all of your accounts.
There are password managers for both Businesses and consumers, and making sure you’re protected at work and at home is the smartest thing to do.