If there were ever a doubt that cyber criminals are targeting you as a member of the education community, the Digital Citizens Alliance (DCA) recently found 52,510 stolen credentials on the dark web that are linked to the @ncsu.edu email domain. The dark web is an area of the World Wide Web that requires specific software to access.
In the DCA’s recent report, “Cyber Criminals, College Credentials and the Dark Web,” NC State is ranked 37 out of 300 of the largest U.S. universities and colleges that had stolen credentials found on the dark web. The report, which includes findings compiled from 2009 to March 2017, revealed that cyber criminals are selling, trading and even giving away emails and passwords of accounts from higher education institutions (HEIs) to exploit benefits and discounts reserved for members of the HEI community and to serve as a gateway to the institutions’ most valuable resources — the intellectual property and research of their members.
According to the DCA, the .edu email accounts either belong to current or former students and employees of the HEIs in the report or are fraudulently created credentials. The DCA also reports that the passwords may not pertain to the active networks or resources of the HEIs in this report, but to third-party networks or resources, where .edu credential holders used their .edu names to register.
In North Carolina, there is a reported total of 267,705 stolen credentials on the dark web from eight HEIs, including NC State, UNC-Chapel Hill, UNC-Charlotte, and Duke University, according to the DCA.
While the university has not confirmed whether the reported stolen credentials are active, to thwart the use of compromised credentials, the university is:
- encouraging students and employees to change their Unity passwords in accordance with the Password Standard.
- employing a number of security measures, including two-factor authentication (2FA).
All employees, including faculty, staff, student employees, and no-pay employees/retirees, are required to enroll by Oct. 31 in both of the university’s 2FA solutions:
- Google 2-Step Verification for NC State G Suite accounts, including Google generic accounts for which they are listed as an administrative or technical contact.
- Duo Two-Factor Authentication for university web applications that use Shibboleth authentication, including the MyPack Portal, Moodle and PeopleAdmin.
Students will be required to enroll in 2FA at a later date.
Both Google 2-Step and Duo “double check” your identity when you sign in to an account by requiring you to log in with a password and an additional security measure, such as a security code that is delivered to a mobile device via text or mobile app, a USB security key or backup codes. This two-step login process makes it extremely difficult for a hacker to breach your account and alleviates up to 98 percent of all phishing attacks.
Have you enrolled in 2FA?
It is important that you enroll now to protect your personal and university data assets. As of April 10:
- 19 percent (4,745) of all employees have enrolled in Duo Authentication.
- 23 percent (5,788) of all employees have enrolled in Google 2-Step Verification.
Approximately 25,000 NC State employees will have to enroll in 2FA by Oct. 31. To learn more about 2FA and to self-enroll now, visit Two-Factor Authentication at NC State. Training opportunities are also available.
Please consider using 2FA for your personally owned accounts, including your personal email, banking and social media accounts. You can find out more about other websites and services that offer two-factor authentication at Two-Factor Auth (2FA).