FBI warns US colleges of widespread VPN credential leaks on cyber crime forums.

International cyber crime forums now play host to a wealth of network credentials and Virtual Private Network (VPN) access opportunities. The credentials and access pathways largely belong to employees from US colleges and universities, according to a news alert from the FBI.

The exposure of credentials and network access information can result in cyber attacks against individuals or organizations, says the alert.

The threat: Explained

Cyber criminals haven’t reduced attacks on US colleges and universities. In recent months and years, spear-phishing, ransomware or other cyber intrusion tactics have led to credential harvesting.

As an example of a past attack, hackers managed to spoof a series of .edu login pages, embedding a credential harvester link in phishing emails. In turn, hackers successfully obtained credentials, which were then delivered to the criminals via an automated email from their servers.

In the wake of the coronavirus pandemic, similar attacks designed to harvest university login credentials have posed a substantive threat to university security.

FBI observations

In the alert, the FBI highlighted a number of incidents involving stolen higher education credentials. Cyber criminals have since posted the credentials on publicly accessible online forums or listed them as available for purchase.

  • In January of 2022, cyber criminals placed the network credentials and VPN access information belonging to several US-based universities and colleges on the dark web. In some cases, the information was posted publicly. Elsewhere, the information was offered for sale. Hackers included screenshots to demonstrate proof of access.
  • In May of 2021, more than 36,000 email and password combinations for email accounts ending in .edu were found on a publicly available instant messaging platform. The cyber criminals who posted the data appeared involved with the trafficking of stolen login credentials and other cyber criminal heists.

Credential theft danger

The availability, sale, and use of harvested credentials can result in credential stuffing computer network attacks. If attackers successfully access college or university systems, they gain the ability to drain bank accounts, leverage or resell credit card numbers or personally identifiable information, submit fraudulent transactions, or conduct subsequent attacks targeting affiliated organizations.

US colleges and universities’ response

When contacted about cyber criminal theft and ransomware events, US colleges and universities commonly state that no evidence exists of data theft or data sale. However, ransomware experts say that 10 of the 13 college-focused attacks in 2022 involve data exfiltration.

Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, National University College, North Carolina A&T University, and Florida International University represent just a handful of the educational institutions that have faced ransomware in the past year.


The FBI recommends for all academic institutions and entities to establish and maintain connections with the FBI Field Office in their respective regions. Such partnerships can enable the FBI to assist with vulnerability identification, threat mitigation and incident response.

Further, the FBI recommends that academic groups review and, as appropriate, update incident response and communication plans in preparation for a potential cyber attack.

More best practices

Colleges and universities are also encouraged to adhere to the following best practices in order to reduce risk of compromise:

  • Ensure that all operating systems and software is up-to-date. Patching and patch management are strongly recommended as a preventative measure. Read CyberTalk.org’s strategic patch management solutions brief here.
  • Implement educational awareness programming and utilize phishing exercises for both students and faculty. This helps raise awareness regarding the risks associated with suspicious websites, suspicious links and suspicious attachments. Get educational programming ideas here.
  • Mandate strong, unique passwords for all accounts that require password logins. Create lock-out rules for incorrect password attempts. Stop password reuse through security program implementation.  See the latest password security insights here.
  • Create network segmentation to help prevent unauthorized access by bad actors and to reduce potential for the spread of malware. Read more about network security solutions here.
  • Ensure that network monitoring tools can identify, detect, and investigate abnormal activity. This includes lateral movement on a network.
  • To detect anomalies, use special identification tools that can provide alerts about traffic increases and failed authentication attempts. Get intrusion prevention system insights here.
  • Use authorization policies to enforce principles of least privilege. Account privileges need to have clear definitions, narrow scopes, and must see regular audits against usage patterns.
  • Secure and monitor remote desktop protocol (RDP) use.

For more cyber security recommendations tailored to academic institutions’ specific security needs, see the FBI alert. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.