Russian crooks are selling network credentials and virtual private network access for a “multitude” of US universities and colleges on criminal marketplaces, according to the FBI.
According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.
“The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” the Feds’ alert [PDF] said.
In May 2021, more than 36,000 email and password combinations for email accounts ending in “.edu” were listed for sale on a “publicly available instant messaging platform,” according to the bureau, although it did note that some of these may have been duplicates.
Regardless, it’s high time to button down — and stop reusing — passwords and implement multi-f