It is definitely a possibility. Our Security team have a quite rigourous follow-up process and that's never been raised but absolutely not out the realms of possibility. However some accounts for users in non academic departments have been used previously too. I can guarantee Sandra in HR has no interest in open science :-D
I should note that I am a huge advocate for OA and thinks the who journal ecosystem is a rotten house of cards waiting to tumble. I just see the direct impact of phished accounts at my institution..
I'm not sure if you caught the above comment but I can be certain that professonal services staff (HR, admin etc) who's accounts have been used by Scihub definitely did not give their credentials voluntarily. They have zero interest in Scihub or access to material.
I should note that I am a huge advocate for OA and thinks the who journal ecosystem is a rotten house of cards waiting to tumble. I just see the direct impact of phished accounts at my institution..