15 Billion Logins and Passwords Listed For Sale

A new report has indicated that more than 15 billion private logins, passwords and items of personally identifiable information are currently on sale in cybercriminal marketplaces.

The numbers come from Digital Shadows, whose research has noted a 300% jump in the amount of private data listed for sale on marketplaces frequented by cyber criminals on the dark web.

Digital Shadows says that there are now more than 15 billion credentials for sale, stemming from around 100,000 data breaches around the globe. Included in this trove of data are logins for social media accounts, video streaming platforms and even financial institutions.

Also noted is the premium price attached to “access to an organisation’s key systems,” with the researchers saying that domain administrator access being auctioned off could fetch up to $120,000.

The researchers at Digital Shadows say that 5 billion of these credentials are unique, meaning they haven’t been listed online before on other criminal marketplaces, and will more than likely work.

Considering that the average person uses around 191 online services, in the words of the authors of the report, “that’s a lot to keep on top of, and it presents a huge problem if a compromise occurs… particularly if a person uses the same credentials across multiple services.” 

Rick Holland, Chief Information Security Officer and VP of Strategy at Digital Shadows, has said that “the sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them.”

“Some of these exposed accounts can have (or have access to) incredibly sensitive information,” he says. “Details exposed from one breach could be reused to compromise accounts used elsewhere.” 

Major findings of the report include the fact that the majority of login and password details are given away by hackers completely free. For the logins that are priced, however, details for something like a social media account are priced on average at USD $15.43.

Bank account and other financial institution logins are more expensive, priced on average at $70.91. Authors of the report say that financial logins account for around 25% of the listings they studied. 

Somewhat ironically, credentials for antivirus logins are the second most expensive listing, priced at around $21.67. 

Prices for media streaming services, virtual private networks (VPNs) and adult content are around $10.

The authors wrote that “cybercriminals are obviously going after the ‘purse strings’ in organisations: we found 2 million accounting email addresses exposed. Email addresses with invoice or invoices were, by far, the most commonly advertised.”

Brute-force account compromises, whereby a hacker attempts to enter someone’s account with tools and account checkers, are cheaper than ever, according to the researchers. Devices for as little as $4 were providing hackers access to people’s accounts, with on-demand ‘hire a hacker’ services being advertised for just $10.

In terms of protecting accounts, Digital Shadows writes that multi-factor authentication (MFA) still represents one of the best ‘imperfect steps’ to mitigate a cyber attack or account takeover.

Mr Holland added that “the message is simple – consumers should use different passwords for every account and organisations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.” 

Security researcher Troy Hunt has told Infosecurity Magazine that he wasn’t “overly surprised by the numbers.”

“It’s one of those things that’s very easy to propagate and I often see the same data represented in different derivatives, for example, expressed by the domain of the email account or the geographic location of the account holder.”

In terms of the possible impact of the pandemic on additional identity theft and online fraud, Hunt said “personally, I think it’s too early to see an impact on credential stuffing lists due to the pandemic.” 

“Yes, there’s a lot more people working remotely, but these lists are curations of previous data breaches bundled up and passed around as sources for brute forcing login pages. These lists are also dependent on having passwords accessible in either plain text or with weak cryptographic protection which, fortunately, is becoming increasingly uncommon.”
