At this very moment there are over 15bn stolen credentials available for sale on the Dark Web according to new research from Digital Shadows.
The firm’s new study, titled “From Exposure to Takeover“, found that the number of stolen credentials currently available for purchase is equivalent of more than two for every person on the planet. In fact, the number of stolen and exposed credentials has risen by 300 percent since 2018 as a result of more than 100,000 separate breaches.
Of the 15bn stolen credentials Digital Shadow’s study found, more than 5bn of them were assessed to be ‘unique’ as they have not been advertised more than once on cybercriminal forums. The study also found that the majority of exposed credentials belong to consumers and include usernames and passwords from bank accounts to streaming services for video and music.
While many account details are offered for free on the Dark Web, the average price of those on sale is $15.43. Bank and financial accounts are the most expensive though, averaging at $70.91 but some trade for more than $500 depending on the quality of the account.
Digital Shadows has alerted clients to 27.3m username and password combinations in the last 18 months. However, account takeover has never been easier or cheaper to do for cybercriminals. This is because a large variety of brute force tools and account checkers are available on Dark Web marketplaces for an average of $4 which can be used with little technical expertise.
While conducting its study, Digital Shadows also observed the growth of account takeover-as-a-service. Instead of buying credentials, cybercriminals can rent an identity for a given period for less than $10 on sites such as the Genesis Market. For the price, these services collect fingerprint data from an individual as this makes it considerably easier to perform account takeovers and transactions that go unnoticed.
In a press release announcing the news, CISO and VP of Strategy at Digital Shadows, Rick Holland provided further insight on the rise in account takeovers, saying:
“The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them. Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere. The message is simple – consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”
- We’ve also highlighted the best VPN services