Security researchers have discovered more than 15 billion sets of usernames and passwords, taken from 100,000 separate data breaches or obtained by other means, that are being sold or given away free online.
According to a new report from German information-security firm Digital Shadows (opens in new tab), many of the compromised credentials were duplicates, but the total number of unique account credentials was still more than 5 billion.
- The best antivirus software to keep you and your devices safe
- VPN: add an extra layer of security with a virtual private network
- Just In: Nearly 600 online retailers hit with credit card-stealing malware
The researchers said the credential sets had been obtained in “more than 100,000 different violations of data protection regulations, cyber hacks and other data leaks”, adding that the “number of stolen and disclosed access data has increased by around 300% since 2018”.
Digital Shadows found that most of the the stolen credentials belonged to "private individuals and consumers", with the login information of bank accounts, streaming services like Netflix and Spotify, and other platforms being sold on the dark web.
Netflix accounts, for example, went for between $3 and $5, except for a supposedly "lifetime cracked" account that was being sold for $10.
Much of the information came from data breaches, but some was undoubtedly obtained through other methods of stealing account credentials, such as phishing attacks on account holders and "credential-stuffing" attacks that test for reused usernames and passwords.
How to keep your account passwords safe
Given that the number of stolen account credentials discovered by Digital Shadows is twice the number of human beings on Earth, it's fairly likely that anyone reading this story has at least one set of stolen credentials in the mix. If you're skeptical, then plug your email addresses into the HaveIBeenPwned (opens in new tab) website to see if anything's been compromised.
You can't help it if a service with which you have an account gets breached, but if it does and you've already taken the above steps, then you can rest easy knowing that the password you created for that breached account can't be used anywhere else.
This data was often available free of charge or flogged at “bargain prices”. The average price for a compromised consumer account was $15.43 (13.68 euros).
However, prices varied based on the type of account. For example, accounts for a financial service would fetch a higher price of around $70.91 (62.86 euros).
Meanwhile, login details for antivirus applications would be sold for $21.67 (19.21 euros), and for under 10 dollar or euros, cyber criminals could purchase logins for streaming services and social media platforms.
"In the past 18 months alone, the Photon Research team at Digital Shadows has identified around 27.3 million user-password combinations among our customers," explains Stefan Bange, Country Manager DACH [Germany, Austria, Switzerland] at Digital Shadows.
“Of course, not every leaked login is followed by a successful cyber attack," Bange added. "Nevertheless, many of these accounts contain personal and very sensitive information that can be exploited by cybercriminals - be it for phishing, social engineering, extortion or the infiltration of the network.
"The risk for individuals is great, but organizations and companies are also directly and indirectly affected by their employees and customers.”
Corporations also targeted
The researchers also found two million email addresses and usernames of corporate departments being sold on these marketplaces.
Compared to consumer data, domains for lucrative companies and industries could sell for prices ranging between 500 and 120,000 dollars or euros on the dark web.
Digital Shadows said these include “large corporations and global players as well as different government and government agencies”.
Bange said the issue is that it is easy for cyber criminals to hack into user accounts, noting that “force cracking tools and account checkers are available on the Dark Web from just 4 euros”.
He added: “In addition, we have been seeing an increase in so-called “as-a-service” offers for some time now, in which criminals no longer have to do their own work, but simply have access to an account and thus the identity of the user for less than 10 euros can rent.
“Multi-factor authentication (MFA) makes ATO attacks more difficult, but not impossible. We keep seeing new methods that bypass 2FA and that are discussed and acted on in cybercriminal forums. ”
- More: Protect your company and employees with a business VPN