15B Credentials Available On Dark Web, Selling Price Below $16
There are more than 15 billion stolen account credentials being sold or even shared for free on the dark web, with individual entries selling for an average of $15.43, a new research report states. The average person uses some 191 services that require them to enter passwords or other credentials. That’s a lot to keep on top of, and it presents a huge problem if compromise occurs, particularly if a person uses the same credentials across multiple services. Over the past 18 months the Digital Shadows Photon Research team has been analyzing how cybercriminals conspire to prey upon users of online services by “taking over” the accounts they all use on an everyday basis for banks, to stream videos or music, for work; the list goes on.
Of the various categories of stolen credentials, bank and financial account passwords were found to be the most expensive advertised on the dark web for an average of $70.91, with some prices set upwards of $500. Those seeking to score admin credentials for the purpose of a corporate account takeover (ATO) must pay an especially high premium. These privileged accounts cost an average of $3,139 but can go as high as $140,000.
Cybercriminals who don’t want to spend too much or harvest credentials themselves have the option of renting compromised accounts via ATO-as-a-service offerings for $10. Meanwhile, tools to crack accounts, including brute-force tools and account checkers, are being advertised for as little as $4, the report notes.
The researchers also noted the growth of “account takeover as a service” where rather than buying a credential, criminals can rent an identity for a given period, often for less than $10.
“The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials which could directly affect them,” Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, said in a statement. “Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere.”
The message is simple, he added: “Consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”
Ben Goodman, certified information systems security professional and senior vice president of global business and corporate development at digital identity firm ForgeRock Inc., told SiliconANGLE that passwords have been the primary authentication method for decades and most users have an average of more than 130 online accounts.
“It’s unlikely that users can remember 130 unique sets of login credentials and as a result, most opt to reuse the same passwords and usernames across most if not all of their accounts,” he said. “In fact, 57% of people who have already been scammed in phishing attacks still haven’t changed their password, enabling fraudsters to leverage compromised login credentials from one account to access additional profiles with more critical data, including banking and healthcare information.”