Study finds 15B stolen credentials for sale of the dark web

Barely a day passes without new reports of sites and services being hacked or companies exposing customer data through unsecured databases, but how many account credentials have been stolen in total is a mystery.

Although it doesn’t answer how many account credentials have been stolen, a new study out today from Digital Shadows Ltd. puts a figure on the number of account credentials being offered for sale on the dark web, the shady part of the internet reachable with special software: 15 billion.

The figure, published in a new white paper “From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover,” came about through 18 months of Digital Shadows’ security researchers auditing criminal marketplaces across the dark web. The research found that the number of stolen usernames and passwords in circulation has increased 300% since a previous audit in 2018, with the 15 billion records coming from 100,000 data breaches.

Of the 15 billion records, 5 billion are said to be unique. Most of the records were found to belong to consumers, with an individual record selling for an average of $15.43. Records that included bank or other financial accounts were found to be the most valuable, averaging $70.91 apiece, with about 25% of all dark web advertisements offering these types of records.

Accounts with access to antivirus programs were also popular with account details, averaging $21.67 apiece while access to media streaming accounts, social media, file sharing, virtual private networks and adult-content sites were all found to be offered for under $10. Access to organizations’ key systems trade at a significant premium, while dozens of advertisements for domain administrative access were also found to be advertised. In many cases, they’re being auctioned to the highest bidder at prices ranging from $500 to $120,000, with an average of $3,139.

The researchers also noted the growth of “account takeover as a service” where rather than buying a credential, criminals can rent an identity for a given period, often for less than $10.

“The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them,” Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, said in a statement. “Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere.”

The message is simple, he added: “Consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”

Ben Goodman, certified information systems security professional and senior vice president of global business and corporate development at digital identity firm ForgeRock Inc., told SiliconANGLE that passwords have been the primary authentication method for decades and most users have an average of more than 130 online accounts.

“It’s unlikely that users can remember 130 unique sets of login credentials and as a result, most opt to reuse the same passwords and usernames across most if not all of their accounts,” he said. “In fact, 57% of people who have already been scammed in phishing attacks still haven’t changed their password, enabling fraudsters to leverage compromised login credentials from one account to access additional profiles with more critical data, including banking and healthcare information.’

His advice: Organizations must recognize the security risks of passwords and usernames and adopt technology to enable passwordless and usernameless logins.