Over 15 billion credentials for sale on dark web

More than 15 billion username and password credentials to online digital services, including bank and social media accounts, are openly for sale on the dark web – over three times the amount available to cyber criminals just two years ago – according to new research from risk prevention specialist Digital Shadows.

This is the equivalent of more than two compromised accounts for every single person on the planet, and is the result of about 100,000 different data breaches, said Digital Shadows. It estimated that more than five billion of the credential sets it found were “unique”, in that they had not been advertised more than once on the cyber criminal underground, and were therefore considered more valuable.

“The sheer number of credentials available is staggering,” said Rick Holland, CISO and vice-president of strategy at Digital Shadows. “In just the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials which could directly affect them.

“Some of these exposed accounts can have, or have, access to incredibly sensitive information. Details exposed from one breach could be reused to compromise accounts used elsewhere. The message is simple – consumers should use different passwords for every account and organisations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”

Most of the exposed credentials caught in Digital Shadows’ nets were for consumer services rather than enterprise ones, but credentials that could give access to corporate systems tended to trade at a premium – those including words such as “invoice”, “invoices”, “partners” or “payments” being particularly prized.

Digital Shadows said many basic account details were offered free of charge, but for those on sale, the average account traded for $15.43 (€13.43/£12.15), rising to an average of $70.91 for a bank account.

The firm’s researchers said they also found dozens of adverts for domain admin access, and in many cases these were being auctioned for anything between $500 and $120,000, with an average selling price of $3,139. It found listings for many large enterprises and public sector bodies.

Holland warned that, unfortunately, all indications suggested that account takeover has never been easier or cheaper for criminals, with myriad brute-force tools and account checkers also available, for an average of $4 a pop, many of them very simple to use.

The firm also pointed to the growth of account takeover as-a-service, where instead of buying a name and password, a cyber criminal effectively rents someone else’s ID for a while. Such services collect target data including cookies, IP addresses and timezones, making it easier to perform account takeovers and transactions that the target will not notice.

This sort of service is becoming much more popular, said Digital Shadows, which claimed many people on dark web forums were “desperate” to get invite codes to this market.

Concerningly, Digital Shadows also reported that cyber criminals are increasingly turning their attention to methods that bypass two-factor authentication. For example, one user on the Exploit Russian-language forum was recently seen trying to sell a method designed to get around two-factor authentication systems at a major US bank. The actor claimed their system could access 70-90% of accounts without requiring SMS verification.