The report was compiled after gathering advertisements from different dark web marketplaces in the last 2.5 years.
It is a fact that fraud and hacking guides are the most sold item on the dark web but now the IT security researchers from Digital Shadows have published the findings of their recent study in a white paper titled “From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover.”
The report reveals startling details of the extent to which sensitive banking and social media credentials are selling on the Dark Web nowadays.
According to the report [PDF], over 15 billion usernames and passwords belonging to online digital services such as social media accounts, and banks are selling openly on the underground internet marketplace. These records come from 100,000 data breaches.
Digital Shadows thoroughly audited shady marketplaces for over 18 months and identified that this number is three times higher than the number of credentials cybercriminals owned about two years back.
The stolen usernames/passwords exchange had increased 300% since the firm’s previous audit in 2018. The number is equivalent to over two compromised accounts for every single person in the world.
The company claim that five billion credentials, a quarter of which comprises of financial and banking accounts, are identified to be unique as these haven’t been advertised more than once on any criminal or hacking forum.
Hence, this is valuable data up for sale on the dark web. Moreover, researchers identified that among the accounts selling on the dark web, there are credentials that offer access to systems of large-scale organizations. Their research also revealed that online tools used for targeting user accounts are also selling for at less than £3.50.
CISO and VP of strategy at Digital Shadows, Rick Holland, stated that the number of credentials selling on the illegal forums is staggering.
“In just the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials which could directly affect them,” added Holland.
An individual record is up for sale at an average price of $15.43 (€13.43/£12.15), while banking or financial institute’s records sell at $70.91 per account. Accounts containing terms like invoices, payments, or partners are much in demand.
There are dozens of advertisements for domain admin access availability. Such credentials rake in between $500 to $120,000, with an average $3,139 per account.
Accounts offering access to antivirus programs are sold at an average of $21.67 per record. Other accounts, such as media streaming profiles, file sharing, social media, adult websites, and virtual private network credentials, are sold for under $10.
Some of the accounts either contain or offer access to highly sensitive information, which can help hackers compromise more accounts if the same passwords are used to access different services. That’s why it is essential to keep unique passwords for every service you use.
Most of the exposed credentials were related to customer services, not enterprises. But, using the information, cybercriminals can access corporate systems. Holland believes that account takeover has become relatively easier for cybercriminals in the past one year.
The emergence of advanced brute-forcing tools could be blamed for that. Moreover, account checkers are also available for an average price of $4. Account takeover service is also quite popular among cybercriminals as they can rent an identity for as low as $10 and don’t need to buy the credentials.