Stolen, Sold, and Exploited:This Could Be the Story of Your Passwords

What do cybercrooks do with your password once they get their filthy hands on it? It's a question you might not have asked yourself, but for many Instagram users that are currently locked out of their accounts, this information is especially important. Someday, you too could find yourself in their position, so we might as well tell you the answer right now: with your login credentials, hackers can do enough damage to make your head spin.

That's why security experts say that passwords are a really poor authentication protocol. For a variety of different and complicated reasons, stealing a password often isn't as difficult as it should be, and the theft of a single set of login credentials can enable all manner of illegal activities. Because people reuse passwords, for example, the crooks can use a single stolen record to crack open multiple accounts in an automated credential stuffing attack. And once they break into an account, they can impersonate the victim, use the profile for spreading spam, malware, or political propaganda, and many, many more nasty things. Alternatively, they might not bother with that at all.

Why do hackers trade stolen login credentials?

Some criminals hack things for the fun of it, some do it to spread their political opinions, and some do it just because they're bad people. Most of the hackers are in it for the cold hard cash, though, and they've created more than a few clever ways of monetizing on their abilities to defeat computers' defenses. The thing is, sometimes, launching a profitable illegal operation based on stolen passwords alone is either impossible or a lot of hard work.

Sometimes it's easier to just sell the passwords and let other people worry about what they should do with them. There's certainly no shortage of interest which means that a lot of people are more than happy to fork out some digital coins in exchange for your username and password. By selling them on, the hackers that stole them get to pocket a quick and easy profit. In other words, everyone's happy. Everyone, that is, except you.

How big is the credential trading business?

There's a bit of a misconception that passwords are only bought and sold on the so-called Dark Web – the hidden part of the Internet that's not accessible via Google or a regular browser. The truth is, there are a few websites on the Clearnet where anyone can go and buy some stolen passwords. Blueliv, a security company that did some research on the subject, said that hackers even use legitimate payment processors like Selly and Rocketr sometimes.

The truth is, however, the majority of the serious trading does indeed happen on the Dark Web. Usernames and passwords are sold on online stores along with all manner of other tools for making illegal profits, including guns, drugs, and malware. There are many scammers which proves that there really is no honor among thieves, and the criminals that get conned out of their money can't just call the police. Speaking of which, marketplaces often change their domain names to avoid getting brought down by law enforcement. As a result of all this, saying how big the industry is with any degree of accuracy is just not possible. There's no doubt in anyone's mind, however, that it's a hugely profitable business.

What are criminals interested in, and how much are they willing to pay for it?

Blueliv did a pretty extensive analysis in their report, and they did come up with some interesting findings. Streaming platforms like Netflix and Spotify, for example, might want to know that quite a few people deem their services too expensive and are willing to splash out about $9 on a stolen username and password combination. Facebook accounts are bought and sold for pretty much the same price, but curiously enough, buyers can get Instagram or Twitter accounts for just $2 a pop. Amazon and eBay credentials usually go for around $9, and profiles for adult websites change hands for about $5.

When it comes to banking usernames and passwords, Blueliv's report suggests that before attaching a price tag, the criminals first check the account balance. The prices vary both on the amount of money the victim has and on the marketplace.

On the Dark Web, buyers need just $10 to get access to an account that has less than $1,000 in it. Accounts priced at $300 have more than $10,000 in them, and for $25,000, buyers can get access to an account with $500,000 in it. On the Clearnet, hackers sell accounts at a much cheaper rate: about $35 for balances of up to $50,000, and between $50 and $100 for more substantial amounts. Bear in mind that these are the sums as advertised by the sellers – a bunch of hackers who are too lazy to earn their living the legal way, so taking them with a pinch of salt is probably not a bad idea.

Regardless of how much money you've got in your bank account, you don't want any other people around it. You also don't want people reading your emails, chatting with your friends or even watching your favorite TV shows at your expense. That's why, it's important to do everything you can to protect your strong, unique passwords.