The Usernames and Passwords of 15 Billion Accounts Have Been Exposed

Your login credentials can get compromised. You can fall victim to a phishing scam, the service provider you're using may suffer a data breach, and if your passwords are not strong enough, cybercriminals could have no trouble guessing them. But what happens after your login data falls into the wrong hands?

Researchers from Digital Shadows decided to find out. Yesterday, they issued a report in which they track a total of 15 billion credentials leaked during more than 100 thousand data breaches registered over the last two years.

Login credentials are sold all the time

It's easy to assume that once they've stolen your username and password, the first thing a cybercriminal would do is log into your account. More often than not, however, the crooks try to monetize the compromised data by selling it to other crooks. As you'll now see, it's a pretty profitable business.

Login credentials for all sorts of accounts and services are bought and sold on hacking forums and dark web marketplaces. Not surprisingly, some of the 15 billion username and password pairs were also offered for sale, and Digital Shadows' researchers kept a close eye on the listings in order to find out more about the nature of the stolen data and the profits it could bring.

About a quarter of the credentials offered for sale unlock accounts at banks or other financial institutions, which proves, as if proof were needed, that cold hard cash is the main motivation for most cybercriminal activities.

13% of the offered credentials protect accounts at streaming services like Netflix, which, once again, is hardly shocking. Compared to paying for a subscription, using a stolen password is much cheaper, and often, the owner of the compromised account remains none the wiser for an extended period of time.

Roughly the same percentage of advertised passwords give buyers access to proxy and VPN services. These could be useful if the crooks want to cover their tracks during or after a cyberattack.

Hackers also sell millions of other passwords that open anything from social media profiles to accounts at file-sharing platforms and adult websites.

How much does your password cost?

The pricing of the stolen credentials is based on rock-hard logic. The older a password is, for example, the more likely it is to become invalid soon (if it hasn't already), and therefore, the cheaper it is. The price of a set of compromised credentials is also dependent on the type of account they unlock.

On one end of the scale, you have hackers selling network administrator passwords for anything between $3 thousand and $140 thousand. These prices look astronomical, but according to the adverts, the sold credentials could give the buyer unrestricted access to the internal networks of some pretty large organizations. The damage and the subsequent profits that can be made after such an attack are truly enormous. The majority of the compromised accounts, however, are personal and are therefore much cheaper.

Predictably, online banking passwords command a higher price. Once again, it is dependent on a number of different factors, but Digital Shadows estimated that, on average, a set of login credentials for a bank or a financial institution goes for about $71.

Somewhat surprisingly, compromised subscriptions for anti-virus products take second place. On average, they are sold at around $21 per account, which goes to show that the hackers are willing to pay for security.

The rest of the credentials are either sold in bulk at less than $10 per set or are shared for free, and their affordable price makes them perfect for hackers trying to launch credential stuffing attacks.

Digital Shadows' report is a very grim reminder of the state of cybersecurity. Your login credentials are compromised on a daily basis, and your identity is traded on the underground markets for peanuts. It doesn't look like things are about to change any time soon, either. Apparently, in just two years, the number of usernames and passwords in circulation has registered a 300% jump, and the constant stream of data breaches and leaks we read about every day doesn't suggest that the trend is about to be bucked.

July 9, 2020