Billions of personal account details for sale on the dark web

Billions of stolen usernames and passwords, including logins to bank accounts, are being offered to cyber criminals on the dark web, new research has warned.

According to a report by London-based cyber-security firm Digital Shadows, more than 15 billion credentials are in circulation on online marketplaces used by criminals.

It said account details for internet services, ranging from bank accounts to video and music streaming services, were among those on offer at an average price of around £12. Meanwhile, bank and financial service accounts were found to be on sale for an average of £56 – although they could be sold for £400 or more depending on the “quality” of the account. 

Five billion of the identified credentials were assessed to be unique in that they had not been advertised more than once on a criminal forum. Banking and financial accounts made up around a quarter of those advertised, the research suggests. 

“The sheer number of credentials available is staggering and in just over the past one-and-a-half years we’ve identified and alerted our customers to some 27 million credentials which could directly affect them,” said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. 

He added that some of the exposed accounts can have – or have access to – incredibly sensitive information. “Details exposed from one breach could be reused to compromise accounts used elsewhere,” he explained. 

The cyber-security firm revealed the number of stolen credentials available had quadrupled since 2018 as a result of over 100,000 data breaches. 

The research also warned that many online tools that could be used to target accounts were available to buy online for less than £3.50 and could be used with little technical expertise. It added that, as well as those of individuals, credentials providing access to large organisations and their systems were being advertised.

To prevent account details from being sold to cyber criminals, the firm has urged the public and businesses to follow basic cyber-security principles. These include using different passwords for different accounts and activating additional layers of security for log-in, such as two-factor authentication.

“The message is simple: consumers should use different passwords for every account and organisations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised,” Holland said.

In April, Digital Shadows found many unregistered Covid-19 test kits and hard-to-acquire face masks were being sold on the dark web as criminals looked to take advantage of people’s concerns about the virus.
