New Report Reveals 15 Billion Stolen Accounts Are Available On The Dark Web

A recent report published by Digital Shadows, a German-based information-security firm, has revealed just how many stolen account details are in circulation among cybercriminals on dark web forums. The firm's Photon Research team audited criminal forums and marketplaces on the dark web for 18 months. It concluded that the number of stolen user credentials in circulation had increased by a whopping 300% since 2018.

The researchers reported that they had discovered more than 15 billion sets of usernames and passwords, stolen in 100 thousand separate data breaches or obtained by a variety of other methods, being sold or given away for free on online forums. Given the size of the world population, it is clear that many of these are duplicates. Out of the 15 billion total accounts, 5 billion appear to be unique, having no duplicate credential pairs.



According to Digital Shadows, the majority of the stolen credentials belonged to private individuals and consumers. The login information available online includes audio and video streaming services such as Spotify and Netflix, other platforms and social media, and, most importantly, bank accounts.

Prices depended on the type of account, with Netflix credentials going for $3 to $5, except for a supposedly "lifetime cracked" account that was up for sale at $10. However, the average cost of a consumer account is around $15, with antivirus accounts selling for about $20, and financial service accounts fetching as much as $70.

Corporate Accounts

The researchers came across far fewer corporate email addresses, usernames, and passwords, with a total of around two million credential pairs. As expected, these accounts sold for higher prices than the consumer ones, with offers ranging from 500 to 120,000 dollars or euros. The amount depended on a number of factors, including the size of the breached organization and the privileges of the account. The average price of a corporate account is around $3,100, which is no small change. Still, the kind of access an administrator account could grant would allow cybercriminals to recoup their investment many times over.

Protection Against Credential Theft

Given the sheer number of compromised accounts available for purchase, or even for free, on the dark web, it's highly likely that the majority of people reading this have at least one set of stolen credentials out there. Anyone who wants to check their email address can do so on the Have I Been Pwned website, which shows a record of the breaches that the address was part of.

The most effective thing a person can do to protect their credentials is never to use the same password twice. Some people use password manager software to generate and manage a large number of login credentials. Multi-factor authentication is another step that users can take to protect their accounts. Still, security experts warn that new methods to bypass such measures are continually being discussed and acted on in online cybercriminal forums.
