Billions of stolen usernames and passwords discovered for sale on the Dark Web – with bank accounts being flogged for as little as £56
- Cybersecurity firm Digital Shadows said it found more than 15 billion credentials
- Bank account details were available for between £56 and £400 apiece
- Five billion of the identified credentials were assessed to be unique
Billions of stolen usernames and passwords, including log-ins to bank accounts, are being offered to cybercriminals on the dark web, new research suggests.
Cybersecurity firm Digital Shadows said it found more than 15 billion credentials in circulation on online marketplaces used by criminals.
It said account details were available for a variety of accounts, ranging from bank details to music streaming services.
For the latter, details were available, on average, for around £12.
Bank and financial service accounts are on sale for an average of £56. But the price can spike to more than £400 for access to ‘high-quality accounts’.
Cybersecurity firm Digital Shadows said it found more than 15 billion credentials in circulation on online marketplaces used by criminals (stock)
Five billion of the identified credentials were assessed to be unique in that they had not been advertised more than once on a criminal forum.
According to the research, banking and financial accounts made up around a quarter of those advertised.
The cybersecurity firm said the number of stolen credentials available had quadrupled since 2018 as a result of more than 100,000 data breaches.
Rick Holland, chief information security officer and vice president of strategy at Digital Shadows said: ‘The sheer number of credentials available is staggering and in just over the past one-and-a-half years we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them.
Account details were available for a variety of account, ranging from bank details to music streaming services. For the latter, prices were available, on average, for around £12. However, bank and financial service accounts are on sale for an average of £56 (stock)
‘Some of these exposed accounts can have – or have access to – incredibly sensitive information.
‘Details exposed from one breach could be reused to compromise accounts used elsewhere.
It urged the public and businesses to follow basic cybersecurity principles, such as using different passwords for different accounts and activating additional layers of security for log-in such as two-factor authentication.
The research warned that many online tools which could be used to target accounts were available to buy online for less than £3.50 and can be used with little technical expertise.
Digital Shadows’ research also warned that as well as individuals, credentials providing access to large organisations and their systems were also being advertised.
Kate Bevan, Which? Computing Editor, said: ‘The huge market for stolen data goes to show why banks and other firms that hold their customers’ sensitive information must do more to protect it from hackers, such as using two-factor authentication as standard.
‘Anyone worried about their personal data being compromised can take steps to protect themselves online, such as using strong and unique passwords across different sites, using a password manager to keep on top of them, and ensuring their computer is protected with regularly updated antivirus software.
‘If you believe your data has been hacked, watch out for any suspicious emails or attempted scams, update your passwords and keep an eye on your accounts for any unauthorised activity.’
Using different password for accounts can keep you safe online
Hackers can obtain breached credentials, like usernames and passwords, on the Dark Web – often for free.
Or, they can obtain them by tricking people to signing up to new websites through a phoney system.
Most people reuse the same credentials for multiple accounts they hold online, which means that once one account is breached, others may be vulnerable.
Or, they use the same general password and tweak it slightly for different sites to meet various criteria.
Popular methods include adding a number at the end, adding capital letters or inserting a ‘special character’, such as an underscore.
Cyber criminals can use software tools to test combinations of credentials in a highly automated bulk effort.
For example, if a victim enters a password ‘DerbyRam95’, the software will try variations, such as ‘DerbyRams_95’, ‘derbyram2020’, or ‘DCFCRams95’.
If they get lucky, the password entered to access a harmless TV streaming service will be very similar to one used to access online banking.
Hackers will try to use this to see if they can access financial services, and deplete a person’s money.
The best defence against this type of attack is to use a unique password for each site you have an account with.
There are various password management applications that can help you to keep track of all of these details in a secure manner.
You can also check whether any of your accounts have been breached using the website Have I Been Pwned.