According to a new report from Digital Shadows, more than 15 billion usernames and passwords are available on the dark web. The stolen login details belong to a wide range of accounts, including network administrator accounts, social media platforms, banking services, and streaming websites. To put it in a different perspective, this staggering number of credentials is equivalent to two sets of passwords for every person on the planet. It has increased by 300% since 2018 and comes as a result of 100,000 data breaches.
The Digital Shadows Photon Research team spent 18 months scavenging the dark web and underground forums to analyze how cybercriminals steal your credentials and take over your account. They found that password theft has increased by 300% since 2018, caused by 100,000 data breaches. The reason behind this significant leap is that many consumers use weak passwords, which can be guessed with a brute-force attack.
Most of the stolen login credentials are shared several times, which means that victims aren’t even aware of any hack that may have taken place. However, around five billion unique logins are up for sale on the dark web, the report found. As for most of the duplicates, cybercriminals were giving them away for free.
Prices for commercially traded logins varied depending on the account’s importance. Logins for streaming services, VPNs, and social media platforms all cost under $10. Antivirus program logins had a higher average price of $21.67 but were still below the legitimate subscription price. Online banking and financial accounts, meanwhile, cost $70.91 on average. These credentials were more expensive because the buyer gains access to the victim’s bank account, which could contain thousands of dollars. In fact, the research team reported that some banking logins were sold for $500.
But the most valuable usernames and passwords belonged to network administrators, which give hackers access to company networks. Researchers found that the stolen data was auctioned off to cybercriminals, reaching $120,000 in some cases. The average cost, though, was $3,139. But even if attackers pay six figures for these credentials, they could still make a lot of money. For example, they can install ransomware on the network, encrypt files, and demand millions of dollars in exchange for the data.