15 Billion Credentials Currently For Sale on Hacker Forums
Fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums, which sheds light on the sheer scope of compromised credentials on the internet. A report released Wednesday by the Digital Shadows Photon Research Team found that 100,000 separate data breaches over a two-year period have yielded a 300 percent increase in stolen credentials. The result is a treasure trove of account details up for sale on dark-web hacker forums. Most of the credentials are from consumers, and while many are sold on forums, many are also given away for free by hackers.
Hackers steal these credentials in a number of ways, including phishing, credential-stealing malware and credit card skimmers. It has never been easier to steal sensitive data from user accounts. Brute-force cracking tools and account checkers are available on hacking marketplaces for about $4, as are new service options that allow criminals to "rent" an identity for less than $10. The number of credentials available is staggering.
The report also highlights the persistent problem that people aren't taking even the simplest security measures, such as changing their passwords frequently, and are using the same password across multiple places. The credentials being sold online vary in access and price, according to the report. They include usernames and passwords for everything from financial accounts to video and music-streaming services to antivirus programs. Unsurprisingly, bank and other financial accounts are the most expensive to purchase, selling for over $70 apiece. Data that puts potential financial gain on the table tends to be the most valuable to hackers.
Credentials to access antivirus programs earned the second-highest price on hacker forums, coming in at over $20 a pop. Hackers consider access to media streaming, social media, file sharing and adult sites less valuable; these credentials sell for less than $1. While consumer credentials comprised the bulk of those the researchers tracked, organizations are also at risk of credential theft and potential reuse for malicious purposes, particularly if financial gain is involved. The report uncovered 2 million accounting email addresses exposed online.
Consumers should use a different password for every account, and organizations should stay ahead by tracking where the details of their employees and customers could be compromised. The password problem has plagued the security industry for years. Poor password practices, including reusing passwords or picking easy-to-guess passwords, increase the issues that plague security. Passwords are appearing everywhere online as part of major data breaches. Even with those public breaches, victims aren't changing their passwords at all across various platforms. Businesses should monitor for leaked credentials of their employees, look for mentions of their company and brand names across cracking forums, and educate their staff about the dangers of password reuse.