Fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums – shedding light on the sheer scope of compromised credentials that are fueling account takeovers on the internet.
A report released Wednesday — “From Exposure to Takeover” by the Digital Shadows Photon Research Team — found that 100,000 separate data breaches over a two-year period have yielded a 300 percent increase in stolen credentials, leaving a veritable bonanza of account details on dark-web hacker forums up for grabs.
Most of the credentials are from consumers, and while many are sold on forums—for an average price of $15.43—many also are given away for free by hackers, researchers found.
Threat actors gain access to these credentials in a number of ways—among them phishing, credential-stealing malware and credit-card skimmers–and it’s never been easier for them to lift this type of sensitive data from user accounts, said Rick Holland, CISO and vice president of strategy at Digital Shadows, in a press statement.
Brute-force cracking tools and account checkers are available on criminal marketplaces for an average of $4, as well as new options for account takeover “as-a-service” that allows criminals to “rent” an identity for less than $10, he said.
“The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials –which could directly affect them,” Holland said.
The report also highlights the persistent problem that people aren’t taking even the simplest of proper security measures — such as changing their passwords frequently, which many still don’t do — when they use some 191 services that require them to enter their credentials online, Holland noted.
“The message is simple–consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised,” he said.
The credentials being flogged online vary in access and price, according to the report. They include usernames and passwords for everything from bank or financial accounts–which comprised 25 percent of the credentials analyzed–to video- and music-streaming services, to antivirus programs.
Unsurprisingly, credentials for bank and other financial accounts are also the most expensive to purchase, selling for an average of $70.91 a piece, researchers found. Indeed, data that puts potential financial gain on the table tends to be the most valuable to threat actors.
Data for accessing antivirus programs earned the second-highest price on hacker forums, at an average of $21.67. Threat actors apparently find access to media streaming, social media, file sharing, virtual private networks (VPNs) and adult-content sites far less valuable, with these credentials traded “for significantly under $1” on forums, according to the report.
While consumer credentials comprised the bulk of those researchers tracked, organizations are not immune to the risk of credential theft and potential reuse for nefarious purposes, particularly if financial gain is involved. The report uncovered 2 million accounting email addresses exposed online, with those referencing “invoice” or “invoices” the most commonly advertised on hacker forums, researchers said.
The big “password problem” has plagued the security industry for years. Poor password hygiene, including reusing passwords or picking easy-to-guess passwords, is greatly exacerbating many of the major issues that plague the cybersecurity landscape, security experts like Troy Hunt have said in the past. Making matters worse, passwords are appearing left and right online as part of major data breaches – yet victims aren’t changing their passwords at all across various platforms. The Collection #1 data dump, which included 773 million credentials, and subsequent Collection #2-5 dumps, show exactly how many passwords are available on the Dark Web and underground forums.
Digital Shadows researchers for their part recommend that businesses monitor for leaked credentials of their employees, keep an eye out for mentions of their company and brand names across cracking forums and educate their staff about the dangers of password reuse.
BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.