There are more than 15 billion stolen account credentials being sold or even shared for free on the dark web, with individual entries selling for an average of $15.43, a new research report states.
Roughly one-third of the credentials, or about 5 billion, are unique, according to Digital Shadows, whose researchers reached these totals following an analysis of two-and-a-half years of advertised account credentials found across nine active and defunct dark web marketplaces.
Of the various categories of stolen credentials, bank and financial account passwords were found to be the most expensive -- advertised on the dark web for an average of $70.91, with some prices set upwards of $500.
Those seeking to score admin credentials for the purpose of a corporate account takeover (ATO) must pay an especially high premium. These privileged accounts cost an average of $3,139 but can go as high as $140,000.
Cybercriminals who don't want to spend too much or harvest credentials themselves have the option of renting compromised accounts via ATO-as-a-service offerings for $10. Meanwhile, tools to crack accounts, including brute-force tools and account checkers, are being advertised for as little as $4, the report notes.
Digital Shadows says the total number of credentials available for account takeovers come from approximately 100,000 separate breaches. Additional details can be found in the report and Digital Shadows' corresponding blog post and press release.
“The sheer number of credentials available is staggering..." said Rick Holland, CISO and VP of strategy at Digital Shadows. "Some of these exposed accounts can have, or have access to, incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere. The message is simple: Consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”
