There are more than 15 billion credentials available for purchase on cybercriminal marketplaces—the equivalent of more than two for every person on the planet. This is according to new research from Digital Shadows on how cybercriminals exploit stolen credentials for accounts, including bank accounts, social media and video streaming services.
The study finds the number of stolen and exposed credentials has risen 300 percent from 2018 as the result of more than 100,000 separate breaches. Of these, more than 5 billion were assessed to be "unique," meaning they have not been advertised more than once on criminal forums.
Digital Shadows researchers said the majority of exposed account credentials belong to consumers and include usernames and passwords for online accounts ranging from bank accounts to video and music streaming services. Many account details are offered free of charge, but of those on sale, the average account trades for $15.43. Bank and financial accounts are the most expensive, averaging $70.91, but they can go for more than $500 depending on the ‘quality’ of the account, researchers said.
“Unfortunately for both consumers and businesses, account takeover has never been easier (or cheaper) for cybercriminals. A myriad of brute-force tools and account checkers are available on criminal marketplaces—and can be used with little technical expertise—for an average of $4,” said Digital Shadows in a summary of the report.
The firm is also seeing a rise in "account takeover-as-a-service" where, rather than buying a credential, criminals can rent an identity for a given period, often for less than $10. For this price, the service collects fingerprint data (such as cookies, IP addresses, time zones) from a victim, which makes it considerably easier to perform account takeovers and transactions that go unnoticed.