CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
  • Home
  • News
  • Insights
  • Resources
Bunch of rough shape keys showing user credentials sold on dark web
Cyber SecurityNews
·4 min read

Over 24 Billion Compromised User Credentials Circulating on the Dark Web Market

Alicia Hope·June 22, 2022

Threat intelligence and cyber risk firm Digital Shadows discovered a 65% increase in compromised user credentials circulating on the dark web market.

The Account Takeover in 2022 report found more than 24 billion username and password combinations on sale on the dark web, up from 15 billion in 2020.

Two years earlier, the number of leaked credentials was just 5 billion, representing a 300% increase from 2018 to 2020. According to the firm, the number of leaked credentials was growing annually and would continue to increase in the coming years.

Digital Shadows also found that state-sponsored attackers, hacktivists, and ransomware gangs have leveraged account takeover (ATO) attacks using stolen credentials.

Easily guessable and exploitable user credentials are still widely popular

The mid-June 2022 report by Digital shadows found that the top 50 most common passwords were easy to guess. Some include combinations of the name ‘password’ with some unforgettable numbers.

Similarly, the use of ‘123456’ as a password was very common, accounting for 0.46% or at least once in every 200 passwords. Keyboard combinations such as ‘qwerty’ or ‘1q2w3e’ were also prevalent.

Subsequently, the top 100 most common passwords accounted for 2% of the leaked user credentials.

Additionally, 49 out of 50 most common passwords could be cracked in less than a second in offline attacks using free or affordable exploitation tools available on the dark web.

However, adding a special character (@,_,#) to a simple 10-character password increased the offline crack time by 90 minutes, while adding two special characters increased the time by 2 days and 4 hours.

Additionally, the Digital Shadows Photon Research team found a staggering amount of plaintext passwords accounting for 88.7% of stolen passwords in the database.

However, they did not explain the percentage of the leaked passwords stolen in hashed format and decrypted by the attackers before listing. Consequently, they suggested that the total number of stolen passwords might be higher than reported.

The report posited that increasing the effort and time required to breach an account would make it less worthwhile to attackers, forcing them to focus on other weaker accounts.

Social engineering and malware are common sources of stolen user credentials

The researchers listed malware, phishing, and social engineering as common methods for stealing user credentials.

Automated credential harvesting involves info stealers such as the Redline malware that can run in the background. According to the researchers, phishing could also spread infostealers such as Redline malware.

However, the easiest method to obtain user credentials was to buy them from dark web forums. The report noted that the price of stolen credentials depends on the age of the account, the file size, the buyer’s reputation, and account type. For example, cryptocurrency-related accounts attracted higher prices.

The effects of stolen user credentials are immense. According to the 2022 Verizon Data Breach Investigations Report, attackers gained access using stolen user credentials in 50% of the 20,000 security incidents analyzed.

Attackers regularly leverage stolen user credentials as the initial attack vector to deploy malware and exploitation tools before a ransomware attack.

“Identities are the true hackers’ objective,” Garret Grajek, CEO at YouAttest. “A username/password tuple can be attempted at not just the resource that is discovered but at multiple targets: banks, credit cards, health care, and business accounts.”

Grajek says that attackers could pivot a username with OSINT and discover the compromised workplace.

“From there it’s just a matter of logging onto the users’ account in some form, dropping in a RAT (Remote Access Trojan), and then begin the cyber kill chain of lateral movement and privilege escalation. It is imperative that an enterprise practice Zero Trust and strong identity governance which help identify anomalies in user privileges,” Grajek said.

Dark web marketplaces expanded in size and sophistication

Cybercriminals depend on the dark web to dispose of their stolen user credentials. The Digital Shadows report found that dark web marketplaces continue expanding and offering more exploitation tools, malware, and services.

Additionally, the dark web marketplaces introduced various subscription models, including premium services to facilitate the sale and purchase of stolen user credentials.

However, the attackers advertised many stolen user credentials on several dark web forums to increase the customer base. This practice introduced duplication in the user credentials listed for sale.

Digital Shadows accounted for replication and recorded 6.7 billion unique records after removing the duplicates. Even then, the number of stolen credentials had increased by 1.7 billion from 2020, representing a 34% increase.

The report stated that the firm had warned its customers about advertised compromised credentials at least 6.7 million times in the last 18 months.

How to protect user credentials from data leaks

Digital Shadows advised users to store their passwords using a password manager. Using a password manager allows them to use strong passwords without remembering them.

Additionally, they should enable multi-factor authentication, which could replace passwords and other authentication methods.

Similarly, using an Authenticator App to generate temporary authentication codes would render exposed credentials useless.

“We will move to a ‘passwordless’ future, but for now, the issue of breached credentials is out of control,” Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, said. “Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds.”

Morgan said leaked user credentials include those of staff, customers, servers, and IoT devices. He added that the breaches could have been mitigated by stronger passwords and avoiding password reuse across different accounts.

Digital Shadows attributed increasing ATO attacks to an increase in the average user’s digital footprint, authentication blind spots by the lack of consistency in authentication, and the failure to secure compromised accounts on time.

Kim DeCarlis, CMO at PerimeterX, noted that the cyber threat landscape had changed, with web attacks being part of an integrated cybercrime cycle, with each propagating the other prolonging the attack cycle.

“The front door to a web app is a valid user name and password, and it is eye-opening to learn the number of credential pairs available on the dark web,” DeCarlis said. “Stopping the theft, validation, and fraudulent use of account and identity information should be a prime focus for all online businesses.”

 

Tags
Account TakeoverDark WebUser Credentials
Alicia Hope
Staff Correspondent at CPO Magazine
Alicia Hope has been a journalist for more than 5 years, reporting on technology, cyber security and data privacy news.
Related
Hacker talking on the phone showing bank staff impersonated in account takeover
Cyber SecurityNews

FBI Warns Bank Staff Impersonation Is on the Rise, Over 5,100 Account Takeover Cases in 2025

November 28, 2025
Hacker pointing to code on a monitor showing data breach and posted on dark web
Cyber SecurityNews

Toys “R” Us Canada Data Breach Leaks Customer Information on the Dark Web

November 4, 2025
Hacker in handcuffs in front of laptop showing law enforcement raid on dark web site
Cyber SecurityNews

Law Enforcement Raid on RagnarLocker Leads to Seizure of Dark Web Site, Arrest of Leader

October 23, 2023
ChatGPT on phone screen showing OpenAI credentials sold on dark web
Cyber SecurityNews

Over 200,000 Compromised OpenAI Credentials Available for Purchase on the Dark Web

July 31, 2023
Backlit hand using tablet with abstract glowing digital skull showing bad bots and account takeover and API attacks
Cyber SecurityNews

Bad Bots Account For 30% Of Internet Traffic and Are More Frequent in Account Takeover and API Attacks

May 30, 2023
Facebook screen in the hands of a woman showing account takeover of Facebook profiles
Cyber SecurityNews

An Effective Account Takeover Trick Is Helping Scammers Steal Thousands of Facebook Profiles

May 3, 2023
Hands of hackers typing on keyboard showing data breach of user credentials
Cyber SecurityNews

American Bar Association’s Data Breach Exposes User Credentials of 1.4 Million Members

April 28, 2023
Mobile phone on a computer keyboard with the WhatsApp logo showing data leak sold on dark web
Cyber SecurityNews

Nearly 500 Million WhatsApp Records Allegedly Stolen in Data Leak, Offered on Dark Web for a Few Thousand Dollars

December 5, 2022
- Advertisement -
- Advertisement -

Latest

Hacker working on a code showing security breach

Security Breach at Tata Electronics Affects Apple, Tesla, and Other Technology Giants

Rio de Janeiro downtown showing breach of emergency alert system

Hackers Breach Brazil’s Emergency Alert System, Triggering Millions of False Alerts

Code and numbers showing quantum-safe

Products That Are Not “Quantum-Safe” May Soon Be Ineligible for Cybersecurity Certification in France

Crowded soccer stadium showing API vulnerability for FIFA World Cup streams

API Vulnerability Could Have Let Attackers Hijack FIFA World Cup Broadcast Streams

- Advertisement -
- Advertisement -
- Advertisement -
- Advertisement -

Learn More

About
Contact
Our Advertising
Privacy Policy
Cookie Policy
Terms of Use

CPO Magazine

News, insights and resources for data protection, privacy and cyber security professionals.

Learn More

About
Contact
Our Advertising
Privacy Policy
Cookie Policy
Terms of Use

Categories

Data Privacy
Data Protection
Cyber Security
Tech
Digital
Insights
News
Resources
Press Releases

© 2025 Rezonen Pte. Ltd.
CPO Magazine - News, Insights and Resources for Data Privacy, Protection and Cybersecurity Leaders
  • Home
  • News
  • Insights
  • Resources
    Start typing to see results or hit ESC to close
    Data Breach U.S. Cyber Attack Regulations Ransomware Attack
    See all results