
Digital Shadows Researchers Say Over 15 Billion Stolen Passwords Are Circulating on the Dark Web

The Digital Shadows Photon Research team found that the number of stolen username and password combinations circulating on the dark web is more than twice the number of humans on the planet. The “From Exposure to Takeover” research also found that the number of stolen passwords increased by 300% within the last two years. Over 15 billion stolen account credentials, stemming from over 100,000 data breaches, were available on black markets. A third of the credentials had no duplicates and were obtained from recent exploits. The most frequently exposed account details originated from online services such as online banking, social media accounts, and music streaming services.

Nature of the stolen passwords problem on the dark web

The researchers found that among the 15 billion credentials circulating on the dark web, 5 billion consisted of unique records. Such records have been advertised only once in the hacking forums. Duplication is caused by the lack of honor among thieves, where some cybercriminals resell stolen details to more than one buyer.

Cybercriminals have also developed tools to bypass SMS-based two-factor authentication (2FA), according to the researchers. One example was a Russian hacker group selling exploit kits that could bypass the 2FA of a major US bank.

The largest proportion of the stolen details belonged to consumers. Unlike corporate users, most consumers ignore strong password policies and are more vulnerable to personalized phishing attacks.

Price of the stolen passwords on the black market

Most of the stolen passwords on the dark web were accessible for free, according to the Digital Shadows researchers. For those on sale, the average price of the stolen passwords was $15.43. However, 25% of the stolen account credentials commanded a premium price on the dark web. Premium account details, which included logins for active bank accounts and other online financial services, fetched an average of $70.91.

Usernames containing the word “invoice” were very popular in the dark web marketplace and attracted a higher price. Some bank account authentication details sold for up to $500. The determining factors for the high price were the amount of funds available in the account and the freshness of the breach.

Newer breaches guarantee that the stolen login details have not been widely shared or sold to multiple buyers. Additionally, the affected account owners are less likely to be aware of the breach, hence unlikely to have changed their login details.

Stolen passwords for antivirus and security solutions ranked second. A single username and password combination for a security solution service account cost an average of $21.67 on the dark web.

Login details for adult content sites, social media accounts, virtual private networks, file-sharing services, and music and video streaming services sold for about $10 each.

Cybercriminals auctioned domain administrator login details for an average price of $3,139. Such accounts could fetch up to $120,000 on the dark web, depending on the status of the breached organization. Stolen passwords from such organizations allowed threat actors to access sensitive data and companies’ critical IT infrastructure and therefore commanded a special price.

Price of stolen passwords has plummeted

Digital Shadows researchers attributed the 300% increase in the availability of stolen username and password combinations to falling prices. The influx of free stolen credentials reduced the value of account login details on sale on the dark web.

Additionally, the price of the tools used in breaching accounts has become cheaper while the tools have become widely available. For example, brute-force password crackers and account checkers sold for as little as $4 on the dark web. Consequently, it has become easier for individual cybercriminals to obtain account login details independently.

Cybercriminal gangs have also learned to cooperate in exploiting systems and cracking passwords. For example, stolen databases were shared with the community to help crack the hashed passwords and recover the plaintext. The recovered passwords were then shared freely with all participants, freeing the criminals from paying for stolen passwords.

Account takeover mitigation efforts

Because most users recycle passwords across various sites, exposure of one account could lead to a chain reaction. The researchers advised consumers to use unique passwords for each online account they operate.

However, managing different passwords across many sites is not a trivial undertaking. Users should therefore use a reputable password manager to consolidate all their passwords.

Ben Goodman, senior vice president of global business and corporate development, ForgeRock, says most users recycle passwords because of the fear of forgetting.

“Passwords have been the primary authentication method for decades, and most users have an average of over 130 online accounts. It’s unlikely that users can remember 130 unique sets of login credentials, and as a result, most opt to reuse the same passwords and usernames across most (if not all) of their accounts.”

The researchers also advised individuals to use two-factor authentication in protecting online accounts.

The use of complex passwords also increases the effort required to brute-force an online account. System administrators should enforce these rules to prevent workers from using simple passwords that put the companies’ information at risk.

They should also conduct regular checks to determine whether accounts belonging to their organizations’ users have been leaked. Tools such as HaveIBeenPwned allow people to find out whether their email addresses appeared in a major breach.
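The leaked-credential checks recommended above can also be applied to passwords themselves without disclosing them: the HaveIBeenPwned "Pwned Passwords" range API accepts only the first five hex characters of a password's SHA-1 hash and returns every known suffix for that prefix with a breach count (k-anonymity). The following added example (not from the article or Digital Shadows) implements that client-side logic; the range response is a constructed sample standing in for the live reply, so the code runs offline.

```python
import hashlib
from typing import Dict, Optional, Tuple

# CONSTRUCTED sample standing in for the body of
# GET https://api.pwnedpasswords.com/range/5BAA6 (real counts differ).
# Each line is "<35-hex-char SHA-1 suffix>:<number of breach occurrences>".
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix of SHA-1("password")
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}

def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> Optional[str]:
    """Offline stand-in for the HTTP call: serve the constructed sample."""
    return SAMPLE_RANGE_RESPONSES.get(prefix)

def pwned_count(password: str) -> int:
    """How often the password appears in the corpus (0 = not seen).
    Neither the password nor its full hash leaves the client."""
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)
    if body is None:
        return 0
    return parse_range_response(body).get(suffix, 0)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: {'seen %d times, reject' % n if n else 'not in sample corpus'}")
```

A password policy can reject any candidate with a non-zero count at set or reset time, which addresses the reuse problem described above without the server ever seeing the password.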

James McQuiggan, Security Awareness Advocate at KnowBe4, says financial institutions should apply more robust authentication methods instead of relying on 2FA and username and password combinations.

“There are certain capabilities where hardware tokens are plugged into a computer to authenticate an account, but this isn’t easy with mobile devices. Soft tokens or authenticators are starting to be utilized more for applications, like Microsoft and Google, which makes logging into the accounts easier.”