Billions of passwords now available on underground forums, say security researchers

Usernames and passwords for everything from network administrator accounts and bank details to streaming services and anti-virus software are up for grabs on the dark web - and many are being distributed for free.
Written by Danny Palmer, Senior Writer

Usernames and passwords for over 15 billion accounts, including network administrator accounts, bank accounts and streaming services are in circulation online, according to security company researchers.

Cybersecurity researchers at Digital Shadows spent 18 months analysing how hackers gain access to and use stolen account details, and have detailed how account takeover has never been easier or cheaper for cyber criminals.

Such is the proliferation of stolen account credentials that large numbers are simply available for free when they're shared on underground forums or pasted to the open web.


Many breached accounts are shared multiple times – suggesting that despite being hacked, the user remains unaware of what has happened. But despite that duplication, researchers say there are still over five billion 'unique' accounts up for sale on the cyber-criminal underground, providing buyers with access to hacked online services.

The most valuable leaked credentials are those that provide administrator-level access to organisations, with the priciest being offered for up to $120,000, the company said. The average cost is $3,139, which is still a significant amount, but with the kind of access offered by administrator credentials, cyber criminals could make back what they pay for the information many times over. Even if attackers are paying a six-figure sum for credentials, if they use that access to disrupt an entire network with a ransomware attack and demand millions of dollars in exchange for returning access, the criminals might consider the cost worth it.

For consumer accounts, it's bank login credentials that sell for the highest value, with researchers noting that the average price stands at $70.91. The value for purchasing a bank account comes from the criminal being able to access any funds the victim has saved up – which could be thousands – as well as the ability to apply for credit cards, loans and other financial packages.

Perhaps surprisingly, the second most expensive category of hacked accounts is antivirus programs, access to which can be purchased for an average cost of $21.67 – much less than the cost of a legitimate yearly subscription.

"Much like with streaming accounts, it's likely that many buyers are simply of the mindset that they do not want to pay for a subscription to an antivirus service," Alex Guirakhoo, threat research team lead at Digital Shadows, told ZDNet.

Accounts for media-streaming services, VPNs, file-sharing services and social media all trade for under $10. In cases like streaming services, the user could potentially provide their account credentials to a friend or family member anyway, so might not even notice their account is being used, let alone compromised.

Researchers warn that the reason so many account credentials are available online – be they administrator passwords, bank details or a login for Netflix – is that people use weak passwords that brute-force cracking tools can easily break.

"These attacks are typically automated login attempts that use a predetermined list of access credentials – often, combinations of usernames or email addresses and plaintext passwords – sourced from previous data breaches or leaks," said Guirakhoo.

"Credential stuffing tools are inexpensive to purchase and use, even offering some level of automation to make gaining account access a trivial task," he added.
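As an added illustration, not part of the article or of Digital Shadows' research, the detection logic a defender might run over login logs to spot the automated attempts Guirakhoo describes: one source trying many different usernames once each, as opposed to a genuine user retyping a password or a brute force hammering a single account. The log format, sample lines and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): "<ISO time> <source IP> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2020-07-08T10:00:01 203.0.113.5 alice FAIL
2020-07-08T10:00:02 203.0.113.5 bob FAIL
2020-07-08T10:00:03 203.0.113.5 carol OK
2020-07-08T10:00:04 203.0.113.5 dan FAIL
2020-07-08T10:00:05 203.0.113.5 erin FAIL
2020-07-08T10:01:10 198.51.100.9 dave FAIL
2020-07-08T10:01:40 198.51.100.9 dave OK
2020-07-08T10:02:00 192.0.2.77 erin FAIL
2020-07-08T10:02:01 192.0.2.77 erin FAIL
2020-07-08T10:02:02 192.0.2.77 erin FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Parse lines into sorted (timestamp, source, user, result) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Flag sources that try many distinct usernames within one window, each at most a couple
    of times: the profile of replaying a breached username/password list, unlike a user
    retyping their own password or a brute force against one account. A success inside such
    a burst is a probable account takeover and is listed under "takeovers"."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        for i, (start_ts, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start_ts <= window]  # evs is time-sorted
            tries = Counter(u for _, u, _ in win)
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                alerts[src] = {
                    "distinct_users": len(tries),
                    "failures": sum(1 for e in win if e[2] == "FAIL"),
                    "takeovers": sorted(u for _, u, r in win if r == "OK"),
                }
                break
    return alerts
```

On the sample log only 203.0.113.5 is flagged; the repeated failures for one account from 192.0.2.77 and dave's retry from 198.51.100.9 are deliberately left alone, since they need different handling (lockout or rate limiting) rather than a stuffing alert.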


One way people – and businesses – can make it harder for their online accounts to be taken over is by using a unique password for each service, something a password manager can help with.

Users should also apply multi-factor authentication for an extra layer of protection, because even if the password is breached, the second-factor prompt alerts you that someone tried to get into your account.

But with over 15 billion accounts already compromised, it's highly possible that yours could be among them. Anyone worried that their account might have been hacked should look to change their password.

"If you suspect your account has been compromised, you should immediately change your passwords – and for any other services where you have used the same password – and check for any fraudulent activity. This is where unique passwords come in handy," said Guirakhoo.
