What Thieves Pay For Passwords -- And Brands' Responsibility To Protect Them

The measures that brands should take to protect consumers as they click on search and display ads and shop on their ecommerce sites are not often discussed, though consumers are required to have a password to sign in and track their purchases and deliveries or stream content from a music site.

Digital Shadows, a risk protection company, identified more than 15 billion exposed credentials and passwords in circulation -- user names and passwords for internet services floating around the dark web -- up 300% since 2018, from more than 100,000 discrete breaches. This is the equivalent of more than two for every person on the planet.

The data is part of the findings from a report titled Exposure to Takeover from the company's research team. It explores account takeover fraud and the criminal networks behind it. The findings explain how cybercriminals conspire to prey on users of online services -- particularly banking and video and music streaming services -- by “taking over” accounts used daily, generating serious personal and business cyber risks.



Rick Holland, CISO and vice president of strategy at Digital Shadows, says that in the past one-and-a-half years, the company has identified and alerted its customers to some 27 million stolen credentials -- which could directly affect them.

How much does this information sell for?

  • Most consumer credentials are sold, but cybercriminals give away many for free. Those that are sold go for an average of $15.43 each.
  • Bank and other financial accounts sell for an average of $70.91 each. They account for 25% of all the advertisements that Digital Shadows analyzed.
  • Access to organizations’ key systems is being sold at a significant premium. Dozens of advertisements offer domain administrator access through auctions, selling to the highest bidder for up to $120,000 (with an average of $3,139).

The average person uses about 191 services that require them to enter passwords or other credentials, from retail websites to music streaming services, according to the report. Five billion of the more than 15 billion credentials that are now in circulation are “unique,” without any repeated credential pairs.

The research also found that access to organizations’ key systems trades at a significant premium. Usernames with “invoice” or “invoices” were by far the most commonly advertised, and comprise 66% of the two million usernames assessed. The research also found 2 million accounting email addresses exposed.

“Partners” and “payments” came in at a distant second and third place, with 10% each.

Dozens of advertisements also offer domain admin access, and in many cases it is being auctioned to the highest bidder, with prices ranging from $500 to $120,000 and an average of $3,139.

