15 Billion Compromised Credentials Available for Sale on Hacker Forums

A Digital Shadows report shares insights into the function of hacker forums and the severity of the risk posed by compromised credentials, given the frequency of account takeover attacks.

There are currently 15 billion compromised credentials and passwords for sale on hacker forums, stolen from more than 100,000 separate data breaches in the last two years, according to a new report from Digital Shadows. Five billion of these are unique credential sets, without repeated data.

The number of stolen credentials for sale on the dark web has increased by a whopping 300 percent since 2018. The concern is that the average user employs 191 services that require usernames and passwords, and many reuse passwords across both personal and business accounts.

The insights follow recent reports from the Department of Homeland Security on a ransomware campaign, in which hackers use stolen credentials to gain access through remote access systems. The attacks are highly successful given the frequency of password reuse and users failing to update passwords after a breach, as well as a lack of multi-factor authentication. 

For its latest report, Digital Shadows sought to address the risk posed by password reuse and the risks posed by stolen credentials by analyzing data from its SearchLight service, which maintains a database of breached credentials and monitors criminal forums for hacker trends, tools, and advertisements. 

The researchers found that many cybercriminals give away stolen credentials for free. Those that are sold cost about $15.43, on average. Bank and financial accounts account for 25 percent of all advertised credentials and are the most valuable, selling for about $70.91 each. 

Credentials for antivirus programs are the second most expensive, selling for about $21.67 on the dark web, followed by virtual private network (VPN), social media, media streaming, and file sharing credentials, which are sold for about $10 each.

The researchers also detected a significant number of administrator addresses, including login details, credentials, or sensitive data. US-based accounts were the most frequently advertised.

However, direct access into an organization’s key systems is sold at a “significant premium.” The researchers found dozens of dark web postings that offered access through auctions and selling to the highest bidder for as much as $140,000 and an average of $3,139. 

Notably, enterprise accounting emails were highly sought after with more than 2 million exposed, and email addresses boasting “invoices” were the most commonly advertised.  

Further, the report showed it’s never been easier or more affordable for an attacker to successfully take over an account. Brute-force cracking tools and account checkers sell for an average of $4.00, while account takeover “as-a-service” sells for as little as $10, allowing hackers to “rent” identities for cheap.

“Criminal operations using brute-force cracking tools or account checkers may also take advantage of IP addresses, VPN services, botnets, or proxies to maintain anonymity or improve the likelihood of accessing an account,” researchers wrote. 

“Once they’re in, they can use the account for malicious purposes or extract all of its data (potentially including payment-card details or PII) to monetize it,” they added. 

Overall, account accesses are relatively inexpensive, as buyers aren’t guaranteed the purchase will actually provide access to their victims’ accounts. Vendors can also obtain account accesses cheaply, as “many are also byproducts of another crime.”

For Digital Shadows, the issue is that “initially compromised accounts can become pivot points that lead to more sensitive accounts.” Hackers typically acquire stolen credentials through stolen databases, credential-stealing malware and phishing campaigns, and dark web postings. 

To improve an organization’s defense against account takeover attacks, researchers stressed that a shift in behavior and practices is required. Administrators should monitor for leaked employee credentials by leveraging resources like “HaveIBeenPwned” or code repositories.

Security teams can also monitor for references to their enterprise on cracking forums, as “configuration files for websites that are being actively shared and downloaded are a good indication of impending account takeover attacks.” For this, researchers recommended the use of Google Alerts to identify the risks to the organization. These methods should also be employed for all customer or client accounts.
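One way a security team can act on the leaked-credential recommendation above, as an added example that is not part of the Digital Shadows report or this article: check a password against the Have I Been Pwned “Pwned Passwords” corpus through its public k-anonymity range endpoint, so only the first five characters of the SHA-1 hash ever leave the network. The `fetch` parameter, the `breach_count` helper and the sample response are assumptions for this example; the sample response and its counts are constructed, not real API output.

```python
"""Check a password against Have I Been Pwned "Pwned Passwords" (k-anonymity range API)."""
import hashlib
import urllib.request

# Public endpoint; no API key is required. Only the 5-char SHA-1 prefix is sent,
# and the server returns every known suffix sharing that prefix with its count.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the API's 'SUFFIX:COUNT' lines into {suffix: count}, ignoring malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch=None):
    """Return how many times the password appears in the corpus (0 = not seen).

    fetch(prefix) -> str is injectable (an assumption of this example) so the
    logic can run offline; by default the live range endpoint is queried."""
    prefix, suffix = sha1_prefix_suffix(password)
    if fetch is None:
        def fetch(p):
            req = urllib.request.Request(RANGE_URL + p, headers={"User-Agent": "leaked-cred-check"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response (not real API data) for the prefix of "password":
# two filler suffixes plus the real SHA-1 suffix of "password" with a made-up count.
SAMPLE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
011053FD0102E94D6AE2F8B83D76FAF94F6:2
"""

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RESPONSE  # swap for None to query the live API
    print("password ->", breach_count("password", fetch=offline))
    print("unseen   ->", breach_count("xK9#example-not-in-sample", fetch=offline))
```

A password that returns a non-zero count should be treated as burned regardless of its complexity, since it is already in attackers' cracking dictionaries.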

Digital Shadows also recommended organizations deploy an inline web application firewall to identify and block credential stuffing attacks, while increasing user awareness. Research shows phishing education and training can reduce the risk to the healthcare sector. 

Lastly, researchers reminded enterprises of the importance of multi-factor authentication, especially as MFA blocks 99.9 percent of automated cyberattacks, according to Microsoft.  

For healthcare, these recommendations are especially important in light of reports of an increase in password spraying attacks. Advanced persistent threat (APT) actors have been targeting the healthcare sector and essential services with brute force attacks, leveraging stolen or commonly used passwords to gain a foothold into the network.
