Over 15 billion sets of credentials in circulation on criminal marketplaces
New research from risk prevention specialist Digital Shadows finds there are more than 15 billion sets of usernames and passwords in circulation in cybercriminal marketplaces -- the equivalent of more than two for every person on the planet.
The number of stolen and exposed credentials has risen 300 percent from 2018 as the result of more than 100,000 separate breaches. Of these, more than 5 billion were assessed as 'unique' -- that is, not advertised more than once on criminal forums.
The majority of exposed account credentials belong to consumers and include usernames and passwords from bank accounts as well as video and music streaming services. Many account details are offered free of charge, but of those on sale the average account trades for $15.43. Unsurprisingly, bank and financial accounts are the most costly, averaging $70.91; however, they can trade for upwards of $500, depending on the 'quality' of the account. In addition to being the most expensive, banking and financial accounts make up 25 percent of all the advertisements analyzed.
Accounts relating to key business systems are highly prized. Usernames with 'invoice' or 'invoices' in them were by far the most commonly advertised and make up 66 percent of the two million usernames assessed. 'Partners' and 'payments' come next, each with 10 percent.
"The sheer number of credentials available is staggering and in just over the past 1.5 years, we've identified and alerted our customers to some 27 million credentials -- which could directly affect them," says Rick Holland, CISO and VP of strategy at Digital Shadows. "Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere. The message is simple -- consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised."
You can find the full report on the Digital Shadows site.