Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:50 PM
Connect Directly

Study Finds 15 Billion Stolen, Exposed Credentials in Criminal Markets

Data is fueling account takeover attacks in a big way, Digital Shadows says.

Cybercriminals looking to hijack online accounts belonging to consumers and organizations have an almost unlimited supply of stolen and exposed credentials they can use to try and facilitate the takeover.

New research by Digital Shadows uncovered a stunning 15 billion credentials circulating on the Dark Web and in underground marketplaces. The compromised credentials from over 100,000 breaches in recent years were associated with a wide range of accounts, including domain administrator accounts, bank and financial accounts, and social media and video-streaming service accounts.

Prices in criminal marketplaces for these credentials ranged from an average of $3,139 for domain admin accounts to $70.91 for bank accounts, $21.67 for account access for antivirus programs, and less than $10 for credentials to adult sites. Usernames and passwords for video game accounts and file-sharing sites were available for less than $2 a pop.

Credentials to high-value accounts — such as bank accounts confirmed to have a certain amount of funds or accounts with privileged access to large enterprise networks and systems — tended to fetch much higher prices. Researchers from Digital Shadows came across dozens of advertisements on underground forums for admin accounts being auctioned to bidders at prices ranging from $500 to $120,000. Many of these premium credentials had usernames — such as "invoice," "invoices," "payments," and "partners" — that suggested they were associated with financial accounts.  

"The cost of accounts can vary on their quality," says Kacey Clark, threat researcher at Digital Shadows. "Vetted, active credentials for a tried-and-tested bank account that include the victim's personal information will be more expensive than a bulk pack of streaming accounts that may or may not be active."

Overall, 25% of the ads for stolen and leaked credentials that Digital Shadows researchers encountered were for banking and other financial accounts. Other popular categories — based on the number of ads for them — included streaming accounts, proxy/VPN accounts, and cable.

"One of the main takeaways from this report [is] the sheer scale of account takeover on the cybercriminal landscape," Clark says. "Cybercriminals target the obvious gold mines of financial or internal company accounts, but they also see value in things like streaming or antivirus accounts."

Online credential theft has emerged as a major problem for consumers and businesses in recent years. Criminals have employed a variety of tactics including phishing botnets, credential stuffing, and brute-force techniques to harvest credentials to online accounts. They have then sold or used the stolen credentials to carry out a variety of malicious activity, from initiating fraudulent wire transfers from business accounts to gaining free access to streaming and gaming services. 

Mega Breaches, Mega Problems
Recent years have witnessed numerous mega breaches where tens and even hundreds of millions of credentials belonging to Internet users have been compromised. Among the most notable was one involving Yahoo, where between 500 million and 3 billion records were exposed, and one at Facebook last year, involving over 260 million records.

The threat from these breaches has been exacerbated by the tendency among a high percentage of Internet users to use the same — and often easy-to-guess — passwords across multiple accounts. Tools such as Sentry MBA and OpenBullet have also made it easier for cybercrminals to quickly test millions of username and password questions to see whether there's match, Clark says. So attackers can use credentials obtained from one breach to try and crack open other accounts.

Digital Shadows' research found the number of compromised credentials available to cybercriminals via criminal forums and marketplaces surged 300% from 2018. The vendor estimated that of the 15 billion credentials currently floating about, some 5 billion are unique, meaning they have been advertised just once on criminal forums.

One trend that Digital Shadows observed was a continued increase in the number of marketplaces renting access to compromised accounts for criminals not interested in purchasing or harvesting their own credentials. The security vendor first identified the practice in 2018.

"Account-takeover-as-a-service [ATaaS] can significantly lower the barrier to entry for cybercriminals," Clark says. Just like phishing- and malware-as-a-service, ATaaS gives cybercriminals the ability to rent a digital identity to access specific accounts. "The identity can include fingerprint data, including cookies, IP addresses, credentials, and time zones," she says.

Criminal markets, going by names such as Genesis Market, UnderWorld Market, and Tenebris, give criminals the option of renting access to different account types, including e-commerce, streaming, and social media, sometimes for prices as little as $10 for a specific period.

"These services perform the account takeover operations by using a multitude of tactics" and then rent out access to the compromised account, Clark notes. The ATaaS model is so popular that attackers on underground forms are often desperate to get invitations to these markets, Digital Shadows says.

Organizations can take multiple measures to mitigate their exposure to account-takeover attacks. Among them is the need to monitor for leaked employee credentials via sites such as "HaveIBeenPwned" and for mentions of the organization or brand on criminals forums, Digital Shadows. It's also a good idea to monitor code repositories and for leaked customer credentials the vendor.

In addition, implementing requirements for strong passwords is advised, Clark says. "Adding a security layer with multifactor authentication can significantly reduce the likelihood of your account being abused by cybercriminals," she says.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We are really excited about our new two tone authentication system!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-01
HCL iNotes is susceptible to a sensitive cookie exposure vulnerability. This can allow an unauthenticated remote attacker to capture the cookie by intercepting its transmission within an http session. Fixes are available in HCL Domino and iNotes versions 10.0.1 FP6 and 11.0.1 FP2 and later.
PUBLISHED: 2020-12-01
HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.
PUBLISHED: 2020-12-01
ManageOne versions,,,, ,, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the plug-in component. Due to insufficient input validation of ...
PUBLISHED: 2020-12-01
Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection vulnerability. An authenticated, remote attacker can craft specific request to exploit this vulnerability. Due to insufficient verification, this could be exploited to cause the attackers to obtain higher privilege.
PUBLISHED: 2020-11-30
Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & <jira-installation>/jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The ...