Dark Reading is part of the Informa Tech Division of Informa PLC

Study Finds 15 Billion Stolen, Exposed Credentials in Criminal Markets

Data is fueling account takeover attacks in a big way, Digital Shadows says.

Cybercriminals looking to hijack online accounts belonging to consumers and organizations have an almost unlimited supply of stolen and exposed credentials they can use to try and facilitate the takeover.

New research by Digital Shadows uncovered a stunning 15 billion credentials circulating on the Dark Web and in underground marketplaces. The compromised credentials from over 100,000 breaches in recent years were associated with a wide range of accounts, including domain administrator accounts, bank and financial accounts, and social media and video-streaming service accounts.

Prices in criminal marketplaces for these credentials ranged from an average of $3,139 for domain admin accounts to $70.91 for bank accounts, $21.67 for account access for antivirus programs, and less than $10 for credentials to adult sites. Usernames and passwords for video game accounts and file-sharing sites were available for less than $2 a pop.

Credentials to high-value accounts — such as bank accounts confirmed to have a certain amount of funds or accounts with privileged access to large enterprise networks and systems — tended to fetch much higher prices. Researchers from Digital Shadows came across dozens of advertisements on underground forums for admin accounts being auctioned to bidders at prices ranging from $500 to $120,000. Many of these premium credentials had usernames — such as "invoice," "invoices," "payments," and "partners" — that suggested they were associated with financial accounts.  

"The cost of accounts can vary on their quality," says Kacey Clark, threat researcher at Digital Shadows. "Vetted, active credentials for a tried-and-tested bank account that include the victim's personal information will be more expensive than a bulk pack of streaming accounts that may or may not be active."

Overall, 25% of the ads for stolen and leaked credentials that Digital Shadows researchers encountered were for banking and other financial accounts. Other popular categories — based on the number of ads for them — included streaming accounts, proxy/VPN accounts, and cable.

"One of the main takeaways from this report [is] the sheer scale of account takeover on the cybercriminal landscape," Clark says. "Cybercriminals target the obvious gold mines of financial or internal company accounts, but they also see value in things like streaming or antivirus accounts."

Online credential theft has emerged as a major problem for consumers and businesses in recent years. Criminals have employed a variety of tactics, including phishing, botnets, credential stuffing, and brute-force attacks, to harvest credentials for online accounts. They have then sold or used the stolen credentials to carry out a range of malicious activity, from initiating fraudulent wire transfers from business accounts to gaining free access to streaming and gaming services.

Mega Breaches, Mega Problems
Recent years have witnessed numerous mega breaches in which tens and even hundreds of millions of credentials belonging to Internet users were compromised. Among the most notable were the Yahoo breaches, which exposed between 500 million and 3 billion records, and one at Facebook last year involving more than 260 million records.

The threat from these breaches has been exacerbated by the tendency among a high percentage of Internet users to reuse the same, and often easy-to-guess, passwords across multiple accounts. Tools such as Sentry MBA and OpenBullet have also made it easier for cybercriminals to quickly test millions of username and password combinations against a site to see whether any of them match, Clark says. So attackers can use credentials obtained from one breach to try to crack open accounts at other services.
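The credential-stuffing pattern described above has a recognizable shape in a login log: one source address trying many different usernames in a short window, with almost every attempt failing and the occasional success marking an actual takeover. The following is an added example, not code from the article or from Digital Shadows, showing that detection logic run over a handful of constructed log lines. The log format (`src=`, `user=`, `result=`) and the thresholds are assumptions chosen for illustration; tune them to your own authentication logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or any real system).
# 203.0.113.7 sprays six different usernames in three seconds and gets one
# success; 198.51.100.4 is a single user fumbling their own password.
SAMPLE_LOG = """\
2021-03-08T05:50:01Z src=203.0.113.7 user=alice result=FAIL
2021-03-08T05:50:01Z src=203.0.113.7 user=bob result=FAIL
2021-03-08T05:50:02Z src=203.0.113.7 user=carol result=FAIL
2021-03-08T05:50:02Z src=203.0.113.7 user=dave result=FAIL
2021-03-08T05:50:03Z src=203.0.113.7 user=erin result=FAIL
2021-03-08T05:50:03Z src=203.0.113.7 user=frank result=OK
2021-03-08T05:50:10Z src=198.51.100.4 user=alice result=FAIL
2021-03-08T05:50:20Z src=198.51.100.4 user=alice result=FAIL
2021-03-08T05:50:30Z src=198.51.100.4 user=alice result=OK
"""

# Assumed log line layout: ISO-8601 timestamp, source IP, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_lines(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, min_fail_ratio=0.8):
    """Flag sources that, within a sliding window, attempt many distinct
    usernames with a high failure rate. Successful logins inside such a
    burst are reported as likely account takeovers.

    Returns {src: {"distinct_users", "attempts", "failures", "takeovers"}}.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()
        for ev in evs:
            recent.append(ev)
            # Drop attempts that fell out of the window.
            while recent and ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            users = {e["user"] for e in recent}
            attempts = len(recent)
            failures = sum(1 for e in recent if e["result"] == "FAIL")
            if len(users) >= min_distinct_users and failures / attempts >= min_fail_ratio:
                takeovers = sorted({e["user"] for e in recent if e["result"] == "OK"})
                prev = alerts.get(src)
                # Keep the widest burst observed for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "attempts": attempts,
                        "failures": failures,
                        "takeovers": takeovers,
                    }
    return alerts


def analyze(text, **kwargs):
    """Convenience wrapper: parse then detect."""
    return detect_stuffing(parse_lines(text), **kwargs)


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} users, "
              f"{info['failures']}/{info['attempts']} failed, "
              f"takeovers={info['takeovers']}")
```

The per-source view catches a single stuffing tool hammering one site; a stuffing operation spread across a proxy pool shows up instead as many sources each making a few attempts, so a production detector should also aggregate by target username and by failure rate site-wide.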

Digital Shadows' research found the number of compromised credentials available to cybercriminals via criminal forums and marketplaces surged 300% from 2018. The vendor estimated that of the 15 billion credentials currently floating about, some 5 billion are unique, meaning they have been advertised just once on criminal forums.

One trend that Digital Shadows observed was a continued increase in the number of marketplaces renting access to compromised accounts for criminals not interested in purchasing or harvesting their own credentials. The security vendor first identified the practice in 2018.

"Account-takeover-as-a-service [ATaaS] can significantly lower the barrier to entry for cybercriminals," Clark says. Just like phishing- and malware-as-a-service, ATaaS gives cybercriminals the ability to rent a digital identity to access specific accounts. "The identity can include fingerprint data, including cookies, IP addresses, credentials, and time zones," she says.

Criminal markets, going by names such as Genesis Market, UnderWorld Market, and Tenebris, give criminals the option of renting access to different account types, including e-commerce, streaming, and social media, sometimes for prices as little as $10 for a specific period.

"These services perform the account takeover operations by using a multitude of tactics" and then rent out access to the compromised account, Clark notes. The ATaaS model is so popular that attackers on underground forums are often desperate to get invitations to these markets, Digital Shadows says.

Organizations can take multiple measures to mitigate their exposure to account-takeover attacks. Among them is monitoring for leaked employee credentials via sites such as "HaveIBeenPwned" and for mentions of the organization or brand on criminal forums, Digital Shadows says. It's also a good idea to monitor code repositories and to watch for leaked customer credentials, the vendor adds.

In addition, implementing requirements for strong passwords is advised, Clark says. "Adding a security layer with multifactor authentication can significantly reduce the likelihood of your account being abused by cybercriminals," she says.
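One concrete way to act on the advice above is to refuse passwords that already appear in the exposed-credential corpus. The following is an added example, not code from the article or from Digital Shadows, implementing the k-anonymity lookup that the Have I Been Pwned "Pwned Passwords" range API uses: the client SHA-1 hashes the password, sends only the first five hex characters of the digest, and compares the returned `SUFFIX:COUNT` lines locally, so the full hash never leaves the machine. The sample range response below is constructed for the example (its counts and the other suffixes are made up), and `fetch_range` is only called when you run the script against the live service; the minimum-length policy in `password_acceptable` is an assumed value, not a recommendation from the article.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint: GET /range/<first 5 hex chars of SHA-1>.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse a range response of 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password, range_body):
    """How many times the password's hash appears in the given range response."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def password_acceptable(password, range_body, min_len=12):
    """Assumed policy for the example: long enough and never seen in a breach."""
    return len(password) >= min_len and exposure_count(password, range_body) == 0


def fetch_range(prefix):
    """Query the live service for one 5-hex-character prefix (network call)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "leaked-password-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """Full client flow: hash locally, send the prefix, compare the suffix locally."""
    prefix, _ = split_hash(password)
    return exposure_count(password, fetch_range(prefix))


def build_sample_range():
    """Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
    The counts and the neighbouring suffixes are invented for the example."""
    _, pw_suffix = split_hash("password")
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{pw_suffix}:3730471",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ])


if __name__ == "__main__":
    sample = build_sample_range()
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {exposure_count(pw, sample)} times, "
              f"acceptable={password_acceptable(pw, sample)}")
```

Run it offline as-is to see the comparison logic; call `check_password_online` when you want the real answer for a candidate password. Because only a 5-character prefix is transmitted, the service learns nothing about which of the several hundred hashes in that range you were interested in.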

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...