Study Finds 15 Billion Stolen, Exposed Credentials in Criminal Markets

Data is fueling account takeover attacks in a big way, Digital Shadows says.

Cybercriminals looking to hijack online accounts belonging to consumers and organizations have an almost unlimited supply of stolen and exposed credentials they can use to attempt the takeover.

New research by Digital Shadows uncovered a stunning 15 billion credentials circulating on the Dark Web and in underground marketplaces. The compromised credentials from over 100,000 breaches in recent years were associated with a wide range of accounts, including domain administrator accounts, bank and financial accounts, and social media and video-streaming service accounts.

Prices in criminal marketplaces for these credentials ranged from an average of $3,139 for domain admin accounts to $70.91 for bank accounts, $21.67 for account access for antivirus programs, and less than $10 for credentials to adult sites. Usernames and passwords for video game accounts and file-sharing sites were available for less than $2 a pop.

Credentials to high-value accounts — such as bank accounts confirmed to have a certain amount of funds or accounts with privileged access to large enterprise networks and systems — tended to fetch much higher prices. Researchers from Digital Shadows came across dozens of advertisements on underground forums for admin accounts being auctioned to bidders at prices ranging from $500 to $120,000. Many of these premium credentials had usernames — such as "invoice," "invoices," "payments," and "partners" — that suggested they were associated with financial accounts.  

"The cost of accounts can vary on their quality," says Kacey Clark, threat researcher at Digital Shadows. "Vetted, active credentials for a tried-and-tested bank account that include the victim's personal information will be more expensive than a bulk pack of streaming accounts that may or may not be active."

Overall, 25% of the ads for stolen and leaked credentials that Digital Shadows researchers encountered were for banking and other financial accounts. Other popular categories — based on the number of ads for them — included streaming accounts, proxy/VPN accounts, and cable.

"One of the main takeaways from this report [is] the sheer scale of account takeover on the cybercriminal landscape," Clark says. "Cybercriminals target the obvious gold mines of financial or internal company accounts, but they also see value in things like streaming or antivirus accounts."

Online credential theft has emerged as a major problem for consumers and businesses in recent years. Criminals have employed a variety of tactics, including phishing, botnets, credential stuffing, and brute-force techniques, to harvest credentials for online accounts. They have then sold or used the stolen credentials to carry out a variety of malicious activities, from initiating fraudulent wire transfers from business accounts to gaining free access to streaming and gaming services.

Mega Breaches, Mega Problems
Recent years have witnessed numerous mega breaches where tens and even hundreds of millions of credentials belonging to Internet users have been compromised. Among the most notable was one involving Yahoo, where between 500 million and 3 billion records were exposed, and one at Facebook last year, involving over 260 million records.

The threat from these breaches has been exacerbated by the tendency among a high percentage of Internet users to use the same — and often easy-to-guess — passwords across multiple accounts. Tools such as Sentry MBA and OpenBullet have also made it easier for cybercriminals to quickly test millions of username and password combinations to see whether there's a match, Clark says. So attackers can use credentials obtained from one breach to try and crack open other accounts.

Digital Shadows' research found the number of compromised credentials available to cybercriminals via criminal forums and marketplaces surged 300% from 2018. The vendor estimated that of the 15 billion credentials currently floating about, some 5 billion are unique, meaning they have been advertised just once on criminal forums.

One trend that Digital Shadows observed was a continued increase in the number of marketplaces renting access to compromised accounts for criminals not interested in purchasing or harvesting their own credentials. The security vendor first identified the practice in 2018.

"Account-takeover-as-a-service [ATaaS] can significantly lower the barrier to entry for cybercriminals," Clark says. Just like phishing- and malware-as-a-service, ATaaS gives cybercriminals the ability to rent a digital identity to access specific accounts. "The identity can include fingerprint data, including cookies, IP addresses, credentials, and time zones," she says.

Criminal markets, going by names such as Genesis Market, UnderWorld Market, and Tenebris, give criminals the option of renting access to different account types, including e-commerce, streaming, and social media, sometimes for prices as little as $10 for a specific period.

"These services perform the account takeover operations by using a multitude of tactics" and then rent out access to the compromised account, Clark notes. The ATaaS model is so popular that attackers on underground forums are often desperate to get invitations to these markets, Digital Shadows says.

Organizations can take multiple measures to mitigate their exposure to account-takeover attacks. Among them is monitoring for leaked employee credentials via sites such as "HaveIBeenPwned" and for mentions of the organization or brand on criminal forums, Digital Shadows says. It's also a good idea to monitor code repositories and to watch for leaked customer credentials, the vendor says.

In addition, implementing requirements for strong passwords is advised, Clark says. "Adding a security layer with multifactor authentication can significantly reduce the likelihood of your account being abused by cybercriminals," she says.
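Checking passwords against HaveIBeenPwned does not require sending the password itself: the Pwned Passwords range endpoint takes the first five hex characters of the password's SHA-1 and returns every matching 35-character suffix with its breach count, so the comparison happens on the client. The following is an added example, not Digital Shadows' or HaveIBeenPwned's code; it implements that client-side check against a constructed, offline stand-in for the range response (`_constructed_range_fetcher`), so it runs without network access.

```python
import hashlib
from typing import Callable


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the
    service and the 35-char suffix that never leaves the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}.
    Malformed lines are skipped; a count of 0 marks a padding entry, which the
    service adds when the client asks for padding to hide the true range size."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 = not found).
    fetch_range(prefix) is any callable returning the raw range body; in
    production that is an HTTPS GET of api.pwnedpasswords.com/range/<prefix>."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def _constructed_range_fetcher(prefix: str) -> str:
    """Offline stand-in for the range endpoint. The suffixes and counts below
    are constructed for this example, not real service output; only the entry
    for 'password' is derived from its real SHA-1 so the lookup resolves."""
    known_prefix, known_suffix = sha1_prefix_suffix("password")
    if prefix != known_prefix:
        return "0123456789ABCDEF0123456789ABCDEF012:0\n"   # padding-only range
    return "\n".join([
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        f"{known_suffix}:3861493",
        "1E2AAA439972480CEC7F16C795BBB429372:0",          # padding entry
    ])


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2020!"):
        n = breach_count(candidate, _constructed_range_fetcher)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in corpus'}")
```

A non-zero count is a signal to reject or force a reset of that password; the suffix comparison means the service only ever learns a 5-character hash prefix shared by many thousands of passwords.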

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
