Research: 15 Billion Credentials in Circulation for Cybercriminals

When it comes to usernames and passwords, cybercriminals are swimming in a treasure trove.

A 15 billion-strong treasure trove, according to a new study from Digital Shadows.

Research: growing number of account details are on the dark web

In theory, when there's enough of something floating around for every person on earth to have two, there might be too much floating around.

But new research from Digital Shadows makes this idea a reality.

Its recent study, "When Exposure Becomes Game Over," revealed some shocking statistics about account takeover during the last two years.

The organization found a 300% increase in stolen credentials from over 100,000 data breaches.

And those numbers are more alarming when you consider the result of this increase: 15 billion usernames and passwords circulating the dark web for cybercriminals.

What accounts do these credentials connect to? Digitial Shadows says that many connect to video, music streaming, or social media. But bank account details are also common.

How much do stolen credentials sell for on the dark web?

And cybercriminals know that not all accounts are created equal. Check out how they break down "selling" credentials:

"Many account details are offered free of charge but of those on sale the average account trades for $15.43. Unsurprisingly, bank and financial accounts are the most expensive, averaging at $70.91, however they trade for  upwards of $500, depending on the ‘quality’ of the account. In addition to being the most expensive, banking, and financial accounts accounted for 25% of all the advertisements analyzed."

And the accounts that connect to the workplace are even more valuable.

• Usernames with “invoice” or “invoices” were by far the most common advertised and comprise 66% of the 2 million usernames assessed.
• “Partners” and “payments” came in a distant second and third place, both with 10% each.

Accounts claiming to hold "admin access" also sell for a pretty penny:

"[they] are being auctioned to the highest bidder with prices ranging from $500 to $120,000 – with an average $3,139."

How does a dark web marketplace operate?

According to the researches, this cybercriminal activity is starting to look more like ‘account takeover as-a-service.' The research provides the example of Genesis Market:

"...Where rather than buying a credential, criminals can rent an identity for a given period, often for less than $10. For this price, the service collects fingerprint data (such as cookies, IP addresses, time zones) from an individual (the target), which makes it considerably easier to perform account takeovers and transactions that go unnoticed. Such is the popularity of these services that users on forums are desperate to acquire invite codes to this market."

Here's what Rick Holland, CISO and VP of Strategy at Digital Shadows, has to say about the new data:

“The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them. Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere."

The message is simple – consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”

How can you mitigate stolen credential risk?

Researchers also provided advice for those looking to defend their accounts from cybercriminals.

One of the first cybersecurity solutions to fight account fraud is multi-factor authentication. However, criminals are sharing information on getting around it:

"Methods to bypass 2FA are also commonly discussed on cybercriminal forums. In December 2019, for example, one user on the Russian-language cybercriminal forum Exploit created a thread to sell a method designed to bypass 2FA systems at a United States-based online bank.

They stated that their system would allow seven to nine out of 10 accounts to be accessed without requiring SMS verification, and that they considered their offer was worth USD 5,000."

Here are some other best practices that can mitigate this kind of risk:

• Monitor for leaked credentials of your employees.
• Monitor for mentions of your company and brand names across cracking forums.
• Don’t forget other sources. Code repositories can be rich with secrets and hard-coded passwords. 
• Monitor for leaked credentials of your customers, allowing you to take a more proactive response.
• Deploy an online Web Application Firewall.
• Increase user awareness.
• Gain an awareness of credential stuffing tools.
• Some element of 2FA is always better than none but try to phase out multi-factor authentication using SMS. This can help to reduce account takeovers, but make sure this is balanced against the friction (and cost) it can cause.