
15B credentials available on dark web; average selling price below $16

There are more than 15 billion stolen account credentials being sold or even shared for free on the dark web, with individual entries selling for an average of $15.43, a new research report states.

Roughly one-third of the credentials, or about 5 billion, are unique, according to Digital Shadows, whose researchers reached these totals following an analysis of two-and-a-half years of advertised account credentials found across nine active and defunct dark web marketplaces.

Of the various categories of stolen credentials, bank and financial account passwords were found to be the most expensive -- advertised on the dark web for an average of $70.91, with some prices set upwards of $500.

Those seeking to score admin credentials for the purpose of a corporate account takeover (ATO) must pay an especially high premium. These privileged accounts cost an average of $3,139 but can go as high as $140,000.

Cybercriminals who don't want to spend too much or harvest credentials themselves have the option of renting compromised accounts via ATO-as-a-service offerings for $10. Meanwhile, tools to crack accounts, including brute-force tools and account checkers, are being advertised for as little as $4, the report notes.

Digital Shadows says the total number of credentials available for account takeovers comes from approximately 100,000 separate breaches. Additional details can be found in the report and Digital Shadows' corresponding blog post and press release.

"The sheer number of credentials available is staggering..." said Rick Holland, CISO and VP of strategy at Digital Shadows. "Some of these exposed accounts can have, or have access to, incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere. The message is simple: Consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
