- Stolen credentials are sold by the billions today, as we have about 185 data breaches per day.
- Almost one-third of the stolen credentials are unique pairs that aren’t used anywhere else.
- Hacking people’s accounts is becoming more streamlined, easier, cheaper, and more profitable.
Digital Shadows has been collecting data over the past 18 months, trying to figure out the scale of the business that is set up around the bartering of stolen user credentials. What they have found is not unexpected, but the numbers are presenting an unprecedented scale of operations. In total, there are over 15 billion credentials in circulation out there, which is 300% up compared to what was going on back in 2018. These credentials come from 100,000, or potentially even more individual data breaches, which is another way of saying that the whole situation is out of control and that data security is just an illusion.
With the average person having accounts on 191 online services, it is natural to see many duplicates in there. People are reusing their passwords or passphrases across a set of websites and services, so this is to be expected. However, 5 billion out of the total 15 billion are unique credentials.
Other interesting stats given in the report include the following:
- Bank and financial accounts are sold for an average of $70.91 per piece.
- “Regular” credentials are sold for an average of $15.43, while many are shared for free.
- AV accounts are sold for around $21.67, while media streaming, VPN, and social media accounts are traded for less than $10.
- Access to compromised company networks is sold for an average of $3,139, and up to $120,000.
- About two million accounting email addresses are compromised, and actors are using them for phishing and BEC operations.
- Hacking and taking over someone’s account costs an average of $4 (for brute forcers).
- “Sentry MBA” remains the most popular credential stuffing tool, while “OpenBullet” is a rising star.
- Fingerprint markets like the “Genesis Market” are on the rise.
- The sector with the most breached credentials is that of technology (31%) because it can serve as a pivot point.
There’s a clear conclusion that can be drawn from the above, and this is that hacking accounts and cracking protection systems like 2FA have now become an industrialized process. It takes place in an egregious scale that leaves no one untouched. Not finding yourself in one of the 100,000 breaches is statistically improbable. At the same time that the most skillful and notorious hacker groups are focusing their efforts on big companies, there are swarms of not so tech-savvy actors who are infesting every little piece of the internet, looking for low-hanging fruits.