More than 15 billion stolen account credentials are up for grabs on cybercrime forums, with 5 billion of them considered unique, meaning that they haven’t been offered for sale more than once, according to research by Digital Shadows.

The usernames and passwords found on cybercriminal marketplaces, especially on the dark web, come from over 100,000 separate data breaches and include access credentials for financial accounts and streaming services, and even for admin accounts providing access to organizations’ key systems.

The researchers spent a year and a half analyzing the tactics that crooks use to exploit pilfered account information and found that the amount of misappropriated credentials has risen by 300% since 2018.

Most of the stolen login information belongs to consumers and while many are often offered for free, those that do go on sale have an average asking price of approximately US$15 per account. However, depending on the type of access they provide the price might go up or down, with financial and banking accounts commanding the highest price – US$70 a pop. The rest, typically streaming media accounts, social media and other services, can be purchased for under US$10.

Consumers are just the tip of the iceberg; perpetrators have their eyes on bigger fish they’d like to fry. Accounts that could allow them to infiltrate the critical systems of an organization are auctioned and can fetch an average price of over US$3,100; the most valuable have been known to go for US$120,000. That said, Digital Shadows noted that it "cannot confirm the validity of the data that the vendors purport to own".

Still, the price might not come as a surprise, since compromising a whole company network could yield information that can be sold off or held for ransom, ultimately paying out much more than the initial 'investment'.

RELATED READING: Cybercrime black markets: Dark web services and their prices

How are all those credentials acquired, anyway? As the report points out, there is the straightforward option of hacking a company database and stealing the data, but there are also methods that require less effort.

These include harvesting them using phishing campaigns, as well as compromising machines with malware, such as keyloggers, or buying the login information from marketplaces or using credentials that are offered on forums for free. But there is still one more option.

Dark Shadows says that they have observed the emergence of markets that are offering account takeover as a service; in this case, instead of buying account credentials, criminals are renting an identity for a limited amount of time. “Such is the popularity of these services that users on forums are desperate to acquire invite codes to this market,” the company adds.

How to protect yourself?

There are multiple steps you can take to mitigate the risk of having your usernames and passwords stolen:

  • Don’t recycle your passwords across multiple services; you should use a strong and unique password for each of your online accounts – which is precisely where a password manager can come in handy.
  • Start using multi-factor authentication, which is the easiest way to add an extra layer of security to your account.
  • If a service you use has been breached, immediately change your password across all the services you use it for and perhaps check if you use a variation of it on other services and change those as well. You can also set up a password breach alert, such as the one offered by Chrome’s Password Checkup or you can run a similar check using dedicated services.
  • Watch out for phishing attempts, don’t click on links or attachments that seem suspicious.
  • Use a reputable security solution.