Researchers at Digital Shadows warn that there are more than 15 billion leaked login credentials for sale in online criminal marketplaces. This number is up 300% since 2018, and the researchers say the credentials come from more than 100,000 separate data breaches. Additionally, more than 5 billion of the username/password pairs are unique.
The researchers analyzed the pricing of these credentials on underground forums, and found that bank account logins fetch the highest prices for an individual account, with an average cost of just under $71. Antivirus logins came in second, averaging $21.67. The most expensive logins, however, are the ones that claim to offer access to an organization’s entire network.
“We’ve also seen some criminal advertisements for domain administrator accesses (login details, credentials or sensitive files from an organization or individual’s machine, used to access systems/infrastructure, data, bank accounts, and/or other accounts),” the researchers say. “This takes the conversation from ‘simple’ account compromise to complete network compromise, and we’ve seen these accesses sold or auctioned for an average of $3,139 and up to $140,000. The data may not always be valid, but just the concept of a large corporation or government network administrator’s access being sold on criminal marketplaces is, to say the least, unnerving.”
Online services should never store users’ passwords in plaintext, but Digital Shadows found that more than 80% of the passwords being sold by criminals are in plaintext. The researchers conclude that the passwords were either stored in plaintext originally, or they were stored using a weak hashing algorithm which allowed criminals to obtain the plaintext versions. This conclusion is supported by the fact that of the passwords for sale that were in a hashed format, more than 80% used MD5 or SHA1 hashing algorithms, both of which can be easily cracked.
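The point about MD5/SHA1 hashes being plaintext-equivalent, and what proper storage looks like instead, as an added Python example (not from the Digital Shadows report). The "dump" and user names are constructed here; the storage format `scrypt$salt$digest` is an illustrative choice, not any particular product's scheme.

```python
import hashlib
import hmac
import os

# Constructed sample "dump": unsalted MD5 digests of a few common passwords,
# standing in for the plaintext-equivalent hashes the report describes.
# Not real leaked data; the values are computed from the sample strings.
SAMPLE_MD5_DUMP = {
    "alice@example.com": hashlib.md5(b"password123").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"password123").hexdigest(),
}
COMMON_PASSWORDS = ["123456", "password123", "qwerty", "letmein"]


def exposure_unsalted_md5(dump, common):
    """Breach triage for an unsalted-MD5 dump: one precomputed table of
    common passwords maps digests straight back to plaintext, and every
    account sharing a password shares a digest, so one hit exposes all."""
    table = {hashlib.md5(p.encode()).hexdigest(): p for p in common}
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a password as per-user salt + scrypt output (memory-hard KDF).
    Hex fields joined by '$' so the record fits one text column."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, _digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False  # refuse legacy/unknown schemes rather than guess
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get unrelated stored records, so a
    cracked record says nothing about the other (unlike the MD5 dump above)."""
    return hash_password(password) != hash_password(password)
```

Running `exposure_unsalted_md5(SAMPLE_MD5_DUMP, COMMON_PASSWORDS)` recovers all three sample accounts from a four-word list, which is the "easily cracked" case; the scrypt records cannot be mapped back with a shared table.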
The researchers also describe a number of tools used by criminals that illustrate how easy it is to automate account takeover methods.
“Just gaining access to accounts that have reused credentials is not always the end goal,” the researchers write. “These accesses can be used as pivot points to access even more sensitive information. Take, for example, the Cre3dov3r tool, which searches for public leaks related to any specified email address; if passwords are identified, the tool checks seven popular websites—including GitHub and Stackoverflow—to see if the credentials are valid or whether CAPTCHA is blocking access.”
Using unique, complex passwords with a password manager is always recommended, since it will minimize the damage if attackers steal the credentials to one of your accounts. Multi-factor authentication should also be used wherever possible to make it harder for attackers to log into an account even if they have the credentials. New-school security awareness training can teach your employees the importance of following security best practices to protect their accounts.
Digital Shadows has the story: https://resources.digitalshadows.com/whitepapers-and-reports/from-exposure-to-takeover