Around 15 billion credentials are in circulation in cyber-criminal marketplaces. According to new research from Digital Shadows, a 300% increase in stolen credentials from over 100,000 data breaches in the past two years means there are more than 15 billion credentials in circulation. These include credentials for bank accounts, social media and video streaming services. Of these, more than five billion were assessed to be ‘unique’ – i.e. they have not been advertised more than once on criminal forums.
Rick Holland, CISO and VP of strategy at Digital Shadows, said: “The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them. “Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be reused to compromise accounts used elsewhere.” Many account details are offered free of charge, but of those on sale, the average account trades for $15.43. Bank and financial accounts are the most expensive, averaging at $70.91, however they trade for upwards of $500, depending on the ‘quality’ of the account.
There was also evidence that methods to bypass 2FA were commonly discussed on cyber-criminal forums. In one example, in December 2019, a user on the Russian-language cyber-criminal forum Exploit created a thread to sell a method designed to bypass 2FA systems at a United States-based online bank. They stated that their system would allow seven to nine out of 10 accounts to be accessed without requiring SMS verification, and that they considered their offer to be worth $5000. In an email to Infosecurity, security researcher and speaker Troy Hunt said he was not “overly surprised by the numbers” as he had noticed a lot more credential stuffing lists in circulation recently and just like the pandemic itself, they seem to be replicating at a fierce rate.
“It’s one of those things that’s very easy to propagate and I often see the same data represented in different derivatives, for example, expressed by the domain of the email account or the geographic location of the account holder.” Asked if he felt more accounts were being created due to people working from home and getting more deliveries, Hunt said: “Personally, I think it’s too early to see an impact on credential stuffing lists due to the pandemic. Yes, there’s a lot more people working remotely, but these lists are curations of previous data breaches bundled up and passed around as sources for brute-forcing login pages.
“These lists are also dependent on having passwords accessible in either plain text or with weak cryptographic protection (i.e. MD5 or SHA-1 hashes) which fortunately is becoming increasingly uncommon.” Digital Shadows also observed the growth of ‘account takeover as-a-service’ where, rather than buying a credential, criminals can rent an identity for a given period, often for less than $10.
For this price, the service collects fingerprint data (such as cookies, IP addresses, time zones) from an individual (the target), which makes it considerably easier to perform account takeovers and transactions that go unnoticed. Such is the popularity of these services that users on forums are desperate to acquire invite codes to this market. Holland added: “The message is simple – consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”