A new report has revealed the true extent of stolen account logins to be found circulating on the dark web amongst cybercriminals. The Digital Shadows Photon Research team has spent 18 months auditing criminal forums and marketplaces across the dark web and found that the number of stolen usernames and passwords in circulation has increased by 300% since 2018. There are now more than 15 billion of these stolen credentials, from 100,000 data breaches, available to cybercrime actors. Of this number, some 5 billion are said to be unique, with no repeated credential pairs. The “From Exposure to Takeover” report warns that there’s a “treasure trove of account details” available in cybercrime markets. The 15 billion stolen account logins include credentials, usernames and password pairs, for online banking, social media accounts, and music streaming services. To put it another way, that’s the equivalent of two sets of account logins for every man, woman, and child on the planet.
Reports like this demonstrate how login details from one data breach can be used to access accounts on other sites and services. This puts added emphasis on my constant recommendation to never use a password on more than one account. Unique passwords help ensure that bad guys will not be able to access your checking account simply because they have your Hulu password.
I also strongly suggest users implement two-factor authentication (2FA) for their accounts whenever it is available. The added requirement of an extra piece of information (such as codes sent via text or email or that are generated by a second app or security fob) or a biometric identification such as a fingerprint or facial identification. Both of these add an additional and important layer of protection for accounts.
The report demonstrates why it\’s important to never reuse passwords across multiple accounts. Given that most of us have dozens of online accounts, it\’s best to assume at least one has been compromised and the password leaked. Cybercriminals will use that same password and username or email combination to attempt logins on other accounts, an attack known as credential stuffing. Always use unique passwords for each account and use a password manager if you have trouble memorizing them all. Check Have I Been Pwned to see if your email was included in any known data breaches, and be sure to change passwords on those accounts. Enable two-factor authentication wherever possible to prevent unauthorized access even if the attacker has your password.
The dark web is notoriously easy to navigate and inexpensive personal information including passwords and bank details can be found in just a few clicks even for the inexperienced. Although it’s sad to think that our personal data will inevitably end up for sale, it is somewhat safer to assume it could which in turn may force users to make changes to their data habits.
The current advice on passwords is that if they are all unique and long, then you should try and change them all once a year. If you are using a password manager this can be a rather simple task which helps you stay in control of your accounts and stay more secure. If passwords are convenient to the user, they are usually even more convenient to a hacker.
Making changes to your financial details isn’t so straightforward to edit so it is worth checking your banking apps daily to monitor for any unusual activity.
We have been watching the number of stolen credentials rise for over 20 years now, we should not be surprised that we have finally eclipsed the 15 billion credentials number. Concerns are also heightened during a time when many people are still working remotely under lockdown, which presents a field day for hackers of all types, as digital customers are a prime target for cyber-attacks. Now more than ever, users should understand that using a single form of authentication such as a password or SMS text or a knowledge-based question and answer, is open to compromise. The web and mobile applications as well as the platforms they run on have numerous holes and backdoors which allow hackers to easily attack using these credentials.
Technologies such as multi-factor authentication can help protect the stolen credentials, while technologies such as application shielding can help protect the applications from being attacked. These technologies help strengthen security on the consumer side, but banks can help protect their customers as well by ensuring their risk analytics technologies are up to date and are checking real-time transactions across all applications and channels, looking for anomalies and patterns that are the hallmark of an attack. Hackers have all the information they need to attack billions of users today, but consumers and financial institutions can make things more difficult if the correct technologies are applied.