Recent research into the dark web has revealed a staggering number of identity credentials for sale with more than 15 billion stolen login details available of which 5 billion are said to be unique. Within this context, 'unique' means credentials that have never been advertised more than once on cybercriminal forums.

Many of the account details are being offered free of charge which suggests they were compromised some time ago and have been hawked around different dark web forums. However, those that are on sale go for an average price of $15 USD.

Unsurprisingly, bank and financial accounts are the most expensive averaging $70. That said some are also trading upwards of $500 depending on the quality of the account. This means the account has been accessed and the hackers know how much is sitting in the account. Included within this enormous haul will be dedicated online services such as PayPal. Criminals sell these accounts with full knowledge of how much is in the account as well as instructions on how to take the money out.

So how come so many stolen ID credentials are for sale on the dark web, approximately two for every person on the planet?
  • When ID credentials are stolen in a hack, they are often applied randomly to other online accounts. For instance, an email address and password may have been stolen from a hotel chain. Using bespoke software this email address and password are then automatically applied to other online services such as Amazon, PayPal, loyalty card systems, bank accounts, and more.
  • Cybercriminals know only too well that lots of people use the same ID credentials across multiple accounts so with automated software it is relatively easy for them to get 'hits' for other online services. These ID credentials are then advertised for sale on the dark web.
  • A typical dark web forum might say 100,000 accessible accounts for sale including Netflix, Sony PlayStation, Spotify, and PayPal. The ID credentials for these accounts may easily have come from another hack, such as the hotel chain, mentioned above.
  • It's also set in stone that many of the stolen ID credentials will have come from malware, such as spyware, that has been planted on a user's device such as smartphone, laptop, or desktop.
Identities for rent

Equally chilling is a new type of criminal service for sale in which an individual is targeted, their online identifiers such as cookies, IP addresses, and time zones are collected and then hired out to cybercriminals who then take over the account for a limited period.

The criminals will be targeting high net worth or high profile individuals and this service is proving to be immensely popular in the underground. Those who are renting the service provide 'invite codes' for cybercriminals and these are proving to be much sought after.

Company front door keys for sale

A further discovery was the sale of Active Directory domain admin accounts. It is the most powerful account in a network domain. It essentially provides full access to a company network from databases, servers, email accounts, and files and also includes the ability to create new users, delete users, and change their network permissions.

As far as a cybercriminal is concerned, an Active Directory domain admin is the digital equivalent of the keys to the treasure chest. Is it any wonder then that one of these accounts is on sale for $120,000; which must be a large company with enormous potential for fraud. That said, the average sale price for domain admin credentials were priced at a little over $3,000 suggesting these are small businesses.

What can I do?

Panic would be one option. Practical steps are much more desirable.
  • The best defence against ID credential theft attacks is to use a unique password for each site you have an account with.
  • There are various password management applications that can help you to keep track of all of these details in a secure manner.
  • You can also check whether any of your accounts have been breached using the website Have I Been Pwned.
What about malware?

This is a good point. ID credentials, such as Active Directory domain accounts, are typically filched via malware which is often delivered via phishing emails. These attacks can target hundreds of thousands of computers at the same time.

To protect against malware that steals ID credentials, or any other type of malware, all devices need to be protected. BullGuard provides multi-award protection against the full gamut of malware and can be used on all devices running Windows, Android, and Apple operating systems.

Small business troubles

This level of fundamental protection can be tricky for small businesses that have to protect a relatively large number of devices. Do they use free antivirus protection (not a good idea in the face of today's advanced malware), do they manage each device individually (a time-consuming headache) or do they use a scaled-down enterprise product is invariably far too complex for a small business?

BullGuard Small Office Security is the answer. Designed specifically for small businesses all protected computers, including laptops and smartphones, are managed centrally via a cloud dashboard. This means updates are pushed out simultaneously to all devices, single devices can be isolated, and devices can also be remotely shut down and wiped if lost or stolen. It provides a lot more, dedicated small business functionality. You can find out more here.

What if I’ve already been hacked?

You’ll only find out when it’s too late, for instance, if your ID credentials are used for some type of fraud. That said BullGuard Premium Protection safeguards your ID credentials and any other information you wish to protect. It scans the internet and thousands of dark web sites 24/7 on the alert for the information you have chosen to protect like an ever-watchful guardian. Should any of your details appear on the internet, you will receive an immediate alert allowing you to take the necessary protective steps.

Am I among the billions?

Fifteen billion ID credentials for sale is a sobering figure. However, it probably includes credentials from ‘old’ hacks such as the 2016 Yahoo attack which saw the theft of 3 billion customer details, 360 million user accounts in the 2013 MySpace hack, and 500 million customer details between 2014 and 2018 from Marriot International. That said 5 billion unique ID credentials are alarming and it probably means there are many as yet 'undiscovered' hacks.