TitanHQ Blog

The Underground Market for Stolen Personal Data is Booming

Posted by Geraldine Hunt on Mon, Jan 27th, 2020

More and more criminals are gaining access to large amounts of stolen personal data at ever-cheaper prices. Gaining access to this data is not difficult which is why there’s so much stolen data available. The average going price for stolen credentials tied to popular e-commerce and banking sites is a mere $15.  Even a credit card number with its corresponding CVV only goes for $12, oftentimes even less.  The price goes up to $25 for credit card data that is paired with the cardholder’s date of birth and bank identity number.  While your individual credentials may not be worth all that much, the possible damage that can result to you financially can be hefty.

The Supply of Stolen Credentials is Mindboggling

A 2017 study conducted by Google and the University of California Berkeley found that billions of usernames and passwords are at risk.  The involved research team tracked several black markets that sold stolen credentials. These credentials were compromised through data breaches as well as some 25,000 hacking tools.  Deeper analysis showed that 788,000 credentials were stolen via keyloggers, 12 million credentials through phishing and 3.3 billion through third-party data breaches.   Keep in mind this data is more than 2 years old.

In February 2019, more than 617 million online account details stolen from 16 hacked websites were being sold for less than $20,000 in Bitcoin according to an article in Forbes Magazine.  Says one cybersecurity analyst, stolen usernames and passwords are “traded like Pokémon cards.” 

Current Prices for Stolen Credentials

For those who access the dark web, shopping for stolen credentials has truly become a retail-like experience.  According to Brian Krebs from KrebsonSecurity.com, credentials are being sold in retail like fashion.  These retail sites list the involved website, the sale price and current inventory on hand.  Actual examples of what you can find from one of these sites include the following:






By the way, we only included the biggest names from the A’s.  Many of these sites sell more than just credentials.  For instance, you can purchase someone’s identity.  The identities of these unknowing victims are even indexed according to FICO score.  An identity with a near-perfect score above 840 can go for $150.  Full credit reports are also for sale on millions of Americans from all three credit bureaus.  These go for as little as $35.  You can even purchase diplomas for $100-$400.  Passports are the real prize, garnering as much as $2,000.

A number of factors determine prices for stolen credentials.  These include:

  • The type of data it is
  • The supply and demand of that data at the time
  • The amount of time that has transpired since when the credential was stolen
  • The available balance of the accounts

Automated Credential Shops

The introduction of “automated shops” provided a convenient marketplace for stolen credentials.   Think of them as an eBay or Amazon retailer in which the smallest of independents can sell their goods to the world through a single global retailer.  These automated shops give cybercriminals a means to sell the credentials they steal.  Stealing credentials today does not require extensive cyber or programming experience.  Low-level cybercriminals can purchase credential-stealing kits for $550 on the dark web, a nominal fee that can produce a return of 20 times the initial investment.   The automated shops charge a 10 to 15 percent commission for each sale and provide customer and vendor support.  They will even help resolve transaction disputes.  Welcome to the digital transformation of cybercrime.

The Retail Process for Stolen Credentials

In the same that there are established processes that retail products go through from the time they are manufactured to the point at which a consumer might purchase it from a first level retailer, or a discount store months later, stolen credentials go through a defined process as well in order to reach these automated stores.  The first step in the chain is an inventory of the data. 

Hackers that manage large-scale bot networks or implement data breaches will sort through their log files to determine what type of data they have recently captured.  They then correlate this data in order to package personal information in order to complete data profiles.  Stolen credentials that can be appended with names, addresses, phone numbers, email addresses, etc. are more valuable.

High-value data such as the personal data of government workers or military personnel are set aside.  These personal data packages are then sold as profiles while unmatched credentials are sold.   Eventually, the compromising of these accounts is discovered, making most of them worthless.   Stolen credentials that have some age on them are repackaged into bulk lists and can be sold at cut-rate prices for years. 

Why Layered Security is More Important Now Than Ever

As you can see, the selling of stolen credentials is a serious business.  That is why all companies, organizations, and individuals must take cybersecurity seriously.  It makes sense to be proactive about data security and avoid a breach in the first place.  The key is to take a multi-layered approach, as there is no one solution to cybersecurity.

Your organization is under constant and unpredictable threats of attack.  Cybercriminals aren’t going away. Their methods are getting increasingly sophisticated as they evolve to meet new security solutions and standards.  As malware writers change their techniques to evade detection, layered security becomes more important than ever to lower the probability of a successful attack and stop an attack even if one component of your defenses fail.

Implementation isn't always simple, it requires planning and expertise.  Relying on a single security layer is no longer wise in today’s threat landscape. Organizations need to focus on the data they are protecting and build layers of security around it. Your clients and your bottom line will thank you.

Never Miss a Blog Post

Sign-up for email updates...

Start Free Trial Request Demo

Talk to a Trusted Security Advisor

Call us on USA +1 813 304 2544 or IRL +353 91 545555

Contact Us