Hacker Forums Contain Over 15 Billion Stolen Credentials

A new report from data loss detection specialists Digital Shadows has revealed the sheer scale of stolen user credentials available online for potential misuse.

According to Digital Shadows, there are at least 15 billion stolen user credentials currently circulating on various hacker forums. This gives hackers and cybercriminals access to a huge amount of data when they are carrying out account takeover attacks or identity renting services.

Besides hosting stolen data, hacker forums are known to offer hacking tips and lessons for criminals, and last year it emerged that APT41, one of the most effective hacking teams backed by the Chinese government, was advertising its cyber crime services for cash on forums.

Stolen credentials

But now Digital Shadows has been able to put a number on the amount of data that has been stolen via data breaches and cyber security incidents over the years.

“The average person uses some 191 services that require them to enter passwords or other credentials,” said the data loss firm. “That’s a lot to keep on top of, and it presents a huge problem if compromise occurs, particularly if a person uses the same credentials across multiple services.”

“Over the past 18 months the Digital Shadows Photon Research team has been analysing how cybercriminals conspire to prey upon users of online services by “taking over” the accounts they all use on an everyday basis – for banks, to stream videos or music, for work – the list goes on,” Digital Shadows said.

The firm said the stolen credentials stems from more than 100,000 data breaches and over five billion of them are unique.

According to Bleepingcomputer.com, most of these stolen credentials are from consumers, hacker forums also contain advertisements for corporate accounts that unlock key systems.

It reported that login pairs from accounts for non-financial services (cable, social media, streaming, VPN services, file sharing, video games, adult) are the cheapest and cybercriminals give away many of them. Those for sale have an average price of $15.43.

From advertisements analysed by Digital Shadows, one in four offers accounts related to banking and other financial services. These are priced higher at $70.91 each on average.

However, a confirmed balance for an online banking account, availability of personally identifiable information, and credential freshness can reportedly drive the price up to $500.

No surprise

A security expert has said it should come as no surprise about the amount of data cyber criminals have access to online.

“We have been watching the number of stolen credential rise for over 20 years now, we should not be surprised that we have finally eclipsed the 15 billion credentials number,” noted Will LaSala, director of Security Solutions at OneSpan.

“Concerns are also heightened during a time when many people are still working remotely under lockdown, which presents a field day for hackers of all types, as digital customers are a prime target for cyber-attacks,” said LaSala.

“Now more than ever, users should understand that using a single form of authentication such as a password or SMS text or a knowledge based question and answer, is open to compromise,” said LaSala. “The web and mobile applications as well as the platforms they run on have numerous holes and backdoors which allow hackers to easily attack using these credentials.”

“Technologies such as multi-factor authentication can help protect the stolen credentials, while technologies such as application shielding can help protect the applications from being attacked,” said LaSala.

“These technologies help strengthen security on the consumer side, but banks can help protect their customers as well by ensuring their risk analytics technologies are up to date and are checking real-time transactions across all applications and channels, looking for anomalies and patterns that are the hallmark of an attack,” he said.

“Hackers have all the information they need to attack billions of users today, but consumers and financial institutions can make things more difficult if the correct technologies are applied,” LaSala concluded.

Do you know all about security? Try our quiz!