It seems that a few months cannot pass without some company or another reporting that login data has been stolen from their care. Those details, which comprise email addresses, usernames and passwords, among other personally-identifying info, have to end up somewhere. And that somewhere is the dark web, where they’re being sold.
And the number of login details up for sale is not insubstantial. Cybersecurity firm Digital Shadows says that, according to the company’s research, there are more than 15 billion logins for sale, the product of more than 100,000 data breaches. Of these, some five billion are unique. But they’ve all got one thing in common – they have value.
Your mileage may vary
Though the value may also vary. Some login details, such as those related to online banking accounts, are being sold for up to $70 (R1,100, or the price of a PS5 game), while other, lesser accounts are going for anywhere down to R20. Popular accounts include those for antivirus programs and video game accounts. But don’t expect to rock up and pick up an account you’ve had your eye on for ages – they’re not usually that organized.
Usually. Some accounts, such as those belonging to company system administrators or government logins, can fetch a far larger sum. They’re typically sold at auction, fetching anywhere from $3,150 to $140,000. We’d imagine they’re being used to commit crimes of one sort or another – there’s probably not much of a market for valuable login collections. Besides, how would you display them?
Would you like to know more?
Are you likely to be in the collection of stolen credentials being peddled online? Odds are, if you’ve ever found out that your email address has been compromised on Have I Been Pwned, you are. But it’s what you’ve done afterwards that really matters.
Setting up 2FA (two-factor authentication), practicing basic data security like using a password manager instead of the same password for every… bloody… account… and changing your passwords when a breach occurs goes a long way. And if you’re the subject of a suspicious email from inside your company from someone asking for information they should already have, perhaps… pick up the phone and check with them before replying with the logins to the server? Maybe?
Source: Business Insider