Research just out by Digital Shadows has shown the size of the security problem consumers now face, as revealed 15 billion usernames & passwords stolen in over 100,000 different data breaches!
15 billion
Over 15 billion username & password credentials to online digital services, including bank & social media accounts, are now ‘quite openly’ for sale on the dark web & this is 3 times the amount available to cyber criminals just 2 years ago, this according to the latest research by risk prevention experts Digital Shadows.
Compromised
Bottom of FormThis is the same as over 2 compromised accounts for every human on earth, & is caused by around 100,000 different data breaches, commented Digital Shadows. It estimated that more than 5 billion of the credentials sets it found were “unique”, meaning they had not been advertised more than just the once on the cyber-criminal network, & were therefore considered more valuable.
“The sheer number of credentials available is staggering,” observed Rick Holland, CISO & Vice-President of Strategy at Digital Shadows. “In just the past 1.5 years, we’ve identified & alerted our customers to some 27 million credentials which could directly affect them.
Sensitive
“Some of these exposed accounts can have, or do have, access to really incredibly sensitive information. Details revealed from one breach could be reused to compromise accounts used elsewhere. The message is quite simple – that consumers should use different passwords for every account, & organisations should ‘stay-ahead’ of the criminals by tracking where the details of their employees & customers could be compromised.”
Most exposed credentials caught by Digital Shadows’ were for consumer services not enterprise ones, but credentials that could give access to corporate systems seemed to be more in demand, incl. those with words like “invoice”, “invoices”, “partners” or “payments” being particularly valuable.
Free of Charge
Digital Shadows explained that many basic account details were offered free of charge, but for those on sale, the average account traded for $15.43 (€13.43/£12.15), rising to an avg. of $70.91 for a bank account.
Researchers commented that they also found ‘dozens of adverts’ for domain admin access, & in many cases these were being auctioned for between $500 & $120,000, with an avg. selling price of $3,139. Listings were found for many large enterprises & public sector bodies.
Indicators
Holland warned too, unfortunately, that all the indicators suggested that account takeover has never been either easier or cheaper for criminals, with many brute-force tools & account checkers also available, for an avg. of $4 each, with many of them very simple to use.
About identity & access management
- Regarding minimum password length, 14-character passwords are generally considered secure, but they may be insufficient to keep your enterprise safe.
- Nuance voice age-detection features are for security teams that want to prevent fraud, & to route service calls. Potential seen for marketing personalisation.
- Identity & access management is fast changing, & strategies for managing it must too. See IAM architecture approaches & how to select the best for your organisation.
Rents
Also flagged were the growth of account takeover as-a-service, where instead of buying a name & password, a cyber-criminal ‘rents’ someone else’s ID for a while. These services collect target data including cookies, IP addresses & time-zones, making it easier to perform account takeovers & transactions that the target will not see.
This type of service is becoming much more popular, explained Digital Shadows, which observed many people on dark web forums were “desperate” to obtain invite codes to this market.
Russian-language forum
Digital Shadows reported too that cyber criminals are increasingly looking at methods to bypass 2-factor authentication. For example, a user on the Exploit Russian-language forum was recently observed attempting to sell a technique designed to circumvent 2-factor authentication systems at a major US bank.
The player said their system could access 70-90% of accounts without requiring SMS verification!
