Digital Shadows has released the results of a study that quantifies the sheer scope of the world’s digital security problem. The From Exposure to Takeover report reveals that there are currently more than 15 billion credentials available for sale through criminal channels, a number that represents a 300 percent increase over 2018.
The dramatic spike is the result of 100,000 data breaches in the past two years. The credentials typically include user names and passwords, many of which correspond to bank accounts, social media channels, and other sensitive applications. According to Digital Shadows, the average bank account credential goes for just over $70, though the price for a high-quality account can climb above $500.
However, individual bank accounts were not the most expensive product on the criminal dark web. Admin access to a larger organization’s key systems went for an average of $3,139, but could go for as much as $120,000 during an open auction.
“The sheer number of credentials available is staggering,” said Digital Shadows CISO and Strategy VP Rick Holland. “Some of these exposed accounts have access to incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere.”
The report goes on to warn that account takeover attacks have become a particularly pernicious problem, largely because such attacks have become relatively simple and cheap to execute. That’s why Digital Shadows recommends that people use a different password for every account. It also advises organizations to watch for leaked credentials, and to be wary of some of the more vulnerable two-factor authentication methods, including CAPTCHA and (especially) SMS.
The Digital Shadows report arrives roughly a month after a ForgeRock report that found that U.S. organizations lost more than $1.2 trillion due to data breaches in 2019 alone. On that front, several recent studies have shown that many businesses and individuals are still putting far too much faith in the integrity of passwords.
(Originally posted on Mobile ID World)