Unprecedented Amounts of Usernames and Passwords for Sale

Unprecedented Amounts of Usernames and Passwords for Sale

There has been a large increase of consumer credentials being sold on the dark web. A 300 percent increase in stolen credentials has been witnessed from 100 separate data breaches, that have happened over a two-year period. This has resulted in mass amounts of account details being sold on these dark web hacker forums.  

Data Breach Response 

Our Incident Response Team handles data breach response and emergency situations with military precision throughout the entire life cycle of an incident. 


About fifteen billion usernames and passwords are currently being sold on these underground forums.  These login credentials account for internet and streaming services, and bank or financial accounts. These consumer credentials are sometimes given away by hackers for free, or they can be sold for about $15 on these forums. The price, however, does depend on the type of credential being sold. For example, it was found that bank and other financial accounts credentials sold at an average of $70.91 apiece.

Data for accessing antivirus programs sold at an average of $21.67, while media streaming credentials sold for substantially less at under a $1 on forums. This shows that financial account credentials were found to be most valuable to threat actors, considering they were also the most expensive to purchase.       

Unfortunately, threat actors have a multitude of ways to gain access to these credentials. This can include credit-card skimmers, phishing, and credential-stealing malware.  

What is more problematic is that consumers aren’t exercising simple security measures and basic cyber hygiene. These measures can decrease their chances of falling victim to stolen account credentials. They aren’t frequently changing their passwords and they use the same password for different accounts. This puts users at an increased chance for their passwords to be guessed, and for multiple accounts to be breached. It’s important to practice good password hygiene. This means not reusing passwords, creating hard to guess passwords, and frequently changing them as well. This makes it challenging for threat actors to guess login credentials and gain unauthorized access into users’ accounts.