Is my login information for sale on the black market?

Published Jul 16, 2020 by Xiph

For all you know, your passwords for sites and services are currently available to buy on the dark web

It’s a well-known fact that corporations and government bodies are consistently inventing novel methods of ‘legally’ siphoning our personal information. Even for those who’ve devoted their entire lives to exposing such questionable behaviour, staying ahead of the curve is almost impossible. Threats come in all forms and from all fronts, and no matter how big a fish is landed, schools of others are forever waiting just beneath the surface.

Dark Web

What’s less known, or at least often downplayed, is the role that cybercrime plays in everyday life. It’s easy to think of hackers as a small group of basement-dwellers who occasionally give you cause to change your password, but in reality, they operate on an almost unfathomable scale from a growing underground space in which authorities can barely make a dent; a space where your private information can be added to a cart like any ordinary consumer product.

No, that’s not an exaggeration

This month, a dark web audit revealed that at least (and this is not an error) 15 billion credentials are currently circulating on dark web forums and markets. Thanks to 100,000+ data breaches, cyber criminals have ready access to a seemingly endless well of digital gold that allows them to wreak havoc in a variety of different ways. From consumer login details for every imaginable online service to corporate account information that unlocks key systems – no form of private information is off limits.

Here’s a breakdown of the most commonly traded user information on the underground market:

Banking and other financial services – on a consumer level, access to financial portals is the most expensive, averaging out at $102.15 AUD per login pair. The next time you encounter someone who’s had to switch credit cards due to a fraud attempt, chances are their details have been purchased online. More current, in-depth banking account information (often used by money launderers and for cash-out schemes) can cost upwards of $700 AUD.

Non-financial services – login information for cable, streaming, social media, VPN, file-sharing, video games and adult services (ranging from standard, premium to even lifetime access) is a buyer’s market, averaging out at $22.34 AUD. Login pairs for educational portals cost an average of just under $6 AUD. 

Domain administrator access – those wanting to commit crimes on a larger scale by infiltrating/controlling entire sites and even networks are looking at an average cost of $4,514 AUD. These items are often auctioned off due to high demand and their prices sometimes spike as high as $173,000 AUD. Scarily, the product descriptions for such items include “big university”, “petrochemical” and even “government”. Some market vendors spruik the value of such products by mentioning the number of machines on the network, the number of employees and the availability of any intellectual property or sensitive documents.

If you think that Australia is immune to such phenomena, know that we are the third-most penetrated nation, close behind the United States and Canada. 

A call to vigilance 

It would seem as if all of the above is enough to make us either throw our hands in the air or abandon the digital space altogether, but not all is lost. The good news is that with a little bit of vigilance, you can minimise the possibility of falling victim to such theft and exploitation. Here’s a quick rundown of the measures you can take, right now, to wipe the sinister grins off the face of cyber criminals:

Password diversification – when details of a single account to a single service from a single breach are leaked to hackers, they can easily be re-used to compromise accounts elsewhere. It’s not enough to make your passwords more complex (though that can’t hurt); it’s imperative that you use a unique password for every account, no matter how inconvenient it might seem at the outset.

Two-factor authentication – where offered, consumers should take advantage of two-factor authentication (2FA). In simple terms, 2FA is where more than one piece of information (such as a password AND a PIN) is required before accessing an account or system. While 2FA is imperfect, your data is far more likely to remain in your hands with it than without it.

Hardware-based authentication keys – thanks to the introduction of highly affordable consumer options, hardware-based authentication keys are growing in popularity by the day. The idea here is that you cannot access specific account information unless you plug in what looks like a USB thumb drive. This is the ultimate method of taking back control of your privacy and security. We stock the most reliable security key on the planet, the Yubico NFC - and it will only cost you $45. That’s a lot of security for a one-off minimal cost. 

In addition to these practical steps, it’s wise to stay as aware as possible. Free resources such as haveibeenpwned.com allow you to search previous data breaches to see if your email address has been compromised. While it may cause initial alarm to see your address listed, all it means is that you need to get a little stricter with your security measures. As you can probably deduce from this piece, the minimal amount of time it will take you to do so is more than worth it. 
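The two habits described above (a unique password for every account, and checking breach data at haveibeenpwned.com) can be automated; the following is an added example, not code from the original article. It goes beyond the email search mentioned above by using the site's Pwned Passwords range format, in which only the first five characters of a password's SHA-1 hash are sent; the CSV column names and both sample inputs are constructed for illustration.

```python
import csv, hashlib, hmac, io, os
from collections import defaultdict

# Constructed password-manager export (hypothetical column names).
SAMPLE_EXPORT = """name,username,password
bank,alice@example.com,password
streaming,alice@example.com,password
forum,alice,Tr0ub4dor&3
vpn,alice@example.com,correct horse battery staple
"""

# Constructed response body in the Pwned Passwords range format
# (35-character SHA-1 suffix, colon, count) for the prefix 5BAA6.
SAMPLE_RANGE = (
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
)

def find_reuse(export_csv):
    """Group account names that share a password, without keeping plaintext."""
    key = os.urandom(32)  # per-run key: the digests are useless outside this run
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        tag = hmac.new(key, row["password"].encode(), hashlib.sha256).digest()
        groups[tag].append(row["name"])
    return sorted(names for names in groups.values() if len(names) > 1)

def range_prefix(password):
    """Only these 5 hex characters of the SHA-1 would be sent to the service."""
    return hashlib.sha1(password.encode()).hexdigest().upper()[:5]

def pwned_count(password, range_body):
    """Match the remaining 35 characters locally against the response body."""
    suffix = hashlib.sha1(password.encode()).hexdigest().upper()[5:]
    for line in range_body.splitlines():
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate.strip().upper(), suffix):
            return int(count)
    return 0

if __name__ == "__main__":
    print("reused across:", find_reuse(SAMPLE_EXPORT))
    print("prefix sent:", range_prefix("password"))
    print("times seen:", pwned_count("password", SAMPLE_RANGE))
```

Any account group reported by `find_reuse` needs new, distinct passwords, and any password with a non-zero count should be retired everywhere it is used.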

And with every new person that wakes up and takes such measures, the black market is a little poorer and your (private) life becomes a little bit richer and, more importantly, safer.


 


 

