A new report by cyber threat intelligence provider Digital Shadows reveals the extent of login data leaked worldwide in connection with account takeovers (ATO). More than 24 billion username-password combinations are in circulation on the dark web.
Measured against the world population, this corresponds to four exposed accounts per Internet user. The number of stolen and disclosed credentials has thus increased by around 65% since 2020.
Login data on the dark web: increase of 65 percent
The majority of the exposed data concerns individuals and consumers and includes usernames and passwords from a wide range of accounts - from bank accounts and online retailers to streaming services and social media to corporate portals. A total of 6.7 billion of the discovered credentials are classified as "unique", meaning they were offered for sale for the first time, and only once, on a dark web marketplace (2020: 5 billion; +34%).
The compromised login data is primarily offered via the relevant marketplaces and forums on the dark web. There, the cybercriminal ecosystem has grown significantly in scope and professionalism over the past two years. In addition to leaked access data, malware and cracking tools, interested customers can also take out subscription and premium services related to account takeovers. In the last 18 months alone, Digital Shadows analysts identified 6.7 million instances of customer login credentials being advertised across multiple platforms. This includes the usernames and passwords of employees, partners and customers, as well as of various servers and IoT devices.
A lack of password hygiene makes it easy for attackers
According to the study, the greatest security deficit is still a lack of password hygiene. Internet users continue to use easy-to-guess passwords (e.g. "password") and simple sequences of numbers. Almost one in 200 passwords (0.46%) is "123456". Combinations of letters that sit next to each other on the computer keyboard (e.g. "qwerty", "1q2w3e") are also popular. Of the 50 most common passwords, 49 can be cracked in less than a second. Some of the tools needed to do this are available on the dark web for as little as $50.
Even adding special characters (e.g. @, #) can only delay the cracking of login data, not necessarily prevent it. According to Digital Shadows, a single special character costs cybercriminals an average of 90 minutes of additional time; with two special characters, attackers still need only two days and 4 hours.
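The weak patterns the report calls out above (top-list entries such as "password", digit sequences like "123456", keyboard walks like "qwerty" and "1q2w3e", and special characters that only dress up a weak core) can be turned into a policy check. The following is an added example written for this article, not code from Digital Shadows; the common-password list is a constructed stub standing in for a real breached-password list, and the QWERTY adjacency model is an approximation.

```python
import re

# Constructed stand-in for a breached-password list; real lists run to billions.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "1q2w3e", "abc123", "letmein"}

# Approximate QWERTY layout. Row r+1 sits half a key to the right of row r, so
# a step of (row +-1, column +-1 or 0) is treated as adjacent. That is enough to
# catch "1q2w3e"-style walks without modelling exact key geometry.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def is_keyboard_walk(core: str, min_len: int = 4) -> bool:
    """True if every consecutive pair of keys is physically adjacent on QWERTY."""
    if len(core) < min_len or any(ch not in KEY_POS for ch in core):
        return False
    pos = [KEY_POS[ch] for ch in core]
    return all(
        (r1, c1) != (r2, c2) and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1
        for (r1, c1), (r2, c2) in zip(pos, pos[1:])
    )


def is_digit_sequence(core: str, min_len: int = 4) -> bool:
    """Digit runs with a constant step of 0 or +-1: 123456, 654321, 111111."""
    if len(core) < min_len or not core.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(core, core[1:])}
    return steps in ({0}, {1}, {-1})


def weakness_reasons(password: str) -> list[str]:
    """Return the report's weak patterns found in a password (empty list = none).

    Special characters are stripped before the checks: per the report they only
    delay cracking, so "qwerty!#" is still a keyboard walk at its core.
    """
    core = re.sub(r"[^a-z0-9]", "", password.lower())
    reasons = []
    if core in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if is_digit_sequence(core):
        reasons.append("digit sequence")
    if is_keyboard_walk(core):
        reasons.append("keyboard walk")
    if core and len(set(core)) == 1:
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    for pw in ["123456", "1q2w3e", "qwerty!#", "Tr0ub4dor&3", "correct horse battery"]:
        print(f"{pw!r}: {weakness_reasons(pw) or 'no known weak pattern'}")
```

A production policy would replace the stub set with a full breached-credential list and combine this check with rate limiting and MFA, since the check catches pattern weakness, not reuse of an otherwise strong password that has already leaked.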
A passwordless future must come
“The industry is making great strides towards a passwordless future. For now, however, the issue of compromised credentials seems to be spiraling out of control,” said Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows. “Criminals have endless lists of leaked or stolen credentials at their disposal, and they delight in users' lack of creativity in choosing their passwords. This allows accounts to be taken over in seconds using automated and easy-to-use cracking tools. Many of the cases that we examined as part of our study could have been avoided by assigning a unique and strong password.”
More at DigitalShadows.com
About Digital Shadows
Digital Shadows tracks down unintentionally leaked data across the open, deep, and dark web, helping organizations minimize the resulting digital exposure to external threats. With SearchLight™, companies can comply with data protection regulations, prevent the loss of intellectual property and avoid reputational damage.