More Than 15 Billion Credentials are up for Sale on Hacking Forums

New research conducted by Digital Shadows has provided insight into the scale of credential theft and the extent to which stolen credentials are being sold on hacking forums and darknet marketplaces. A wide range of credentials are up for sale including social media accounts, streaming services, Office 365 accounts, and bank accounts.

According to the Digital Shadows analysis, there are currently more than 15 billion username and password combinations listed for sale. There is some duplication, as some credentials are included in more than one list, but not to a great degree as the assessment by Digital Shadows indicates 5 billion of those credentials are unique. The credentials were stolen in more than 100,000 data breaches over the past two years. The Digital Shadows Photon Research Team says there has been a 300% increase in credentials theft in the past two years.

Lists of stolen credentials are offered free of charge or are traded online, although many are sold. The average cost for a username/password combo is $15.43. Approximately a quarter of the credentials being sold are for online bank and other financial accounts, and these attract the highest prices, with an average price of $70.91. Logins to antivirus software programs are also popular and attract a higher than average price, typically selling for more than $21.

Credentials are stolen in a number of ways. Automated brute force attacks are common, with brute forcing tools offered on hacking forums for as little as $4. Many credentials are obtained through phishing attacks, malware such as keyloggers, and credit-card skimmers.

Despite the risks involved, many people still do not practice good cybersecurity hygiene such as regularly changing passwords, setting strong passwords, and ensuring a unique password is used for all online accounts. It is not only consumers that are taking risks. Many companies store passwords in plaintext and do not scan for vulnerabilities that could be exploited by cybercriminals.

Many companies are not scanning for compromised employee credentials and are not using services that monitor for mentions of their company name on darknet forums, which Digital Shadows strongly recommends. Businesses are also advised to provide regular cybersecurity awareness training to their employees that includes good password practices such as never reusing passwords, setting strong passwords, and how to identify phishing scams.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of