Report: 24B usernames and passwords available for sale in cybercriminal marketplaces

Threat Intelligence provider Digital Shadows has published new research that’s found more than 24 billion usernames and password combinations in circulation in cybercriminal marketplaces, many on the dark web — the equivalent of nearly four for every person on the planet. This number represents a 65% increase from their previous report, which was released in 2020.

Within this data set, Digital Shadows found that approximately 6.7 billion credentials had a unique username-and-password pairing, indicating that the credential combination was not duplicated across other databases. This was 1.7 billion more than Digital Shadows found in 2020, highlighting the rate of compromise across completely new credential combinations. The most common password, 123456, represented 0.46% of the total of the 6.7 billion unique credentials. The top 100 most common passwords represented 2.77% of this number.

Today, compromised passwords and usernames are enabling all kinds of threat actors to perform all kinds of account takeover (ATO) attacks. Basic cyber hygiene significantly lowers the risk of ATO; however, many online users continue to reuse passwords or create vulnerable, easy-to-guess passwords. This was recently demonstrated in Verizon’s Data Breach Investigations Report (DBIR), which found that stolen credentials accounted for half of the 20,000 incidents analyzed by Verizon. This represents a 30% increase in use of stolen credentials found in the DBIR from just five years ago.

As with any cyberattack, ATO starts with a mistake, a misconfiguration or another oversight that provides an opportunity to someone with malicious intent. It‘s often tough to spot before it’s too late. There are many scenarios where ATO can flourish, however, a typical lifecycle involves identifying a susceptible service or user, attempting to acquire accounts, verifying whether they can be used across other services, and exploiting these accounts for nefarious purposes.

The latest Digital Shadows report states that offline attacks usually produce the best results for cracking passwords; 49 of the top 50 most commonly used passwords could be cracked in less than a second. Adding a special character to a basic ten-character password adds about 90 minutes to that time. Adding two special characters boosts the offline cracking time to around two days and four hours. However, Digital Shadows finds that until passwordless authentication becomes mainstream, the best ways to minimize the likelihood and impact of ATO are simple controls and user education ― use multi-factor authentication, password managers, and complex, unique passwords.

Digital Shadows’ research examines the roots of the trend, the methods and techniques cybercriminals use to steal these credentials and steps people can take to make themselves a harder target for would-be credential thieves.

Read the full report by Digital Shadows.