Stolen domain admin login credentials can be resold by dark web criminals for up to £95,000 and a total of 15 billion purloined credentials are traded on illicit marketplaces.
Or so says threat intel biz Digital Shadows in a study published today, adding that the total equates to roughly two login details for every human on the planet.
Rick Holland, CISO and strategy veep of Digital Shadows, mused: "The sheer number of credentials available is staggering and in just over the past 1.5 years, we've identified and alerted our customers to some 27 million [leaked] credentials which could directly affect them...
"Details exposed from one breach could be re-used to compromise accounts used elsewhere. The message is simple – consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised."
The business said it found "more than 15 billion credentials in circulation in cybercriminal marketplaces, many on the dark web".
Of those 15 billion stolen login details, around 5 billion are said to be unique - "ie, they have not been advertised more than once on criminal forums."
"Many account details are offered free of charge but of those on sale the average account trades for £12.18 ($15.43). Unsurprisingly, bank and financial accounts are the most expensive, averaging at £56 ($70.91), however they trade for upwards of £395 ($500), depending on the 'quality' of the account," Digital Shadows said.
The infoseccers also found "dozens" of ads for Active Directory domain admin accounts, which they said were being auctioned off "with prices ranging from £395 ($500) to £95,000 ($120,000)". On average, domain admin creds were priced by criminals at £2,487 ($3,139) each.
By contrast, Digital Shadows found that consumer-grade accounts commanded far lower prices, though banking credentials changed hands for an average £56 ($71). Alarmingly, cybercrims are said to have figured out profitable rent-stolen-creds business models, where a target's identity can be rented from identity thieves. Targeted surveillance picks up the mark's "fingerprint data," including cookies, IP addresses, and time zones, which allows the account to be taken over by the baddies.
"Such is the popularity of these services that users on forums are desperate to acquire invite codes to this market," concluded the company. ®