Over 24 billion compromised credentials are on the dark web, some of which are so weak that it would only take one second to crack them and the accounts they are protecting, reported risk management and threat intelligence company Digital Shadows.
The dark web is brimming with stolen credentials, and the rate at which new ones are uploaded is concerning. According to a recent analysis by Digital Shadows, fraudsters in the dark corners of the internet have access to around 24.6 billion login and password combinations.
The threat intelligence company calculated a 65% rise in the number of compromised credentials available on the dark web since 2020. About 6.7 billion of these compromised credentials had a unique username-and-password pairing, which is 1.7 billion higher than 2020. A unique credential implies the credential combination was not duplicated across other databases.
The number of compromised credentials online peaked in 2019 when Digital Shadows collated over 10.3 billion credentials. Since then, the number has hovered around the 5 billion mark in the following two years, and the company expects the same to continue in 2022.
[Figure: Number of Credentials Collated by Digital Shadows by Year]
Kim DeCarlis, CMO at PerimeterX, told Toolbox, “The front door to a web app is a valid user name and password, and it is eye-opening to learn the number of credential pairs available on the dark web.”
The findings are from Digital Shadows’ Account Takeover in 2022 report, a study that examines the reasons for the titular attack type. An ATO attack typically follows a lapse in basic cyber hygiene by the target, whether through system misconfiguration, falling prey to phishing, or simply setting a weak password.
For instance, reusing or creating easy-to-guess passwords is akin to leaving the door of your home unlocked at night. It can and possibly will lead to account takeover and, by extension, identity theft, financial theft, social media spam, and more.
“Once a valid username and password pair is found, cybercriminals can use the credentials to log into — and take over — legitimate accounts, typically on a number of sites since password reuse is common,” added DeCarlis.
“Because the credentials are accurate, there’s a good chance the criminal will get into the account without any problems. Since most websites don’t have security checks post-login, they are free to navigate through and abuse the account, no questions asked. This abuse could include transferring money, cashing out credits or buying products that are easy to resell.”
Using stolen credentials is also the top method for establishing initial access. Digital Shadows estimated that almost 50% of ATO attacks had credentials as the initial access vector, followed by phishing (nearly 18%), vulnerability exploitation (almost 6%), and botnets (less than 1%).
It is a no-brainer that a strong password should be a cardinal rule to avoid most ATO attacks. Yet 123456 is the most common password, accounting for 0.46%, or 30,679,190, of the 6.7 billion unique compromised passwords. This means nearly one in every 200 passwords is 123456. Keyboard combinations such as ‘qwerty’ or ‘1q2w3e’ are also commonly used.
| Rank | Password | No. of Times Found |
|------|-----------|--------------------|
| 1 | 123456 | 30,679,190 |
| 2 | 123456789 | 17,087,782 |
| 3 | qwerty | 10,589,340 |
| 4 | 12345 | 10,368,618 |
| 5 | password | 8,987,753 |
| 6 | qwerty123 | 5,722,547 |
| 7 | 1q2w3e | 5,306,421 |
| 8 | 12345678 | 5,207,749 |
| 9 | DEFAULT | 4,507,715 |
| 10 | 111111 | 3,766,387 |
Additionally, 49 of the top 50 most commonly used passwords could be cracked in less than a second.
Most of these compromised credentials end up on darknet marketplaces where they’re traded in exchange for a price that depends on the account’s age, the buyer’s reputation, and the size of the data file on offer. Whether or not the password file is encrypted or is in plain text also affects the price.
What follows is credential stuffing and other intrusion efforts. A typical ATO attack lifecycle is as follows:
[Figure: ATO attack lifecycle. Source: Digital Shadows]
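Credential stuffing is the step in that lifecycle where the stolen list is replayed against a site to find out which pairs still work. The detection rule below is an added example, not part of the Digital Shadows report: it parses a constructed authentication log (the line format, the usernames, the IP addresses from the RFC 5737 documentation ranges, and the thresholds are all assumptions) and flags a source once it has failed logins for many distinct usernames inside a sliding window, which is the signature of a list being replayed rather than one user mistyping a password. Any success from a flagged source is reported as well, since that is the account the attacker has just validated.

```python
"""Credential-stuffing burst detection over authentication logs.

Added example, not from the Digital Shadows report. The log format, the sample
lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds are
all constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one source cycles through many usernames from a stolen
# list and eventually lands a hit; a second source is a real user mistyping.
SAMPLE_LOG = """\
2022-06-17T10:00:01 login fail user=alice ip=203.0.113.7
2022-06-17T10:00:02 login fail user=bob ip=203.0.113.7
2022-06-17T10:00:02 login fail user=carol ip=198.51.100.4
2022-06-17T10:00:03 login fail user=carol ip=203.0.113.7
2022-06-17T10:00:04 login fail user=dave ip=203.0.113.7
2022-06-17T10:00:05 login fail user=erin ip=203.0.113.7
2022-06-17T10:00:06 login fail user=frank ip=203.0.113.7
2022-06-17T10:00:07 login ok user=frank ip=203.0.113.7
2022-06-17T10:00:09 login ok user=carol ip=198.51.100.4
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Flag a source IP once it has failed logins for >= min_users distinct
    usernames inside the sliding window. A brute-force on a single account
    looks different (many failures, one username), so this rule targets the
    list-replay pattern specifically. Once a source is flagged, every later
    success from it is reported too: that is the credential the attacker has
    just validated and the account to force a reset on.
    """
    recent = defaultdict(deque)  # ip -> deque of (ts, user) for failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "fail":
            q.append((ev["ts"], ev["user"]))
            distinct = {u for _, u in q}
            if len(distinct) >= min_users and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("stuffing_burst", ev["ip"], len(distinct)))
        elif ev["ip"] in flagged:
            alerts.append(("success_after_burst", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

On the sample above the rule fires once for 203.0.113.7 when its fifth distinct username fails, then reports the later successful login for `frank` from the same source; the mistyping user at 198.51.100.4 never reaches the threshold. Real deployments would key on more than the source IP (stuffing tools rotate through proxies), but the distinct-username count per source and per window is the core signal.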
DeCarlis further told Toolbox, “The cyberthreat landscape has changed. Web attacks that were once separate and distinct have come together in a continuous and integrated cycle of cybercrime. One kind of attack fuels another, propagating and prolonging an attack lifecycle that hits consumers everywhere along their digital journey — and web apps are a prime target.”
“In this case, since the theft of credentials has already happened, digital businesses should look for a way to stop the next step: credential stuffing attacks in which cybercriminals try to validate the username and password. It would be smart for online businesses to look for solutions that flag when a known compromised credential is being used and force an action such as a simple password reset.”
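The control DeCarlis describes, flagging a known-compromised credential and forcing a reset, can be built without ever shipping the user's password (or its full hash) to the lookup service. The code below is an added example, not PerimeterX's or Digital Shadows' code. It uses the k-anonymity prefix-lookup pattern: the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally. The breach corpus is a constructed stand-in served from a local dict (its counts are the ones from the article's table of the ten most common passwords); the function names and the `threshold` parameter are assumptions.

```python
"""Compromised-credential check with a k-anonymity range lookup.

Added example, not Digital Shadows' or PerimeterX's code. The breach corpus is a
constructed stand-in (the counts are the ones listed in the article's table);
the range-query layout mirrors the prefix-lookup pattern used by public
pwned-password services, but the "service" here is a local dict.
"""
import hashlib

# Constructed corpus: password -> number of times found in breach data.
BREACH_CORPUS = {
    "123456": 30_679_190,
    "123456789": 17_087_782,
    "qwerty": 10_589_340,
    "12345": 10_368_618,
    "password": 8_987_753,
    "qwerty123": 5_722_547,
    "1q2w3e": 5_306_421,
    "12345678": 5_207_749,
    "DEFAULT": 4_507_715,
    "111111": 3_766_387,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the usual key format for such lists.
    SHA-1 is a lookup key here only; it is not how passwords should be stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index the corpus by the first 5 hex chars of the SHA-1.
    A client sends only that prefix and receives every suffix in the bucket,
    so the service never learns which exact password was checked."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def query_range(prefix: str) -> dict:
    """Stand-in for the server side of the range API: suffix -> count."""
    return RANGE_INDEX.get(prefix.upper(), {})


def times_compromised(password: str) -> int:
    """Client side: fetch the bucket by prefix, then match the suffix locally."""
    digest = sha1_hex(password)
    return query_range(digest[:5]).get(digest[5:], 0)


def post_login_decision(password: str, threshold: int = 1) -> dict:
    """Policy hook run after the credential has already validated.

    A compromised password is still the *correct* password, so the login itself
    succeeds; the control is to flag the session and force a reset before the
    user (or whoever else holds the credential) can act on the account.
    """
    seen = times_compromised(password)
    if seen >= threshold:
        return {"action": "force_password_reset", "seen": seen}
    return {"action": "allow", "seen": 0}


if __name__ == "__main__":
    for candidate in ("123456", "qwerty", "correct-horse-battery-staple-7!"):
        print(candidate, post_login_decision(candidate))
```

The same check belongs at registration and password change as well as login, so that the ten entries in the table above can never be set in the first place. In a production system the local dict would be replaced by a call to a range endpoint, and the hash should be computed in memory only, never logged.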
Going passwordless also seems like the smart choice going forward. Users can leverage password managers, multi-factor authentication, and authenticator apps until passwordless becomes mainstream globally.
DeCarlis concluded, “Businesses need to think about continuous post-login validation. It’s time to look beyond login to make sure the user is, in fact, who they say they are and is doing what they should be doing in the account.”
“This kind of comprehensive account protection approach will pay dividends in the form of reducing chargebacks, lowering calls to customer service, reducing strain on IT resources, and protecting brand reputation and revenue.”