According to a report by London-based cyber-security firm Digital Shadows, more than 15 billion credentials are in circulation on online marketplaces used by criminals.
It said account details for internet services, ranging from bank accounts to video and music streaming services, were among those on offer at an average price of around £12. Meanwhile, bank and financial service accounts were found to be on sale for an average of £56 – although they could be sold for £400 or more depending on the “quality” of the account.
Five billion of the identified credentials were assessed to be unique in that they had not been advertised more than once on a criminal forum. Banking and financial accounts made up around a quarter of those advertised, the research suggests.
“The sheer number of credentials available is staggering and in just over the past one-and-a-half years we’ve identified and alerted our customers to some 27 million credentials which could directly affect them,” said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows.
He added that some of the exposed accounts can have – or have access to – incredibly sensitive information. “Details exposed from one breach could be reused to compromise accounts used elsewhere,” he explained.
Among the credentials for sale were those that granted access to accounts within organisations, with usernames containing the word "invoice" or "invoices" among the most popular listings.
Digital Shadows said it was unable to confirm the validity of the data that the vendors purport to own without purchasing it. The researchers said that listings included those for large corporations and government organisations in multiple countries.
Security experts advise internet users to use individual passwords for each online service that they use, while also adopting measures like two-factor authentication where possible.