Over 15 billion account credentials are currently being sold on the dark web for an average price of $22, according to new research from Digital Shadows.

The investigation found that stealing someone’s account is becoming easier thanks to a wealth of cheap tools and pre-cracked accounts available on dark web marketplaces.

Of the different types of credentials available, banking and financial accounts were by far the most common, making up a quarter of all dark web listings.

Next were streaming and VPN service accounts, which made up 13 and 12 per cent respectively.

“Would you rather pay $10 a month for yet another streaming service, or pay $5 for lifetime access?” asks Digital Shadows.

Of course, cheap access to someone else’s Netflix account only lasts while its owner doesn’t notice.

Geographically, Australian accounts were among the most commonly advertised on dark web marketplaces – along with those from the UK, Canada, and Germany.

But Digital Shadows still found US-based accounts made up the majority, saying that “cybercriminals very likely perceive North American accounts as being the most profitable”.


Bank and financial credentials are the most sold on dark web marketplaces. Source: Digital Shadows

Beyond hijacked streaming service and video game accounts, the researchers also found advertisements for whole-of-organisation access that can be auctioned for thousands of dollars.

“This takes the conversation from ‘simple’ account compromise to complete network compromise, and we’ve seen these accesses sold or auctioned for an average of US$3,139 and up to US$140,000,” the report said.

“The data may not always be valid, but just the concept of a large corporation or government network administrator’s access being sold on criminal marketplaces is, to say the least, unnerving.”

Also mentioned in the report is the rise of underground services that let users rent, rather than buy, credentials.

Rather than just selling a username and password, dark web services like Genesis Market hold a suite of data about compromised accounts, including cookies, personal information, and device footprints.

Users of Genesis Market can effectively rent an identity cheaply, impersonating their victim and evading anti-fraud measures that check more than just an authenticated password.

To mitigate the threat of account takeovers, Digital Shadows recommends that organisations monitor for leaked credentials on sites like HaveIBeenPwned and watch for references to the company on cracking forums.

Although defences such as CAPTCHA bot blockers and two-factor authentication can stop credential stuffing attacks, the report warns that cybercriminals are constantly developing ways to get around these mitigation tactics.