Here’s How Much Your Login Credentials Sell for on the Dark Web

If you think there’s only a slim chance that fraudsters might steal your login credentials and use them for financial fraud, identity theft and other criminal activities, it’s time for a wake-up call.

More than 15 billion login credentials are for sale on any given day on the dark web and other underground markets that sell tools and information for fraud and identity theft, according to “Why Your Social Security Number Isn’t as Important as Your Log-In Credentials,” a report from the Identity Theft Resource Center (ITRC).

Stolen login credentials can also be the cause of corporate and small business data breaches and cyberattacks.

In fact, in 2021, one stolen password that wasn’t protected by multifactor authentication (such as a code sent that must be entered to access the account) allowed hackers to launch a cyberattack against Colonial Pipeline that shut down deliveries from Gulf Coast refineries to major markets on the East Coast, according to Reuters.

“Identity thieves want login credentials,” says the report. “They make more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information.”

What are the going rates for login credentials?

Depending on the type of account login, high-value credentials sell on the dark web for as much as $500 to $140,000 each, according to “From Exposure to Takeover,” a report from digital risk security provider Digital Shadows.

Here’s a rundown of the prices for stolen login credentials, according to Digital Shadows :

• Email administrator: $500 to $140,000
• Bank and financial accounts: $70
• Antivirus programs: $21
• Video and music streaming services: $15
• Social media accounts: $10 or less

“Most credentials belong to consumers, and cybercriminals give away many for free,” according to the Digital Shadows report.

Find out: 4 Common Password Mistakes That Put Your Online Security at Risk

Ways that criminals steal login information

In addition to data breaches, your login credentials could be stolen in a number of ways, according to cybersecurity software company SentinalOne, including:

Credential stuffing

Hackers test databases and lists of stolen login credentials against multiple accounts to find a match.

Phishing emails and texts

Criminals pose as legitimate businesses to trick users into supplying their login credentials.

Password spraying

Hackers use a list of commonly used and easy-to-crack passwords such as 123456, password 123, batman, letmein and others against a user account name.

Keylogging

Malware keyloggers record your every keystroke to obtain login credentials for bank accounts, credit cards, digital wallets and other secure online forms.

Local discovery

Someone else sees a password you wrote down in a notebook, on a scrap of paper or elsewhere and uses it to access an account or multiple accounts.

How to protect your login credentials

Taking the following steps can help protect your login credentials against being stolen:

• Use multifactor (code sent to phone, fingerprint, facial recognition, etc.) on all accounts.
• Use only secure networks — avoid using public Wi-Fi, for example — and a virtual private network (VPN) to keep hackers, identity thieves and spammers from seeing your online activity.
• Stay on top of all software updates.
• Use at least a 12-character password on all accounts so they’re harder for hackers to crack.
• Never click on links in phishing emails or text messages.

Find out: 5 Identity Theft Risks You Should Never Take on Public WiFi