If you think there’s only a slim chance that fraudsters might steal your login credentials and use them for financial fraud, identity theft, and other criminal activities, it’s time for a wake-up call.
More than 15 billion login credentials are for sale on any given day on the dark web and other underground markets that sell tools and information for fraud and identity theft, according to “Why Your Social Security Number Isn’t as Important as Your Log-In Credentials,” a report from the Identity Theft Resource Center (ITRC).
Stolen login credentials can also be the cause of corporate and small business data breaches and cyberattacks.
In fact, in 2021, one stolen password that wasn’t protected by multifactor authentication (such as a code sent that must be entered to access the account) allowed hackers to launch a cyberattack against Colonial Pipeline that shut down deliveries from Gulf Coast refineries to major markets on the East Coast, according to Reuters.
“Identity thieves want login credentials,” says the report. “They make more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information.”
What are the going rates for login credentials?
Depending on the type of account login, high-value credentials sell on the dark web for as much as $500 to $140,000 each, according to “From Exposure to Takeover,” a report from digital risk security provider Digital Shadows.
Here’s a rundown of the prices for stolen login credentials, according to Digital Shadows :
- Email administrator: $500 to $140,000
- Bank and financial accounts: $70
- Antivirus programs: $21
- Video and music streaming services: $15
- Social media accounts: $10 or less
“Most credentials belong to consumers, and cyber criminals give away many for free,” according to the Digital Shadows report.
Ways that criminals steal login information
In addition to data breaches, your login credentials could be stolen in several ways, according to cybersecurity software company SentinalOne, including:
Credential stuffing
Hackers test databases and lists of stolen login credentials against multiple accounts to find a match.
Phishing emails and texts
Criminals pose as legitimate businesses to trick users into supplying their login credentials.
Password spraying
Hackers use a list of commonly used and easy-to-crack passwords such as 123456, password 123, batman, letmein, and others against a user account name.
Keylogging
Malware keyloggers record your every keystroke to obtain login credentials for bank accounts, credit cards, digital wallets, and other secure online forms.
Local discovery
Someone else sees a password you wrote down in a notebook, on a scrap of paper or elsewhere and uses it to access an account or multiple accounts.
How to protect your login credentials
Taking the following steps can help protect your login credentials against being stolen:
- Use multifactor (code sent to a phone, fingerprint, facial recognition, etc.) on all accounts.
- Use only secure networks — avoid using public Wi-Fi, for example — and a virtual private network (VPN) to keep hackers, identity thieves, and spammers from seeing your online activity.
- Stay on top of all software updates.
- Use at least a 12-character password on all accounts so they’re harder for hackers to crack.
- Never click on links in phishing emails or text messages.
Find out: 5 Identity Theft Risks You Should Never Take on Public WiFi
