15 Billion Stolen Logins From 100,000 Breaches – Reveals New Dark Web Audit


15 billion – a figure published demonstrates the stolen logins came about through the 18 months of Digital Shadow’s Security researchers. They audited the criminal’s marketplace over the dark web and found that the stolen credentials have increased 300% since the audit done previously in 2017. The audit reveals 15 billion stolen credentials from 100,000 breaches. 

Among those 15 billion records, about 5 billion are unique. These records estimate an average of $15.43 as an individual record selling. These data breaches highlight most of the compromised data belongs to banks and financial accounts which accumulate an average of $70.91 per piece. Also, about 25% of all dark web advertisements offer such records as they carry more valuable data.

In the audit, researchers have also found that the stolen credentials are provided as a service. Now instead of buying the credentials, criminals rent the identity for a particular time period for less than $10. 

The chief information security officer, Rick Holland, said in a statement,

“The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them,”  Also, he said, “Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere.”

He added by giving a simple message: “Consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”

Certified information systems security professional and senior vice president of global business and corporate development at digital identity firm ForgeRock Inc., Ben Goodman, told in a statement that passwords are traditional user authentication method for decades and that a user has an average of 130 online accounts.

“It’s unlikely that users can remember 130 unique sets of login credentials and as a result, most opt to reuse the same passwords and usernames across most if not all of their accounts,” he said. “In fact, 57% of people who have already been scammed in phishing attacks still haven’t changed their password, enabling fraudsters to leverage compromised login credentials from one account to access additional profiles with more critical data, including banking and healthcare information.”

His advice: Organizations must recognize the security risks of passwords and usernames and adopt technology to enable passwordless and username-less logins.