According to risk management and threat intelligence firm Digital Shadows, there are more than 24 billion stolen credentials on the dark web, some of which are so weak that it only takes a second to crack them and the accounts they protect.
While the dark web is awash with stolen credentials, the rate at which new credentials are being uploaded is alarming. Consumers continue to use easy-to-guess passwords, and fraudsters in the dark corners of the Internet have access to some 24.6 billion login and password combinations, according to an analysis of a recent study by Digital Shadows.
According to the threat intelligence firm's calculations, the number of compromised credentials available on the dark web has increased by 65 percent since 2020. About 6.7 billion of these stolen credentials have unique username and password pairings, an increase of 1.7 billion from 2020. Unique credentials mean that the credential combination is not duplicated in other databases.
The number of credentials compromised online peaked in 2019, when Digital Shadows collated more than 10.3 billion credentials. Since then, that number has hovered around the 5 billion mark for the following two years, and the company expects it to stay at that level in 2022.
According to Kim DeCarlis, chief marketing officer at PerimeterX, "Web applications are accessed with a valid username and password, and it's eye-opening to understand the number of credential pairs available on the dark web."
The findings come from Digital Shadows' Account Takeover 2022 report, a study that examines the causes of the attack type named in its title, account takeover (ATO). An ATO attack requires the target to neglect basic security hygiene, whether through system misconfiguration, falling victim to phishing, or simply setting a weak password.
For example, reusing or creating easy-to-guess passwords is similar to leaving your home unlocked at night. It can and probably will lead to account takeover, which in turn can lead to identity theft, financial theft, social media spam and more.
"Once a valid username and password pair is found, cybercriminals can use these credentials to log in and take over legitimate accounts, often on many sites, as password reuse is common," DeCarlis added.
"Because the credentials are accurate, there is a good chance that the criminal will be able to access the account without any problems. Since most sites have no security checks after login, they are free to browse and abuse the account without any problems. This abuse could include transferring money, cashing out points or purchasing products that can be easily resold."
Using stolen credentials is also the preferred method for establishing initial access. Digital Shadows estimates that nearly 50 percent of ATO attacks use credentials as the initial access medium, followed by phishing (nearly 18 percent), exploits (nearly 6 percent) and botnets (less than 1 percent).
It is axiomatic that strong passwords should be the basic rule to avoid most ATO attacks. However, 123456 is the most common password, accounting for 0.46% or 30,679,190 of the 6.7 billion uniquely compromised passwords. Keyboard combinations such as "qwerty" or "1q2w3e" are also very common.
| Rank | Password | Occurrences |
|---|---|---|
| 1 | 123456 | 30,679,190 |
| 2 | 123456789 | 17,087,782 |
| 3 | qwerty | 10,589,340 |
| 4 | 12345 | 10,368,618 |
| 5 | password | 8,987,753 |
| 6 | qwerty123 | 5,722,547 |
| 7 | 1q2w3e | 5,306,421 |
| 8 | 12345678 | 5,207,749 |
| 9 | DEFAULT | 4,507,715 |
| 10 | 111111 | 3,766,387 |
In addition, 49 of the top 50 most commonly used passwords could be cracked in less than a second.
Most of these compromised credentials are traded on dark web marketplaces, where the transaction price depends on the age of the account, the credibility of the buyer and the size of the data file provided. Whether the password file is hashed or in plain text also affects the price. Credential stuffing and other intrusion work comes next.
DeCarlis further states, "The cyber threat landscape has changed. Once separate and distinct Web attacks have come together in a continuous and integrated cycle of cybercrime. One attack fuels another, spreading and extending the attack lifecycle, and is ubiquitous in the consumer's digital journey - and web applications are the primary target."
"In this case, since credential theft has already occurred, digital businesses should look for a way to stop the next step: credential stuffing attacks in which cybercriminals attempt to validate usernames and passwords. It is wise for online businesses to find solutions that flag known compromised credentials when they are used and enforce actions such as a simple password reset."
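The recommendation above, flagging a known-compromised password at the moment it is used and forcing a reset, can be implemented as a post-authentication check. The following Python is an added example, not code from Digital Shadows or PerimeterX; its breach corpus is constructed from the top-10 table in this article, and the user names and login events are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Constructed from the top-10 table quoted in this article. A real deployment
# would load a far larger breach corpus; only digests are kept in memory so the
# application never holds the plaintext list.
KNOWN_COMPROMISED = [
    "123456", "123456789", "qwerty", "12345", "password",
    "qwerty123", "1q2w3e", "12345678", "DEFAULT", "111111",
]


def digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


COMPROMISED_DIGESTS = frozenset(digest(p) for p in KNOWN_COMPROMISED)


@dataclass(frozen=True)
class LoginDecision:
    user: str
    allowed: bool
    action: str  # "none" or "require_reset"


def evaluate_login(user: str, password: str, password_is_valid: bool) -> LoginDecision:
    """Decide what happens after the normal password check has run.

    A wrong password is simply rejected. A correct password that appears in the
    breach corpus still signs the user in, but only into a forced-reset flow, so
    a credential-stuffing hit cannot be used to browse the account freely."""
    if not password_is_valid:
        return LoginDecision(user, False, "none")
    if digest(password) in COMPROMISED_DIGESTS:
        return LoginDecision(user, True, "require_reset")
    return LoginDecision(user, True, "none")


def users_needing_reset(events):
    """Run the check over (user, password, valid) login events and return the
    users whose correct password is a known-compromised one."""
    decisions = (evaluate_login(*e) for e in events)
    return sorted({d.user for d in decisions if d.action == "require_reset"})


if __name__ == "__main__":
    # Constructed sample login events for hypothetical users.
    sample = [("alice", "123456", True), ("bob", "qwerty", False),
              ("carol", "DEFAULT", True), ("dave", "7kP#v2!mQx", True)]
    print(users_needing_reset(sample))  # ['alice', 'carol']
```

Note that "bob" is not flagged: his attempt failed, so there is no valid account to protect, only a rejected login to count toward rate limiting or alerting elsewhere.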
Going "beyond" passwords seems to be the smart choice for the future. Users can leverage password managers, multi-factor authentication and authenticator applications until passwordless becomes a global staple.
DeCarlis concludes, "Enterprises need to consider continuous post-login authentication. It's time to look beyond the login to ensure that users are, in fact, who they say they are and are doing what they are supposed to be doing in their accounts."
"This comprehensive approach to account protection will pay off in the form of fewer chargebacks, reduced calls to customer service, less strain on IT resources, and protection of brand reputation and revenue."
Easy-to-use tools are often available at minimal or no cost through the criminal marketplace, and even unskilled script kiddies can easily crack weak passwords.
Simply adding a "special character" (such as @# or _) to a basic 10-character password makes it much more difficult to crack, thus making it much less likely that a person will be the victim of an attack, while criminals carry out attacks on more easily compromised accounts.
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that despite the industry's attempts to move beyond passwords as an authentication mechanism, the problem of credential compromise remains pressing and is becoming more serious over time.
"Criminals have an endless list of compromised credentials they can try, but what makes the problem worse are weak passwords, which means many accounts can be guessed in just a few seconds using automated tools," Morgan said.
Morgan added, "Over the past 18 months, we at Digital Shadows have alerted our customers to 6.7 million exposed credentials. This includes the usernames and passwords of their employees, customers, servers and IoT devices."