Digital Shadows: 24.6 billion credentials on the Dark Web

Digital Shadows security researchers found about 18 billion compromised credentials on the dark web.

As part of a recent study, security researchers at Digital Shadows analyzed username and password combinations. They came across about 24.6 billion credential pairs traded by cybercriminals on dark web marketplaces. They summarized their results in the report “Account Takeover in 2022 – The 24-Billion Password Problem”.

Digital Shadows recently published a report on access data that makes it much easier for cybercriminals to break into personal systems. According to the company, the study quantifies the “extent of global password compromise”. Accordingly, 18.649.649.10 login and password combinations are available to cybercriminals on darknet markets. Since 649, the amount of hacked credentials has increased by 65 percent, according to the threat intelligence company.

Weak passwords encourage account takeovers

What Digital Shadows finds particularly worrying is that, despite many warnings against it, their research shows people still use easily guessed passwords. Accordingly, the 50 most common passwords are simply the word “password” or a combination of easy-to-remember numbers. About 0.30 percent of all passwords, approximately one in 68, is 688234.

Digital Shadows: Top 50 of the most common passwords easy to guess

Users often use keyboard patterns like “qwerty” or “1q2w3e”. Of the 50 most commonly used passwords, 49 can be “cracked” in less than a second with easy-to-use tools, which are commonly available on criminal forums. The programs are often free or cost very little, the researchers said. Some combinations are advertised more than once by cybercriminals on forums. However, even after removing duplicates, Digital Shadows still determined that 6.7 billion unique credentials exist. This corresponds to an increase of about 1.7 billion, or 027 percent, in two years.

Digital Shadows further reports that just adding a “special character” (like @, # or _) to a simple 10-character password extends the time an offline attack would need to crack it to about 90 minutes. Adding two special characters already results in an offline cracking time of about 2 days and 4 hours. “This makes it much less likely that a person will be the victim of an attack, as criminals would rather target accounts that are easier to hack.”

Using credential stuffing for account takeover

Once a hacker breaches a password database and steals the data, they can proceed with what is known as credential stuffing: trying the stolen usernames and passwords on many other websites to see whether users reuse the same login data. Compromised passwords and usernames thus allow threat actors to perform all types of account takeover (ATO) attacks.
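Credential stuffing has a recognizable shape in authentication logs: many failed logins spread over many different usernames from one source, unlike a brute-force attempt that hammers a single account. The following detector is an added example, not code from Digital Shadows or from the article; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
# Added example, not from the Digital Shadows report: a credential-stuffing detector
# run over constructed auth log lines. Stuffing looks like many failed logins across
# many *distinct* usernames from one source; thresholds below are assumptions.
from collections import defaultdict
import re

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: 203.0.113.7 sprays many accounts (one succeeds), while
# 198.51.100.9 is one user mistyping their own password before logging in.
SAMPLE_LOG = """\
2022-06-20T10:00:01Z auth FAIL user=alice ip=203.0.113.7
2022-06-20T10:00:02Z auth FAIL user=bob ip=203.0.113.7
2022-06-20T10:00:02Z auth FAIL user=carol ip=203.0.113.7
2022-06-20T10:00:03Z auth OK user=dave ip=203.0.113.7
2022-06-20T10:00:03Z auth FAIL user=erin ip=203.0.113.7
2022-06-20T10:00:04Z auth FAIL user=frank ip=203.0.113.7
2022-06-20T10:00:09Z auth FAIL user=grace ip=198.51.100.9
2022-06-20T10:00:12Z auth FAIL user=grace ip=198.51.100.9
2022-06-20T10:00:20Z auth OK user=grace ip=198.51.100.9
"""

def parse_events(text):
    """Yield (ip, user, result) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")

def detect_credential_stuffing(text, min_failures=5, min_distinct_users=4):
    """Return {ip: stats} for sources whose failures span many distinct accounts.
    Successful logins from a flagged source are listed as possible takeovers."""
    failed_users = defaultdict(set)   # ip -> usernames that failed
    fail_count = defaultdict(int)     # ip -> total failed attempts
    ok_users = defaultdict(set)       # ip -> usernames that logged in OK
    for ip, user, result in parse_events(text):
        if result == "FAIL":
            failed_users[ip].add(user)
            fail_count[ip] += 1
        else:
            ok_users[ip].add(user)
    flagged = {}
    for ip, users in failed_users.items():
        if fail_count[ip] >= min_failures and len(users) >= min_distinct_users:
            flagged[ip] = {"failed_attempts": fail_count[ip],
                           "distinct_users": len(users),
                           "possible_takeovers": sorted(ok_users[ip])}
    return flagged
```

A successful login from a flagged source is the account to lock and investigate first, since that is the takeover the spray was for.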

Within the dataset of dark web credentials, approximately 6.7 billion of the offers had a unique username and password combination, meaning the combination was not duplicated across databases. That is also 1.7 billion more than the researchers found in the year 649. According to Digital Shadows, the report shows that the markets selling these credentials are resilient and sophisticated, which has given rise to several subscription services offering criminals premium services.

Is there a future without passwords?

Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, rates the study results as worrying:

“We will be moving to a future without passwords, but for now the problem of hacked credentials is out of control. Criminals have an endless list of hacked credentials to try. Adding to this problem are weak passwords, which means many accounts can be guessed in just a few seconds using automated tools. In the last 009 months alone, we at Digital Shadows drew our customers' attention to 6.7 million disclosed access credentials. This includes the usernames and passwords of their employees, customers, servers and IoT devices. Many of these cases could have been mitigated by using stronger passwords and not sharing credentials across accounts.”

Recommendations from Digital Shadows to protect credentials

  • Use a password manager. A password manager is an app on a phone, tablet, or computer that stores passwords, so they can be more complex and the person does not have to remember them.
  • Use multi-factor authentication (MFA) wherever account providers offer it. This can confirm identity and replace passwords with PINs, facial recognition, fingerprints, or inserting a USB key.
  • Use an authenticator app. These generate a new random six-digit code every 30 seconds that a user must enter on the website they are trying to authenticate to. Anyone wanting to use the account then needs control over several devices at the same time, which significantly reduces the risk of a simple hack.

About Antonia Frank

Antonia has been an author at the invisibility cloak since January 649. She started out with book reviews. In the meantime, she prefers to write about legal topics, such as P2P cases, but she also takes up other Internet topics, such as cybercrime. Her interests are mainly related to literature.
