"Issue is out of control": 24 billion passwords leaked on the dark web


65% more passwords are circulating on the dark web than in 2020. Users still choose basic passwords that can be cracked in mere seconds.

A recent Digital Shadows study showed that there are more than 24 billion username and password combinations in cybercriminal marketplaces.


"We will move to a 'passwordless' future, but for now, the issue of breached credentials is out of control," Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, said.

Moreover, people still use weak passwords – nearly one in every 200 passwords is '123456.' This means that cybercriminals can breach accounts with automated tools in seconds. Some of these tools cost as little as $50.

In the last 18 months, Digital Shadows alerted their clients about 6.7 million exposed credentials.


"This includes the username and passwords of their staff, customers, servers, and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts," Morgan said.

In addition to '123456' passwords, people commonly use keyboard combinations such as 'qwerty' or '1q2w3e.'

"Of the 50 most commonly used passwords, 49 can be 'cracked' in under one second via easy-to-use tools commonly available on criminal forums, which are often free of charge or at minimal cost," the company noted.


Adding a special character to a password, such as @ or #, prolongs the password cracking time by approximately 90 minutes. Adding two such symbols results in an offline cracking time of roughly two days and four hours.
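The two weaknesses the article keeps returning to, top-list passwords such as '123456' and keyboard walks such as 'qwerty' or '1q2w3e', and the keyspace effect of adding special characters, can all be checked at password-set time. The following screening function is an added example written for this page; it is not code from Digital Shadows or from the study. The common-password sample, the simplified US keyboard grid and the guess rate of ten billion guesses per second are all constructed assumptions, so the crack-time figures it prints are illustrative and will not match the study's 90-minute figure.

```python
import math
import string

# Constructed sample of frequently leaked passwords (illustrative, not the study's data).
# A real deployment would screen against a full breached-password corpus instead.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty", "1q2w3e", "111111",
}

# Simplified US keyboard grid: rows stacked so that vertical and diagonal
# neighbours are adjacent. This is an assumption for the example.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if every consecutive pair of characters sits on adjacent keys.

    Catches row walks ('qwerty', '123456') and column/zig-zag walks ('1q2w3e').
    """
    p = pw.lower()
    if len(p) < min_len or any(ch not in KEY_POS for ch in p):
        return False
    for a, b in zip(p, p[1:]):
        (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
        if a == b or abs(ra - rb) > 1 or abs(ca - cb) > 1:
            return False
    return True


def charset_size(pw: str) -> int:
    """Size of the alphabet an offline brute-force attacker would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in pw):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in pw):
        size += len(string.digits)
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols, including @ and #
    return size


def estimated_bits(pw: str) -> float:
    """Brute-force keyspace in bits: length * log2(alphabet size)."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def screen_password(pw: str, guesses_per_second: float = 1e10) -> dict:
    """Reject passwords that are common, keyboard walks, or have a small keyspace.

    guesses_per_second is an assumed offline cracking rate, not a measured one.
    """
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if is_keyboard_walk(pw):
        reasons.append("keyboard_walk")
    bits = estimated_bits(pw)
    if bits < 40:
        reasons.append("low_entropy")
    # Expected work is half the keyspace on average.
    expected_seconds = (2 ** bits) / 2 / guesses_per_second
    return {
        "accepted": not reasons,
        "reasons": reasons,
        "bits": round(bits, 1),
        "expected_crack_seconds": expected_seconds,
    }


if __name__ == "__main__":
    # Shows the keyspace jump from appending one, then two, special characters.
    for candidate in ["123456", "1q2w3e", "abcdef", "abcdef@", "abcdef@#", "correct-horse-9"]:
        print(candidate, screen_password(candidate))
```

Running the block shows that '123456' and '1q2w3e' are rejected for two reasons each, and that appending a single symbol to a six-letter password multiplies the keyspace by several thousand, which is the effect the study's cracking-time figures describe.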

Out of the 24 billion compromised credentials the company found on the dark web, approximately 6.7 billion had a unique username-and-password pairing, indicating that the credential combination was not duplicated across other databases.

Digital Shadows noted that the volume of account takeover attacks has been skyrocketing since the start of the pandemic. Organizations with insecure methods of authentication have become victims.

The risk of account takeover has become even more prevalent in recent months since the Lapsus$ Group came on the scene. A remote desktop protocol (RDP) account used by an Okta contractor was compromised, which led to fears that the authentication firm itself might be compromised too. As it later turned out, Lapsus$ exaggerated the scale of its access to Okta.

However, it is a perfect example of the harm compromised credentials can cause. Account takeover is a gateway to sophisticated social-engineering attacks.

"One type is business email compromise (BEC): an escalating threat that has brought significant gains to financially motivated cybercriminals; a recent report from the FBI indicated that the total global financial damage inflicted by BEC activity from 2016 to 2021 equated to $43 billion," Digital Shadows said.