Friday, May 9, 2025
HomeDark Web24.6 Billion Pairs of Credentials For Sale on The Dark Web

24.6 Billion Pairs of Credentials For Sale on The Dark Web

Published on

SIEM as a Service

Follow Us on Google News

As of this year, there are over 24.6 billion credential pairs are available or actively getting circulated on the dark marketplaces or dark web. However, it indicates that cybercrime has become a profitable business, one that has become extremely widespread.

At this point, it seems that one of the most hyped internet security categories is passwordless technology. Despite those initiatives, the reality is that passwords still remain firmly entrenched in the minds of many users.

As compared to the figures for the year 2020, the figures for last year showed an increase of 64%. In comparison to the two years prior to 2020, this represents a significant slowdown.

- Advertisement - Google News

Limitless compromised data

The number of credentials for sale flew up by over 300 percent in the year between 2018 and the year the pandemic started. 

It is estimated that 6.7 billion of the 24.6 billion credentials are unique, which represents that over the past two years there is an increase of 1.7 billion. The figure equates to a 34 percent increase over where we were in 2020.

Cybersecurity analysts at Digital Shadows have claimed that almost 75% of the passwords, that’s the majority of passwords, available online for sale are purely common and easy to guess; in short, there is no uniqueness.

It is very easy for a cybercriminal to choose a compromised credential and attempt to use it since they have a limitless list of hacked credentials.

Here the primary culprit is the “Weak Password,” in short, an attacker can easily guess the passwords with the help of automated tools and compromise multiple accounts at a time.

The 123456 password appears in almost every 200 passwords offered by criminals, which is why many of those credentials have been stolen and compromised.

Weak Spots Enabling The ATO Attacker

Here below we have mentioned all the weak spots that are enabling the Account Takeover (ATO) attacker:-

  • Ever-Expanding Digital Footprint
  • Authentication Blind Spot
  • Too Late Attempts At Account Protection

Lifecycle of an ATO Attack

Taking part in an ATO is much like engaging in any kind of cyberattack: It begins with a mistake or a misconfiguration that enables the threat actors to take full advantage of the situation.

It continues to be difficult to detect until it is too late, but it is eventually caught. In a typical lifecycle, ATO can thrive in many scenarios, but the four main stages are parts of a typical lifecycle. And here below we have listed them all:-

  • Identification
  • Acquisition
  • Verification
  • Exploitation

Among the companies that have already agreed to implement FIDO-based authentication are Apple, Google, as well as Microsoft.

The problem of stolen and manipulated credentials used for ATO remains a growing problem, and organizations cannot afford to ignore it.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Nomad Bridge Hacker Apprehended in Connection with $190 Million Heist

Alexander Gurevich, a 47-year-old dual Russian-Israeli citizen, was arrested last Thursday at Ben-Gurion Airport...

160-Year-Old Haulage Firm Falls After Cyber-Attack: Director Issues Urgent Warning

The 160-year-old haulage giant Knights of Old, once a stalwart of the UK’s logistics...

SonicWall Unveils New Firewalls and Comprehensive Managed Cybersecurity Service

SonicWall has unveiled a new line of advanced firewalls and a comprehensive managed cybersecurity...

China-Backed Hackers Target Exiled Uyghur Community with Malicious Software

Senior members of the World Uyghur Congress (WUC) living in exile were targeted with...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Selling SS7 0-Day Exploit on Dark Web for $5,000

A newly discovered dark web listing claims to sell a critical SS7 protocol exploit...

The Double-Edged Sword of AI in Cybersecurity: Threats, Defenses & the Dark Web Insights Report 2025

Check Point Research's latest AI Security Report 2025 reveals a rapidly evolving cybersecurity landscape...

Cybercriminals Selling Sophisticated HiddenMiner Malware on Dark Web Forums

Cybercriminals have begun openly marketing a powerful new variant of the HiddenMiner malware on...