The underground economy of stolen passwords

Daniel Kelley

Data breaches and cyberattacks have become an alarmingly common occurrence. Headlines about massive data leaks and the theft of sensitive personal information seem to grace the news on a weekly basis.

Just recently, a breach at Roku allegedly compromised more than 15,000 user accounts in a credential-stuffing attack. In a subsequent incident, Roku revealed that hackers had accessed roughly 576,000 additional accounts.

But how exactly does this data get stolen in the first place? And what happens to it once it falls into the hands of cybercriminals? Let's take a closer look.

How passwords and personal data get stolen

There are several common ways that cybercriminals pilfer passwords and personal information:

Stealers

Stealers are a type of malware specifically designed to harvest passwords, credit card numbers, crypto wallet keys, and other valuable data from infected computers. They often spread through phishing emails that trick users into downloading malicious attachments, or through compromised websites that secretly install the malware when visited. Once a stealer infects a system, it thoroughly scans the victim's browsers, files, and applications, searching for any sensitive information it can find. This data is then silently transmitted back to the attacker's servers, where it's collected and organized for sale on cybercrime forums and networks.

Malware

In addition to stealers, other types of malware like Trojans, spyware, and keyloggers can also be used to steal passwords and personal data. These malicious programs often masquerade as legitimate software, tricking users into installing them through fake updates or convincing social engineering schemes. Once on a system, this malware runs quietly in the background, recording every keystroke the victim types, taking periodic screenshots, and even siphoning off files and data as they're accessed. Over time, the attacker can amass a comprehensive profile of the victim's online activities and sensitive information, all without their knowledge.

Databases

Another common way data gets stolen is through unsecured databases and code repositories that are publicly exposed on the internet. Many companies inadvertently misconfigure their cloud storage or leave default access controls in place, allowing anyone who stumbles across the database to view and download its contents.

Attackers regularly scan the internet for these exposed assets, hoovering up any sensitive data they can find. In some cases, these unsecured databases contain huge troves of user passwords, personal details, and even financial information, ripe for the taking.

Open Buckets

The screenshot above shows a website that lets you explore and secure publicly exposed repositories. The platform provides an interface for identifying and managing publicly accessible storage buckets of the kind used by cloud services such as AWS S3, Google Cloud Storage, and Azure Blob Storage.

The underground economy of stolen data

So, what happens after passwords and personal information get stolen in a data breach? They quickly find their way onto the dark web and cybercrime forums, where a bustling underground economy exists for trading stolen data.

If you were to browse these illicit networks, you'd find entire sections dedicated to data leaks, where cybercriminals buy, sell, and share stolen passwords and personal records on an hourly basis.

Freshly hacked databases are often auctioned off to the highest bidder or sold for a set price per record, depending on the perceived value of the data. A database containing detailed financial information or complete identity profiles, for example, would fetch a much higher price than a simple list of email addresses and passwords.


Some enterprising cybercriminals will even give away stolen databases for free, using them as a sort of "loss leader" to build their reputation and notoriety on the forums. These "giveaway" sections are filled with posts from hackers looking to show off their skills and gain clout among their peers. To them, the prestige and street cred are worth more than any money they might have made selling the data.


But beyond individual leaks for sale, there are also massive compilations that aggregate leaked data from multiple breaches into convenient, searchable databases. Malicious actors could purchase credits to perform targeted queries, looking up specific individuals' information across all the breached data the service has collected. This could allow bad actors to build shockingly detailed profiles on potential targets, correlating data from dozens of different leaks to form a comprehensive dossier. Some examples of these database compilation services include*:

1. DeHashed

A notorious database compilation service that boasts over 14 billion records scraped from thousands of breaches. DeHashed offers a user-friendly search interface that could allow bad actors to quickly look up specific individuals and view all the stolen data associated with them, including passwords, addresses, phone numbers, and more.

2. Leaked.Domains

A newer player in the database compilation space, Leaked.Domains takes a slightly different approach by organizing its data around specific website breaches. Bad actors could search for a particular domain and see all the associated data that has been leaked from that site, making it easy to target users of specific services.

How stolen data compromises businesses

Now that we understand the lifecycle of stolen data, you may be wondering – how can a pile of hacked passwords and personal information actually be leveraged to compromise a company? Let's walk through a hypothetical example.

Suppose we're a hacker who wants to target a large Fortune 500 telecommunications company. The first thing we might do is search for related accounts across several database compilation services. After spending a few credits, we discover hundreds of thousands of hits: email addresses, passwords, and other personal data associated with their employees and users.


We could take all of this data and load it into a spreadsheet to analyze it for potential use in an attack. In many cases, the breached company may not even realize this sensitive information is out in the wild, giving us a significant advantage.


One obvious tactic would be to simply test out the exposed passwords and see if any of them allow us to log in to actual employee accounts. Humans are creatures of habit, and despite knowing better, many people reuse the same passwords across multiple services. All it takes is one employee doing this to give us a foothold in the company.
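From the defender's side, this tactic leaves a distinctive trace in authentication logs: one source address failing against many different accounts in a short window, which looks nothing like a single user mistyping a password. The following is an added example (not code from the original post) that parses constructed log lines, flags that pattern, and lists the accounts that did log in successfully from a flagged address, since those are the reused passwords that worked and need resetting. The log format and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines (not real data): timestamp, result, account, source IP.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL alice@corp.example 203.0.113.7
2024-05-01T10:00:02Z FAIL bob@corp.example 203.0.113.7
2024-05-01T10:00:02Z FAIL carol@corp.example 203.0.113.7
2024-05-01T10:00:03Z FAIL dave@corp.example 203.0.113.7
2024-05-01T10:00:04Z OK   erin@corp.example 203.0.113.7
2024-05-01T10:00:05Z FAIL frank@corp.example 203.0.113.7
2024-05-01T10:05:00Z FAIL alice@corp.example 198.51.100.9
2024-05-01T10:05:30Z FAIL alice@corp.example 198.51.100.9
2024-05-01T10:06:00Z OK   alice@corp.example 198.51.100.9
"""


def parse_log(text):
    """Turn each line into (timestamp, result, account, ip)."""
    events = []
    for line in text.splitlines():
        ts, result, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account, ip))
    return events


def detect_stuffing(events, window=timedelta(minutes=1), min_accounts=5):
    """Flag source IPs that fail logins against at least `min_accounts` *distinct*
    accounts inside `window`. Credential stuffing tries many accounts a few times
    each, the opposite of brute force (one account, many tries)."""
    failures_by_ip = defaultdict(list)
    for ts, result, account, ip in sorted(events):
        if result == "FAIL":
            failures_by_ip[ip].append((ts, account))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        # Slide a window over the time-ordered failures from this IP.
        for i, (start, _) in enumerate(fails):
            accounts = {acct for ts, acct in fails[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = accounts
                break
    return flagged


def accounts_to_reset(events, flagged):
    """Successful logins from a flagged IP are the accounts whose reused password worked."""
    return sorted({acct for _, result, acct, ip in events if result == "OK" and ip in flagged})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = detect_stuffing(events)
    for ip, accounts in flagged.items():
        print(f"{ip}: {len(accounts)} distinct accounts failed within one minute")
    print("accounts to reset:", accounts_to_reset(events, flagged))
```

The second address in the sample fails twice against one account and then succeeds, which is what a legitimate user looks like, so it is not flagged; the distinct-account count is what separates the two.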

But even if none of the passwords work, we still have a wealth of potentially useful information at our fingertips. Perhaps we see an employee's IP address or phone number in the breach data. We could search for that same information across all the other stolen databases, looking for any other accounts associated with those personal details.

For example, if we find the employee's home address tied to an account on a random forum, and that forum was also breached, we may now have access to another set of passwords to try against the employee's account. Or we could use the details we've gathered to craft a highly convincing phishing email or social engineering scheme, tricking the employee into giving us access directly.


Bit by bit, we can build profiles and dossiers on our targets within the company, potentially gaining footholds inside the business and expanding our access. From there, we could launch further attacks to compromise servers, steal source code, or plant malware throughout the company's network. And it all began with a collection of stolen passwords and personal data.

Preventing password reuse and protecting accounts

Once your password leaks onto the dark web, it's compromised forever. And with database compilation services, hackers can easily acquire huge amounts of personally identifiable information to target victims. The key to protecting yourself and your business is using strong, unique passwords for every single account.

But creating and remembering complex passwords for dozens of accounts can be a daunting task. That's where a password manager comes in. A password manager generates, stores, and automatically fills in strong passwords, making it easy for you to use unique, hard-to-crack credentials for every login.
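To make the "strong and unique" requirement concrete, here is an added example (not NordPass's code or settings) showing the two jobs a password manager does for you: drawing passwords from a cryptographically secure source, and auditing a vault for the same password appearing on more than one site. The character set, the 12-character minimum and the sample vault are assumptions constructed for the example.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set the generator draws from (constructed; not a real product's setting).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG via `secrets`; `random` is not suitable."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Only meaningful for generated passwords, not human-chosen ones."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: "list[tuple[str, str]]") -> "dict[str, list[str]]":
    """Group vault entries by password; any password used on more than one site is reuse."""
    sites_by_password = defaultdict(list)
    for site, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def rotate_reused(vault: "list[tuple[str, str]]") -> "list[tuple[str, str]]":
    """Replace every reused password with a freshly generated one, distinct per site."""
    reused = find_reused_passwords(vault)
    return [
        (site, generate_password() if password in reused else password)
        for site, password in vault
    ]


# Constructed sample vault: one password shared across three sites, one unique.
SAMPLE_VAULT = [
    ("corp-mail.example", "Summer2023!"),
    ("random-forum.example", "Summer2023!"),
    ("bank.example", "Summer2023!"),
    ("shop.example", "k8$Qz!vL2#pW9rTx"),
]

if __name__ == "__main__":
    for password, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"{password!r} is reused on: {', '.join(sites)}")
    print(f"a 20-character generated password carries about {entropy_bits(20, len(ALPHABET)):.0f} bits")
    print("reuse after rotation:", find_reused_passwords(rotate_reused(SAMPLE_VAULT)))
```

The reuse audit is the part worth copying: a single leaked forum password in the sample vault would have opened the corporate mailbox and the bank account as well, and after rotation no two sites share a secret.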

One of the best password managers on the market is NordPass, created by the trusted team behind NordVPN. NordPass offers a range of features that make it the ideal choice for securing your accounts, like strong password generation, secure encryption, and an easy autofill feature.


By using a password manager like this, you can ensure that every one of your accounts is protected by a strong, unique password. Even if one of your passwords gets leaked in a data breach, the rest of your accounts will remain secure.

NordPass also monitors leaked databases and alerts you if any of your data is detected. This breach monitoring feature is an integral part of the Data Breach Scanner, designed to proactively monitor the email addresses and credit card details stored in your NordPass account. The app issues precise notifications when any of your saved items appear in a data breach.
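A breach-monitoring check has to answer "does this secret appear in the leaked data?" without handing the secret itself to the service. The following added example (not a description of how NordPass implements its scanner, which the post does not detail) shows one well-known design for that: the client hashes the value, sends only the first five hex characters of the hash, and compares the returned suffixes locally, so the service never learns which credential was queried. The leaked corpus and the prefix length are assumptions constructed for the example.

```python
import hashlib

PREFIX_LEN = 5  # hex characters that leave the client; an assumption for this example

# Constructed stand-in for a monitoring service's leaked-credential corpus.
LEAKED_CORPUS = {"password", "Summer2023!", "letmein", "qwerty123"}


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1; the index is keyed on this hash, not on the plaintext."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_index(corpus):
    """Service side: bucket every leaked hash by its first PREFIX_LEN characters."""
    index = {}
    for secret in corpus:
        digest = sha1_hex(secret)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Service side: return every suffix under the prefix. The service only ever sees
    the short prefix, so it cannot tell which credential the client is checking."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("client must send exactly the hash prefix")
    return index.get(prefix, [])


def client_request(secret: str):
    """Client side: split the hash; only `prefix` is transmitted, `suffix` stays local."""
    digest = sha1_hex(secret)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def is_leaked(secret: str, index) -> bool:
    """Client side: compare the locally kept suffix against what the service returned."""
    prefix, suffix = client_request(secret)
    return suffix in range_query(index, prefix)


if __name__ == "__main__":
    index = build_index(LEAKED_CORPUS)
    for candidate in ("Summer2023!", "correct horse battery staple"):
        print(f"{candidate!r}: {'LEAKED' if is_leaked(candidate, index) else 'not found'}")
```

With a real corpus of billions of hashes, every five-character prefix matches hundreds of entries, which is what gives the querying client its anonymity; the toy corpus here is only large enough to show the mechanics.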

A final tip for identifying potential data leaks is to use unique email aliases when signing up for online services. By appending a "+service" tag to your email address (e.g., [email protected]), you can create a different identifier for each account. If that specific alias starts receiving spam or shows up in a breach database, you'll know exactly which service was compromised.

Keep in mind that not all websites allow these aliased email addresses, and a savvy attacker could still identify the core email by removing the "+service" portion. But it remains a useful trick for tracking which of your accounts may have leaked data.
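The alias trick and its caveat both come down to string handling, so here is an added example (not code from the original post) that builds plus-addressed aliases, attributes constructed breach records back to the service each alias was registered with, and, by exposing the same normalisation step, shows how trivially an attacker collapses every alias back to the real inbox. The addresses and breach-dump names are constructed for the example.

```python
from __future__ import annotations

import re


def make_alias(mailbox: str, service: str) -> str:
    """Build a plus-addressed alias such as alice+randomforum@example.com."""
    local, domain = mailbox.rsplit("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    return f"{local}+{tag}@{domain}"


def split_alias(address: str) -> tuple[str, str | None]:
    """Return (base mailbox, tag). This is exactly the normalisation an attacker can
    apply to strip the '+service' part, which is the caveat described above."""
    local, domain = address.lower().rsplit("@", 1)
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", tag or None


def attribute_leaks(breach_records: list[tuple[str, str]], mailbox: str) -> dict[str, list[str]]:
    """For each of my aliases found in breach data, list the dumps it appeared in.
    The tag tells you which service leaked the address."""
    base_mailbox = mailbox.lower()
    hits: dict[str, list[str]] = {}
    for address, source in breach_records:
        base, tag = split_alias(address)
        if base == base_mailbox:
            hits.setdefault(tag or "(untagged)", []).append(source)
    return hits


# Constructed breach records: (address as it appears in a dump, name of the dump).
SAMPLE_RECORDS = [
    ("alice+randomforum@example.com", "forum-dump-2023"),
    ("alice+shop@example.com", "shop-dump-2024"),
    ("Alice+RandomForum@Example.com", "combo-list-a"),
    ("bob+shop@example.com", "shop-dump-2024"),
]

if __name__ == "__main__":
    for tag, sources in attribute_leaks(SAMPLE_RECORDS, "alice@example.com").items():
        print(f"alias tagged {tag!r} leaked via: {', '.join(sources)}")
    # The attacker's view: every alias folds back to one inbox.
    print({split_alias(addr)[0] for addr, _ in SAMPLE_RECORDS})
```

The attribution only works if the tag is present in the dump, so it tells you which service to blame but gives no protection against someone who normalises addresses first; treat it as a tracing aid, not an anti-spam measure.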

As a business owner, you can mandate the use of a password manager. For a complimentary 3-month trial of NordPass Business, click here to get started today. Use the code “danielk” – no credit card is required.


*Examples are provided for informational and educational purposes only. NordPass does not endorse, promote, or support their use and has no affiliation with them. Readers are strongly advised to comply with all applicable laws and regulations. All trademarks mentioned are the property of their respective owners.
