Millions Of Stolen Passwords For Sale To Hackers For Just $81
by Davey Winder · Forbes

If you thought the sheer number of stolen passwords published on dark web criminal marketplaces was shocking (and with 19 billion the figure in question, that's understandable), wait until you find out how little it costs cybercriminals to access them and carry out potentially significant money-making attacks.
The Low Cost To Criminals Of High-Value Stolen Passwords
There are many ways that passwords can be compromised, some more convoluted than others. The risk from a Microsoft Copilot for SharePoint password access exploit ranks pretty low; phishing attacks, even highly targeted ones against Gmail accounts, rank rather higher. The biggest stolen-password risk, though, is posed by infostealer malware such as Lumma Stealer, whose harvested credentials are then packaged into so-called combo lists.
It is these lists, or more specifically, the infostealer logs that are used to compile them, that have become something of a valuable currency in the shady world of the cybercrime actors who inhabit the dark web and various other dodgy forums and marketplaces. Vakaris Noreika, a cybersecurity expert at threat exposure platform NordStellar, has revealed that a cyberattack employing stolen passwords can cost remarkably little: how does $81 a week grab you?
With IBM having reported that the average cost of a data breach to organisations in 2024 was a staggering $4.88 million, it seems almost ludicrous that cybercriminals can do so much damage to a business for such a small investment. But here we are.
Infostealers don’t just steal passwords; they will look for any useful data they can grab, including two-factor authentication session cookies that enable 2FA bypass attacks, and credit card information. “Usually, their attacks are random, but in some instances, cybercriminals can also use infostealers for targeted strikes,” Noreika said. Whatever the case, one fact remains inescapable: infostealer logs are sold pretty much anywhere you will find cybercriminals. That means the dark web, of course, but also Telegram channels. “Dark web users can purchase stealer logs by subscribing to a private channel,” Noreika explained, adding that a weekly subscription to infostealer log updates averages out at $81, or you can get a monthly deal for $200.
There are as many mitigations for the infostealer threat as there are criminals out there collecting and using stolen passwords, but my personal favourite is as simple as it is effective: stop using passwords. I know that sounds like silly advice, but nonetheless, I’m offering it. Don’t use passwords; switch to passkeys wherever they are available and stop the infostealer threat dead in its tracks. You’re welcome.