The Market for Stolen Account Credentials
Past stories here have explored the myriad criminal uses of
a hacked computer, the various ways that your inbox can be
spliced and diced to help cybercrooks ply their trade, and
the value of a hacked company. Today's post looks at the
price of stolen credentials for just about any e-commerce,
bank site or popular online service, and provides a glimpse
into the fortunes that an enterprising credential thief can
earn selling these accounts on consignment.
Not long ago in Internet time, your typical cybercriminal
looking for access to a specific password-protected Web site
would most likely visit an underground forum and ping one of
several miscreants who routinely leased access to their "bot
These bot log sellers were essentially criminals who ran
large botnets (collections of hacked PCs) powered by malware
that can snarf any passwords stored in the victim's Web
browser or credentials submitted into a Web-based login
form. For a few dollars in virtual currency, a ne'er-do-well
could buy access to these logs, or else he and the botmaster
would agree in advance upon a price for any specific account
credentials sought by the buyer.
Back then, most of the stolen credentials that a botmaster
might have in his possession typically went unused or unsold
(aside from the occasional bank login that led to a juicy
high-value account). Indeed, these plentiful commodities
held by the botmaster for the most part were simply not a
super profitable line of business and so went largely
wasted, like bits of digital detritus left on the cutting
But oh, how times have changed! With dozens of sites in the
underground now competing to purchase and resell credentials
for a variety of online locations, it has never been easier
for a botmaster to earn a handsome living solely from the
sale of stolen usernames and passwords.
If the old adage about a picture being worth a thousand
words is true, the one directly below is priceless because
it illustrates just how profitable the credential resale
business has become.
This screen shot shows the earnings panel of a crook who
sells stolen credentials for hundreds of Web sites to a dark
web service that resells them. This botmaster only gets paid
when someone buys one of his credentials. So far this year,
customers of this service have purchased more than 35,000
credentials he's sold to this service, earning him more than
$288,000 in just a few months.
The image shown above is the wholesaler division of
"Carder's Paradise," a bustling dark web service that sells
credentials for hundreds of popular Web destinations. The
screen shot above is an earnings panel akin to what you
would see if you were a seller of stolen credentials to this
service -- hence the designation "Seller's Paradise" in the
upper left hand corner of the screen shot.
This screen shot was taken from the logged-in account
belonging to one of the more successful vendors at Carder's
Paradise. We can see that in just the first seven months of
2017, this botmaster sold approximately 35,000 credential
pairs via the Carder's Paradise market, earning him more
than $288,000. That's an average of $8.19 for each
credential sold through the service.
Bear in mind that this botmaster only makes money based on
consignment: Regardless of how much he uploads to Seller's
Paradise, he doesn't get paid for any of it unless a
Carder's Paradise customer chooses to buy what he's
Fortunately for this guy, almost 9,000 different customers
of Carder's Paradise chose to purchase one or more of his
username and password pairs. It was not possible to tell
from this seller's account how many credential pairs total
that he has contributed to this service which went unsold,
but it's a safe bet that it was far more than 35,000.
[A side note is in order here because there is some
delicious irony in the backstory behind the screenshot
above: The only reason a source of mine was able to share it
with me was because this particular seller re-used the same
email address and password across multiple unrelated
Based on the prices advertised at Carder's Paradise (again,
Carder's Paradise is the retail/customer side of Seller's
Paradise) we can see that the service on average pays its
suppliers about half what it charges customers for each
credential. The average price of a credential for more than
200 different e-commerce and banking sites sold through this
service is approximately $15.
Part of the price list for credentials sold at this dark web
ID theft site.
Indeed, fifteen bucks is exactly what it costs to buy stolen
logins for airbnb.com, comcast.com, creditkarma.com,
logmein.com and uber.com. A credential pair from AT&T
Wireless -- combined with access to the victim's email inbox
-- sells for $30.
The most expensive credentials for sale via this service are
those for the electronics store frys.com ($190). I'm not
sure why these credentials are so much more expensive than
the rest, but it may be because thieves have figured out a
reliable and very profitable way to convert stolen frys.com
customer credentials into cash.
Usernames and passwords to active accounts at military
personnel-only credit union NavyFederal.com fetch $60
apiece, while credentials to various legal and data
aggregation services from Thomson Reuters properties command
a $50 price tag.
The full price list of credentials for sale by this dark web
service is available in this PDF. For CSV format, see this
link. Both lists are sorted alphabetically by Web site
This service doesn't just sell credentials: It also peddles
entire identities -- indexed and priced according to the
unwitting victim's FICO score. An identity with a perfect
credit score (850) can demand as much as $150.
Stolen identities with high credit scores fetch higher
And of course this service also offers the ability to pull
full credit reports on virtually any American -- from all
three major credit bureaus -- for just $35 per bureau.
It costs $35 through this service to pull someone's credit
file from the three major credit bureaus.
Plenty of people began freaking out earlier this year after
a breach at big-three credit bureau Equifax jeopardized the
Social Security Numbers, dates of birth and other sensitive
data on more than 145 million Americans. But as I have been
trying to tell readers for many years, this data is broadly
available for sale in the cybercrime underground on a
significant portion of the American populace.
If the threat of identity theft has you spooked, place a
freeze on your credit file and on the file of your spouse
(you may even be able to do this for your kids). Credit
monitoring is useful for letting you know when someone has
stolen your identity, but these services can't be counted on
to stop an ID thief from opening new lines of credit in your
They are, however, useful for helping to clean up identity
theft after-the-fact. This story is already too long to go
into the pros and cons of credit monitoring vs. freezes, so
I'll instead point to a recent primer on the topic and urge
readers to check it out.
Finally, it's a super bad idea to re-use passwords across
multiple sites. KrebsOnSecurity this year has written about
multiple, competing services that sell or sold access to
billions of usernames and passwords exposed in high profile
data breaches at places like Linkedin, Dropbox and Myspace.
Crooks pay for access to these stolen credential services
because they know that a decent percentage of Internet users
recycle the same password at multiple sites.
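The two checks a password manager (or a site's signup form) can run against exactly this problem are shown below as an added example; it is not code from the original post or from any service named in it. The first check groups vault entries that share a password, which is the reuse the crooks are betting on. The second checks a password against a breach corpus without sending the password anywhere, using the k-anonymity range-lookup scheme popularised by Troy Hunt's Pwned Passwords service: only the first five hex characters of the SHA-1 hash leave the machine, and the caller compares the returned suffixes locally. The range data here is a constructed in-memory stand-in for the network call (the suffix for "password" is its real SHA-1; the counts and the other suffixes are made up), so the block runs offline.

```python
import hashlib

# Constructed stand-in for a k-anonymity range lookup: maps a 5-hex-char
# SHA-1 prefix to the text such an endpoint returns, one "SUFFIX:COUNT"
# per line. The counts and the two neighbouring suffixes are invented;
# the middle suffix is the genuine remainder of sha1("password").
SAMPLE_RANGES = {
    "5BAA6": (
        "00A3F1D5A0C8B7E6F5D4C3B2A1908070605:12\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "FFEE9A8B7C6D5E4F3A2B1C0D9E8F7A6B5C4:1\n"
    ),
}


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1.

    Only the prefix is ever sent to the lookup service; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict; blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, lookup=SAMPLE_RANGES.get) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).

    `lookup` takes a hash prefix and returns the range text, or None when the
    prefix is unknown; the default reads the constructed sample instead of
    performing an HTTP request.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(lookup(prefix) or "").get(suffix, 0)


def find_reused(vault: dict[str, str]) -> list[list[str]]:
    """Group vault entries (site -> password) that share a password.

    Each inner list holds the sites that use one common password, so a
    non-empty result means the user is exposed to credential recycling.
    """
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed vault: two sites share a weak, breached password.
    vault = {"airbnb.com": "password", "uber.com": "password", "bank.example": "k3!Qz-long-unique"}
    for group in find_reused(vault):
        print("same password reused at:", ", ".join(group))
    for site, pw in vault.items():
        seen = breach_count(pw)
        print(f"{site}: {'seen ' + str(seen) + ' times in breaches' if seen else 'not in corpus'}")
```

In a real deployment `lookup` would issue the range request over HTTPS; because the prefix covers hundreds of hashes, the service cannot tell which one the caller holds, which is why the check is safe to run on every signup or password change.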
One alternative to creating and remembering strong, lengthy
and complex passwords for every important site you deal with
is to outsource this headache to a password manager. If the
online account in question allows 2-factor authentication
(2FA), be sure to take advantage of that.
Two-factor authentication makes it much harder for password
thieves (or their customers) to hack into your account just
by stealing or buying your password: If you have 2FA
enabled, they also would need to hack that second factor
(usually your mobile device) before being able to access
your account. For a list of sites that support 2FA, check