Report: Billions of financial accounts at risk from stolen passwords

Latest research shows rise in the trade of usernames and passwords as criminals get more adept at stealing information

Steve Randall

The importance of strong cybersecurity for financial advisors and their clients has never been higher.

The current challenges for global economies, coupled with increasingly advanced tools, mean that criminals are intensifying their online activities, putting firms and individuals at increased risk.

A new report calculates that some 15 billion usernames and passwords are currently in circulation on cybercriminal marketplaces, including those for financial and social media accounts.

Research from digital risk protection firm Digital Shadows reveals that the number of stolen and exposed credentials has risen 300% since 2018, the result of more than 100,000 separate breaches.

“The sheer number of credentials available is staggering and in just over the past 1.5 years, we've identified and alerted our customers to some 27 million credentials – which could directly affect them,” said Rick Holland, CISO and VP of Strategy at Digital Shadows.

If you think that someone hacking into your personal Twitter account would have little impact, think again: Holland added that some of these exposed accounts hold (or have access to) incredibly sensitive information, and a breached account can expose details that are then used to compromise other accounts.

“The message is simple – consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised,” he said.

Riskiest usernames
The analysis of stolen login credentials reveals that usernames containing "invoice" or "invoices" were by far the most commonly advertised on criminal marketplaces, comprising 66% of the 2 million usernames assessed. "Partners" and "payments" came in a distant second and third place, with 10% each.

There is also a strong trade in login details for domain admin accounts. Imagine the risk to your business if someone gained control of your website, email, and essential online services.

The report found that account takeover has never been easier (or cheaper) for cybercriminals, with brute-force tools and account checkers available for an average of $4. These tools require little technical experience, lowering the bar for criminals even further.

Despite many users having adopted two-factor authentication, Digital Shadows found frequent discussions on cybercriminal forums about how to bypass these security measures, especially those relying on SMS messages to users’ phones.

Although cybercriminals are often indiscriminate, there is a premium for access to the most lucrative accounts.

While many credentials are available on cybercriminal marketplaces without charge, the average account trades for $15.43, rising to $70.91 for bank and financial accounts and upwards of $500 for better ‘quality’ accounts.

Best cybersecurity practice
Digital Shadows has several key recommendations:

  • Monitor for leaked credentials of your employees. HaveIBeenPwned can be a useful starting point for alerting you to breaches that include your organization's email domain.

  • Monitor for mentions of your company and brand names across cracking forums. Use Google Alerts for this. Configuration files for your website that are being actively shared and downloaded are a good indication of impending attempts at account takeover.

  • Don't forget other sources. Code repositories can be rich with secrets and hard-coded passwords.

  • Monitor for leaked credentials of your customers, allowing you to take a more proactive response. Consider alerting your customers that their email has been involved in a breach, prompting them to reset their password if they have reused credentials.

  • Deploy an online Web Application Firewall. Commercial and open source web application firewalls, like ModSecurity, can be used to identify and block credential stuffing attacks.

  • Increase user awareness. Educate your staff and consumers about the dangers of using corporate email addresses for personal accounts, as well as reusing passwords.

  • Gain an awareness of credential stuffing tools. Keep an eye on the development of credential stuffing tools, and monitor how your security solutions can protect against evolving capabilities. Some credential stuffing tools are able to bypass some CAPTCHAs, for example.

  • Some element of 2FA is always better than none, but try to phase out multi-factor authentication using SMS. This can help to reduce account takeovers, but make sure it is balanced against the friction (and cost) it can cause.
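The credential stuffing pattern that the web application firewall and tooling recommendations above aim to catch is easy to distinguish from ordinary brute force in login logs: stuffing replays leaked email/password pairs, so one source hits many different usernames with one or two tries each. The detector below is an added example, not code from the report or from Digital Shadows; the log format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login audit lines (illustrative, not from the report).
# Assumed format: "<ISO timestamp> <client IP> <username> <FAIL|OK>".
SAMPLE_LOG = """\
2020-07-08T10:00:01 203.0.113.7 alice FAIL
2020-07-08T10:00:02 203.0.113.7 bob FAIL
2020-07-08T10:00:02 203.0.113.7 carol FAIL
2020-07-08T10:00:03 203.0.113.7 dave FAIL
2020-07-08T10:00:03 203.0.113.7 erin FAIL
2020-07-08T10:00:04 203.0.113.7 frank OK
2020-07-08T10:00:10 198.51.100.4 alice FAIL
2020-07-08T10:01:20 198.51.100.4 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_log(text):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs whose failed logins hit at least `min_users` distinct
    usernames inside one sliding `window` (many users, few tries each).
    A single user retried many times is brute force or typos, not stuffing.
    Returns {ip: {"attempted": set, "succeeded": set}}; "succeeded" lists
    accounts that logged in from a flagged source: likely password-reuse
    victims, and the first candidates for a forced reset."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, ip, user, result in parse_log(text):
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            oks[ip].add(user)
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()  # by timestamp, so the window can slide forward
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = {"attempted": users, "succeeded": oks[ip]}
                break
    return flagged
```

On the sample, 203.0.113.7 is flagged (five usernames in three seconds, then a successful login as frank), while 198.51.100.4 is not, since it only retried a single account.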