Over 24 billion usernames and passwords are up for grabs on cyber criminal marketplaces and the amount of breached credentials is still rising as hackers take advantage of weak and re-used passwords.
Analysis by cybersecurity researchers at Digital Shadows found that there’s been a 65% increase in usernames and passwords sold, traded or dumped in cyber criminal forums and underground marketplaces.
Of the usernames and passwords available across hundreds of underground marketplaces, 6.7 billion were unique – up by a third when compared with previous analysis in 2020 – indicating that many usernames and passwords are being accessed and stolen multiple times, likely without the victim even being aware.
One reason for this is that many accounts use common or weak passwords, making them easy for cyber criminals to take over simply by guessing.
The paper says the most commonly leaked password, found over 30 million times and accounting for 0.46% of all unique passwords – or nearly one in twenty of the total – is ‘123456’ – one of the simplest passwords around. There were also millions of instances of other simple passwords, including over 17 million cases of ‘123456789’, over 10 million passwords which are ‘qwerty’, 10 million which are ‘12345’ and almost 9 million which are simply ‘password’.
The ten most common passwords found in the data include
According to the Digital Shadows report, of the 50 most commonly used passwords, 49 can be cracked in under one second with easy-to-use tools that are widely available on criminal forums, often free or sold for small sums. That means that if someone is using one of these passwords and hasn't yet been hacked, it won't be hard for cyber criminals to do so.
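The server-side counterpart of this finding is to screen newly chosen passwords against a breach-derived blocklist so that instantly crackable choices never reach production. The following is an added example, not code from the report or from ZDNet: it rejects the most common leaked passwords named in the article (and trivial variants of them, which is an assumption about how users typically "strengthen" weak passwords) and generates a manager-style replacement; the minimum length and the leetspeak table are assumptions.

```python
import re
import secrets
import string

# Constructed sample of the most common leaked passwords named in the article.
# A real deployment would load the full breach-derived blocklist from disk.
COMMON_LEAKED = {"123456", "123456789", "qwerty", "12345", "password"}

# Undo common leetspeak substitutions before comparison (assumption: a usual
# normalisation step, not something the report itself describes).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _variants(pw):
    """Yield normalised forms of pw that a blocklist lookup should also catch."""
    base = pw.lower()
    yield base
    yield re.sub(r"[^a-z0-9]", "", base)           # drop separators/symbols
    core = re.sub(r"[0-9!@#$%^&*._-]+$", "", base)  # "password1!" -> "password"
    if core:
        yield core
        yield core.translate(_LEET)                 # "p@ssw0rd" -> "password"
    yield base.translate(_LEET)


def is_blocked(pw, blocklist=COMMON_LEAKED):
    """True if the password, or a trivial variant of it, is on the blocklist."""
    return any(v in blocklist for v in _variants(pw))


def check_password(pw, min_length=12):
    """Return the reasons a password should be rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_blocked(pw):
        reasons.append("matches a commonly leaked password or a trivial variant of one")
    return reasons


def generate_password(length=20):
    """Random password of the kind a password manager produces, re-drawn until it passes the screen."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate
```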
“The top 50 is a mix of what you’d expect: almost all are incredibly weak, easily guessable, and related to something the user could easily remember,” the researchers said.
“We saw strings of easily remembered numbers, like 123456…and it’s painful to admit that was the most common password. That password actually represented 0.46 percent of our total number of the 6.7 billion unique credentials.” They noted that although probably a big portion of these top passwords were used for mundane accounts, like a TV or smart thermostat, they’re also likely to be in wide use across more-sensitive accounts.
One of the most common forms of cybersecurity advice is that users should use strong, unique passwords, but with so many common and weak passwords posted on underground marketplaces, it appears that the message isn’t getting through. So why is this?
Passwords are complicated, and remembering those complex trains of letters and numbers is something we find hard. "We are not programmed that way – our brains don't work that way – so it is a hard and complex task for us," Stefano Di Blasi, cyber threat intelligence analyst at Digital Shadows, told ZDNet.
The sheer number of accounts is also a problem, as we're told it's good cybersecurity hygiene to use a different password for each of them. But it's difficult to remember many different passwords, so many people choose convenience over security – and reuse the same passwords again and again.
“Cybersecurity should be important for everyone, but not everyone is concerned,” said Di Blasi.
An individual getting their account breached is damaging enough, but if the account is one that’s used on a corporate network – or their corporate password is the same as a personal account that gets breached – that can leave whole businesses vulnerable to cyber attacks.
Not only could cyber criminals gain access to networks in order to steal more usernames and passwords, they could steal sensitive information, financial details, or use access to networks to plant malware or ransomware.
Remembering passwords is difficult, but using a unique password for each account can go a long way towards helping to stay safe online. One of the simplest ways to do this is to use a password manager, which can generate and store complex passwords for you.
"Using password managers is the first step. They're super easy to set up. It takes really a second to have them generate a secure password and use that," said Di Blasi.
But even if you do have strong passwords, the account isn't immune to being breached – the credentials could be stolen in a phishing attack, taken in a cyber attack against a corporate network, or simply leaked by accident.
It’s therefore important to set up multi-factor authentication (MFA) on any accounts which allow it, providing an extra barrier against attacks trying to exploit exposed passwords.
And in the event of a password being exposed or stolen, it’s important to change the password as soon as possible to stop cyber criminals from having access to it.