Login credentials and other personal information linked to more than a million Gmail and Yahoo accounts are reportedly being offered for sale in a dark web marketplace.
The dark web, like the deep web, is not indexed by search engines such as Google, but typically requires specific software, configurations or authorisation to access it.
Dark web marketplaces typically trade in illegal goods and services, and have become a popular means of trading user data stolen from large companies offering online services.
A seller using the handle “SunTzu583” is reportedly selling 100,000 Yahoo accounts, from the 2012 Last.fm data breach in which 43 million accounts were compromised, for 0.0079 bitcoins ($10.75).
Another 145,000 Yahoo accounts from the 2013 Adobe breach of 153 million accounts and the 2008 MySpace compromise of 360 million accounts are on offer for 0.0102 bitcoins ($13.75), according to a report by HackRead.
SunTzu583 is also reportedly selling 500,000 Gmail accounts for 0.0219 bitcoins ($28.24). The accounts allegedly come from the 2008 MySpace hack, the 2013 Tumblr breach and the 2014 Bitcoin Security Forum breach.
Another 450,000 Gmail accounts were also listed for sale for 0.0199 bitcoins ($25.74), drawn from other data breaches that took place between 2010 and 2016, including the Dropbox and Adobe breaches.
The data on sale by SunTzu583 has reportedly been checked by matching it to data on data breach notification platforms, including HaveIBeenPwned.
Stolen credentials are one of the biggest threats to enterprise security, according to penetration testers, because many people still use the same password for work systems and personal online accounts.
Using automation tools, attackers are able to try email address, username and password combinations against corporate IT systems. Any match enables them to log in to corporate networks as an authorised user and to look for data assets undetected by most security controls.
Many businesses are still failing to implement two-factor authentication and to require password changes, despite the fact that this would eliminate one of the biggest security risks.
According to a June 2016 report by mobile identity firm TeleSign, 73% of online accounts are guarded by duplicate passwords and 54% of consumers use five or fewer passwords for all their online accounts. The report also said 47% of online account holders rely on a password that has not been changed for five years.
Security advisors recommend the use of a password manager to generate, store and regularly change strong, unique passwords for all accounts. … …
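A complement to unique passwords is checking whether a password already appears in the breach corpora that notification platforms such as HaveIBeenPwned aggregate, without ever sending the password itself. The code below is an added example, not code from the article or from HaveIBeenPwned: it implements the range-query (k-anonymity) scheme, in which only the first five hex characters of the password's SHA-1 hash are sent and the caller matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` list. The offline `constructed_range_fetch` and its hit counts are fabricated stand-ins for the live service so the example runs without network access; `fetch_range_live` shows the HTTP call shape but is not exercised.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range query works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-char prefix ever leaves the machine."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Match our 35-char suffix against 'SUFFIX:COUNT' lines; 0 means not found."""
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        cand, count = line.strip().split(":", 1)
        if cand.upper() == suffix:
            return int(count)
    return 0


def is_password_breached(password: str, fetch_range) -> int:
    """Number of times the password was seen in breaches (0 if never).
    `fetch_range(prefix)` must return the response body for that prefix."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def constructed_range_fetch(prefix: str) -> str:
    """Offline stand-in for the range endpoint. The hashes are real SHA-1s of two
    well-known weak passwords; the counts are constructed, not real breach figures."""
    known = {sha1_hex("password"): 3861493, sha1_hex("letmein"): 256000}
    lines = [f"{h[5:]}:{c}" for h, c in known.items() if h[:5] == prefix]
    lines.append("0" * 34 + "F:1")  # constructed filler entry
    return "\r\n".join(lines)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against https://api.pwnedpasswords.com/range/<prefix>.
    Not called here; shown only so the offline stand-in has a clear counterpart."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-checker"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "letmein"):
        print(pw, "->", is_password_breached(pw, constructed_range_fetch))
```

The check is a gate at enrolment and password-change time, not a substitute for two-factor authentication: a password can be unique and still weak, and a breached one that is also reused on a corporate system is exactly what the credential-stuffing attacks above exploit.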