Are your credentials already in cyber criminals’ hands?

Article content

It’s common for every digital service today to ask you to log in with a password and an email address. Social media, streaming services, favourite news sites and work accounts all require credentials to protect user data.

One recent study[1] found the average person has between 70 and 80 accounts requiring passwords. The proliferation of passwords is not as comforting as it might appear to be. With so many to remember, it’s no surprise that people are tempted to reuse, rotate or use variations of a few passwords. But if individuals repeatedly use the same email and password combination when accessing third party services, and these services are then breached, the individuals and their organisations face an increased cyber security risk.

In recent years, cyber criminals have been moving from ‘spray and pray’ tactics to target individuals and specific industries. Digital footprints and social media presences help criminals identify individual employees or departments working within target companies. Mining an individual’s digital information is also used to gain access to password-protected accounts and discover credentials to further criminal activities.

15 billion credentials are already available for cyber criminals

The number of stolen usernames and passwords in circulation has increased by 300% since 2018. Research from Digital Shadows found there are now more than 15 billion available to cybercriminals[2]. These credentials have become commodities to be traded, or even given away, on the dark web by criminal syndicates.

For syndicates, selling compromised accounts is easier and can be more lucrative than ‘spray and pray’ attacks. The average price for the commercially traded logins was US$15.43, while credentials such as active bank account logins commanded a premium. Digital Shadows saw some banking account credentials sold for as much as US$500 depending on the funds available and the freshness of the credential theft itself.

Domain administrator accounts are among the most valuable to cyber criminals because they offer access to internal business networks. Such accounts are usually sold by auction with an average price of US$3,139 per account. In some cases, the price reached over US$120,000.

These new market dynamics give an incentive to cyber criminals to target a wider range of organisations, including small and medium-sized businesses, and not just larger enterprises. Australian charities, not-for-profits and SMBs are already being affected[3], with Australia third on the global list for most in-demand credentials behind the US and Canada[4].

The silent threat

According to The Federal Government’s Office of The Australian Information Commissioner, 518 breaches were notified under the Notifiable Breach scheme between January and June 2020[5].  Although this figure is down 3% from 532 in the previous six months, it is up 16% on the 447 notifications received during the period January-June 2019.

It’s important to note that the threat from leaked credentials is not always obvious at first. Once hackers have credentials, they put them up for sale on the market, or they (or the party which purchases them) may lurk within the organisation’s systems, watching activity and mining more valuable data.

Are your credentials already in the cyber criminals’ hands?

The first step to reducing the threat is understanding the problem and identify any compromised accounts related to your business. This is where Telstra’s Leaked Credential Assessment can help.

Telstra, together with our expert partner FirstWave, monitors hidden chat rooms, private websites, peer-to-peer networks, Internet Relay Chat channels, social media and black market sites for leaked account names and passwords. Using your domain name, we can help determine whether an employee’s corporate email address and password used have been compromised as a result of a third party being breached. We can tell you which credentials we have found on the dark web and guide you through steps mitigate any potential risk to the business. We will also help you understand where the breach happened and provide advice on how you can reduce the likelihood of it happening in future.


1. NordPass, February 2020

2. Digital Shadows Photon Research, Forbes, August 2020

3. ABC, September 2019; Sydney Morning Herald, May 2020

4. Digital Shadows Photon Research, Forbes, August 2020

5. OAIC, July 2020