Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

360 Million Credentials for Sale to Crooks by Crooks. Black Market Info Bigger Risk to Companies and Consumers than Even Credit Card Data.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
Follow ThreatMetrix ThreatMetrix's Most Recent Posts:

Because the stolen user names and passwords might be able to access online bank accounts, corporate networks, health records, etc., they’re more of a risk to consumers and companies than even stolen credit card data.

Security expert Alex Holden, who helped uncover the data breach at Adobe where tens of millions of records were stolen, said he believed the 360 million records were taken in separate attacks. In one of those attacks, 105 million records were stolen. If his information is accurate it would make it the largest single credential breach in history. No one knows for sure because the breaches weren’t made public by the companies involved. In fact those companies might not be aware there were breaches until notified by a third party about the attacks.

Holden observed that the difference between the Adobe breach and this one was that Adobe’s records had encrypted passwords whereas these usernames, email addresses and passwords were in plain text.

In his article, Jim Finkle reported that the for sale email addresses are “from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations.”

Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.

“They can get access to your actual bank account. That is huge.”

Holden also noted that in addition to the 360 million credentials, the criminals are selling some 1.25 billion email addresses. Just imagine all the diet aids, wrinkle cream and male enhancement kits spammers can push with all those addresses.

By ThreatMetrix Posted