Cybercriminals prey on passwords and it’s becoming a thriving business in the cyber underworld.

The average person uses 191 services that require them to enter passwords or other credentials, according to a report from cybersecurity firm Digital Shadows. All those usernames, passwords and other credentials are becoming increasingly vulnerable as criminals ramp up and perfect their credential-hacking operations, the report said.

More than 15 billion credentials are in circulation, up 300% since 2018. The source for those credentials: 100,000-plus discrete breaches.


Of those 15 billion, 5 billion are unique, i.e. not a password used repeatedly across different accounts. Most of those credentials belong to consumers. The report emphasizes, as many cyber experts do, that consumers should never use the same password across different accounts.

"The message is simple – consumers should use different passwords for every account," Rick Holland, CISO and VP of Strategy at Digital Shadows, said in a statement.

Businesses and individuals with revealing email addresses should also be wary. Digital Shadows found 2 million accounting email addresses exposed, with “invoice,” “invoices” or “payments” the most popular.

How valuable is a password? Though cybercriminals give away many credentials for free, those that are sold go for an average of $15.43, the report explained.

Here’s how criminals value your credentials, depending on type:

  • Access to organizations’ key systems commands a big premium, selling to the highest bidder for up to $140,000, with an average of $3,139.
  • Bank and other financial accounts sell for an average of $70.91.
  • Account accesses for antivirus programs are priced at around $21.67.
  • Accounts for media streaming, social media, file sharing, virtual private networks (VPNs) and adult-content sites all trade for well under $10.

What’s driving all of this criminal activity? Account takeover “has never been easier (or cheaper) for cybercriminals,” the report noted.

So-called brute-force cracking tools – which have proven to be surprisingly effective – are available on criminal marketplaces for an average of $4. Brute-force attacks are generally those where an attacker tries to guess passwords based on common passphrases, hoping that one eventually works.


Criminals can also buy Account Takeover (ATO) “as-a-service.” Essentially, the criminal rents an identity, often for less than $10.

Sentry MBA is the most popular tool for credential stuffing – a method of cracking credentials where hackers “stuff” a bunch of stolen credentials against whatever they’re trying to crack with the hope that one of those credentials will work. Other tools like OpenBullet are also popular.
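Seen from the defender's side, the two techniques described above leave different traces in login logs: brute forcing shows many guesses against one account, while credential stuffing shows roughly one attempt each against many accounts. The following is an added example, not taken from the Digital Shadows report or this article; the log format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, succeeded)
SAMPLE_EVENTS = (
    # 203.0.113.7: one attempt each against many accounts, one hit
    [("203.0.113.7", f"user{i}@example.com", i == 4) for i in range(8)]
    # 198.51.100.9: many guesses against a single account
    + [("198.51.100.9", "admin@example.com", False) for _ in range(10)]
    # 192.0.2.20: ordinary user who mistyped once
    + [("192.0.2.20", "alice@example.com", False),
       ("192.0.2.20", "alice@example.com", True)]
)

def classify_sources(events, min_attempts=5, min_failure_ratio=0.8):
    """Label each noisy source IP as 'credential_stuffing' or 'brute_force'.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    per_user = defaultdict(lambda: defaultdict(int))  # ip -> username -> attempts
    failures = defaultdict(int)                        # ip -> failed attempts
    for ip, user, ok in events:
        per_user[ip][user] += 1
        if not ok:
            failures[ip] += 1

    labels = {}
    for ip, users in per_user.items():
        attempts = sum(users.values())
        if attempts < min_attempts or failures[ip] / attempts < min_failure_ratio:
            continue  # too quiet or mostly successful: not flagged
        if len(users) / attempts >= 0.8:
            # Many accounts, about one try each: replayed credential list
            labels[ip] = "credential_stuffing"
        elif max(users.values()) >= min_attempts:
            # Many guesses aimed at one account
            labels[ip] = "brute_force"
    return labels

if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_EVENTS).items():
        print(ip, label)
```

Grouping by source IP alone is a simplification: the same counts can be keyed on other request attributes when attempts are spread across many addresses.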

The report cited Verizon’s 2020 Data Breach Investigations Report, which said more than 80% of breaches related to hacking involved brute-force cracking or the use of lost or stolen credentials.

“Credential lists are widely sold and traded on cybercriminal forums and marketplaces, and full accounts for various services can be bought for even a few dollars,” the Digital Shadows report added.