How Your Passwords Can End up for Sale on the Dark Web

7th August 2023

Hundreds of millions of accounts are compromised every year in data breaches through phishing, malware and other types of attacks. More than 11.6 billion records have been breached since 2005, according to a running tally by California-based nonprofit Privacy Rights Clearinghouse.

Those accounts are often then dumped on hacker forums or put up on the dark web, a collection of websites that can only be accessed by a special type of browser called Tor (it stands for The Onion Router, and dark web sites end with .onion). Originally created by the US Navy in 2002 to enable anonymous online communication, the system’s enhanced encryption and anonymity means it’s often used for illegal activity, including drug sales.

Hackers buy databases of stolen passwords and bombard other websites with them until one works, a fairly common technique known as credential stuffing. They also run variations of the password with different combinations, according to Beenu Arora, CEO of Atlanta-based cybersecurity firm Cyble. If one of those passwords works on another service — a bank, for example — it can then be posted or sold on the dark web again.

“That happens a lot,” said Bruce Schneier, a cybersecurity expert and a fellow at Harvard University’s Berkman Center for Internet and Society. “There’s a big data breach, and then someone will try the same username and password at a bank, at Google. You just try it. A lot of us reuse passwords, so you might get lucky.”

Credential stuffing was likely how hackers managed to gain access to over 500,000 Zoom accounts that they then posted on the dark web, according to Cyble, which first flagged their availability. A Zoom spokesperson confirmed to CNN Business that its “ongoing investigation” suggests “bad actors” relied on the credential stuffing method.

“It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere,” the spokesperson said in a statement.

Zoom accounts may have been made available for barely a penny each, but that’s not always the case — especially when more sensitive or detailed information is compromised. Arora said certain passwords on the dark web, particularly those that provide access to financial or medical information, can sell for as much as $1,000 apiece.

The main source of vulnerability, experts say, is that people tend to use the same password across multiple accounts or don’t change their passwords even after they’ve been breached. Microsoft estimates that around 73% of passwords are duplicates.