More than 24 billion username-and-password combinations are available on cyber-criminal marketplaces, and the number of breached credentials is still rising as attackers take advantage of weak and re-used passwords.
Analysis by researchers at cybersecurity company Digital Shadows found a 65% increase in usernames and passwords sold, traded or dumped on cyber-criminal forums and underground marketplaces.
Of the credentials available across hundreds of underground marketplaces, 6.7 billion were unique username-and-password pairs, a third more than in the company's previous analysis in 2020. The gap between the two figures indicates that the same usernames and passwords are being stolen and re-posted many times over, often without the victim being aware.
One reason for this trend is that many accounts use common or weak passwords, which cyber criminals can recover simply by guessing.
The report says the most commonly leaked password is ‘123456’, one of the simplest passwords around: it appeared more than 30 million times, accounting for 0.46% of the 6.7 billion unique credentials, or roughly one in every 200. There were also millions of instances of other simple passwords, including more than 17 million cases of ‘123456789’, more than 10 million of ‘qwerty’, 10 million of ‘12345’, and almost nine million that are simply ‘password’.
The 10 most common passwords found in the data:
According to the Digital Shadows report, 49 of the 50 most commonly used passwords can be cracked in under one second using easy-to-use tools that circulate on criminal forums, often free or sold for small sums. If someone is using one of these passwords and has not yet been compromised, it will not be hard for an attacker to change that.
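The reason a top-50 password falls in under a second is that cracking tools try guesses in order of how common the password is, so ‘123456’ is the very first guess. The following is an added example, not code from the article or from Digital Shadows: a minimal dictionary attack against a constructed dump of unsalted SHA-256 password hashes, the same attack against a salted dump to show that salting only multiplies the work by the number of users, and the denylist check a registration form can run to refuse these passwords up front. The wordlist is just the five passwords named in the report; the hashes, salts and usernames are constructed for the example.

```python
"""Ranked-guess dictionary attack and a common-password denylist check.

Added example; all data below is constructed. A real attacker's wordlist
has hundreds of millions of entries built from earlier breaches, but the
ordering (most common first) is what makes the first guesses so effective.
"""
import hashlib
import os

# Constructed ranked wordlist: most common first, as the report ranks them.
COMMON_PASSWORDS = ["123456", "123456789", "qwerty", "12345", "password"]


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


# Constructed plaintexts used to build both leaked dumps below.
PLAINTEXTS = {
    "alice": "123456",
    "bob": "qwerty",
    "carol": "correct horse battery staple",  # strong, not in the wordlist
    "dave": "password",
}

# Constructed "leaked" dump 1: user -> unsalted SHA-256 hex digest.
LEAKED_UNSALTED = {user: sha256_hex(pw) for user, pw in PLAINTEXTS.items()}

# Constructed "leaked" dump 2: user -> (salt_hex, sha256(salt || password)).
LEAKED_SALTED = {}
for _user, _pw in PLAINTEXTS.items():
    _salt = os.urandom(16).hex()
    LEAKED_SALTED[_user] = (_salt, sha256_hex(_salt + _pw))


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Hash each guess once and look up every leaked digest in the table.

    Unsalted hashes mean one digest per guess covers the whole dump.
    Returns ({user: (plaintext, rank)}, hashes_computed).
    """
    table = {}
    for rank, guess in enumerate(wordlist, start=1):
        table[sha256_hex(guess)] = (guess, rank)
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """Per-user salt forces a fresh hash per (user, guess), but a password
    at rank r still falls after r hashes, so the top entries go instantly.
    Returns ({user: (plaintext, rank)}, hashes_computed).
    """
    cracked = {}
    hashes_computed = 0
    for user, (salt, digest) in dump.items():
        for rank, guess in enumerate(wordlist, start=1):
            hashes_computed += 1
            if sha256_hex(salt + guess) == digest:
                cracked[user] = (guess, rank)
                break
    return cracked, hashes_computed


def is_denied(candidate: str, denylist: list = COMMON_PASSWORDS) -> bool:
    """Registration-time check: refuse a password that appears on the
    common-password list, ignoring case and surrounding whitespace.
    Production systems use a much larger list of breached passwords.
    """
    normalized = candidate.strip().lower()
    return normalized in {entry.lower() for entry in denylist}


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED, COMMON_PASSWORDS)
    print(f"unsalted: {len(found)}/{len(LEAKED_UNSALTED)} cracked with {work} hashes: {found}")
    found, work = crack_salted(LEAKED_SALTED, COMMON_PASSWORDS)
    print(f"salted:   {len(found)}/{len(LEAKED_SALTED)} cracked with {work} hashes: {found}")
    for pw in ("Password ", "correct horse battery staple"):
        print(f"deny {pw!r}: {is_denied(pw)}")
```

Three of the four constructed users fall in both runs; only the passphrase survives, and it survives because it is not on the list, not because of the salt. The denylist check is the same comparison run from the defender's side, which is why rejecting known-common passwords at registration is a cheaper control than any complexity rule.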
“The top 50 is a mix of what you’d expect: almost all are incredibly weak, easily guessable, and related to something the user could easily remember,” the researchers said.
“We saw strings of easily remembered numbers, like 123456 … and it’s painful to admit that was the most common password. That password actually represented 0.46 percent of our total number of the 6.7 billion unique credentials.”
The researchers noted that while a large share of these top passwords are probably used for mundane accounts, such as a TV or a smart thermostat, they are also likely to be in wide use on more sensitive accounts.
One of the most common forms of cybersecurity advice is that users should use strong, unique passwords, but with so many common and weak passwords posted on underground marketplaces, it appears that the message isn’t getting through. So why is this?
Passwords are complicated, and remembering those complex trains of letters and numbers is something we find hard. “We are not programmed that way – our brains don’t work that way – so it is a hard and complex task for us,” Stefano De Blasi, cyber-threat intelligence analyst at Digital Shadows told ZDNet.
The number of accounts each person holds is also a problem. Good cybersecurity hygiene calls for a different password for each account, but remembering many different passwords is hard, so many people choose convenience over security and use the same passwords repeatedly.