The 411 on the Password Black Market

It’s no secret that passwords are becoming more and more valuable. It seems like every new day brings a new breach involving hundreds of thousands or millions of passwords. While you’re probably aware of this threat, you may not be sure why you’re at risk, and even what it means for your accounts. Do you really need to worry about every single breach? What can hackers really do with your passwords anyway?

Here’s what you need to know about the black market for passwords and what you can do to protect your passwords and personal information.

How passwords are stolen

The term ‘black market’ for passwords gets mentioned here and there when a data breach makes the news. It might sound far-fetched, but the truth is that on both publicly available websites and the dark web there are stolen passwords for sale. These are usernames and passwords that hackers obtain and sell to those who want cheap access to online services, or who have more nefarious intentions and use them as a foothold into someone’s online identity. There are many ways attackers might try to infiltrate your online accounts and steal your passwords. Here are some of the most common methods:

In phishing attempts, a fake sender pretends to be contacting you from a reputable company where you have an account, such as Netflix or even your credit card issuer. They’ll ask you to update your account information, for example by resetting your password. When you follow their link and enter your username and password, it goes straight into a hacker’s database and is usually made available for sale.

Another type of social engineering attack (meaning the user engages with the hacker and gives up information) is pretexting. Here a hacker reaches out to users and leverages some piece of personal information already in hand to coax the user into giving up even more information about themselves.

Seems like a no-brainer, but when you write down passwords on paper and leave it near your desk, anyone can take that information. Whether it’s someone at work, a burglar if your home is broken into, or a thief who takes your phone, that written-down list unlocks sensitive information that you don’t want in the hands of the wrong people.

Brute-force attacks occur when a hacker systematically and methodically tries every possible password until finding the correct one. This is a clear case where a longer, more complex, and random password helps protect your account: every extra character multiplies the number of guesses the attacker has to make.

Data breaches can occur on a small or large scale, and usually happen when a company’s database, such as Target’s or Omni Hotels’, is compromised. Typically attackers either gain direct access to the database and steal personal information outright, or they install malware on machines that captures account information and sends it back to the hacker. Data leaks also happen when corporate devices like laptops or cell phones are lost or stolen, or when paperwork is mishandled.

Why passwords matter

Even if your account doesn’t include access to cash or credit card numbers, it’s still extremely valuable and you don’t want it in the wrong hands. The account likely contains information that a hacker could use to get into other accounts via a pretexting or phishing attack, such as family members’ names (from your Netflix profiles), your usual running routes and home address (from activity tracking apps like Fitbit), your home zip code (available in most apps), and much more. Passwords for services like Spotify Premium and Netflix may sell for as little as $0.25 on the black market, because people want cheap access to online services.

If that doesn’t convince you to stop using ‘throwaway’ passwords, this will. Consider the LinkedIn breach back in 2012; those passwords are still being sold on the black market. You likely changed your LinkedIn password at the time of the breach, but if you used that original password for other accounts, hackers who buy the stolen credentials can now try it on other sites (think brute-force and password-reuse attacks) and get into those accounts too. That’s one good reason to never reuse passwords.

How to protect your passwords

The news of so many threats can be overwhelming, but there are a few important steps you can (and should) take to prevent your password from being stolen and sold on the black market.

First off, use a unique password for every account, regardless of how sensitive you feel the information in that account is. When every account has its own password, then even if one of them is hacked and the password is sold or leaked, whoever buys it will not be able to use it to get into any of your other accounts. If you have trouble with that, a password manager like LastPass can generate and remember them for you.

Second, set up multifactor authentication on your accounts wherever it’s possible. Let’s say one of your passwords is stolen and put up for sale on the black market. If you have multifactor authentication on that account, the person who buys your password still won’t be able to access the account, because it requires a second form of authentication tied to your phone or email.

Just as hackers are becoming more savvy at stealing and selling passwords, we too must become more savvy at protecting our information. If you don’t use a password manager yet, you can get started for free with LastPass in just a few minutes. It lets you easily create and manage unique passwords, because LastPass remembers those passwords for you. Already using LastPass? Try the Security Challenge to identify and change your reused passwords and set up two-factor authentication for your LastPass account.
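The two habits above, one unique password per account and replacing any reused one with a long random one, can be checked mechanically. The script below is an added illustration, not LastPass code: it works over a small constructed vault (hypothetical `.example` sites, made-up passwords), flags every password used on more than one site, swaps each for a fresh CSPRNG-generated one, and reports the brute-force search space the new length buys.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault for the demo (site -> password); not real credentials.
SAMPLE_VAULT = {
    "netflix.example": "Summer2012!",
    "linkedin.example": "Summer2012!",   # same password reused from Netflix
    "spotify.example": "Summer2012!",    # reused a third time
    "bank.example": "g7#Qp2!vL9xR$wZ",   # already unique, left alone
}

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused_passwords(vault):
    """Return {password: [sites...]} for every password shared by two or more sites."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length=20, alphabet=ALPHABET):
    """Build a password from the OS CSPRNG (secrets), never from random.random()."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def brute_force_bits(length, alphabet_size):
    """Bits of search space a brute-force attacker faces for a uniform random password."""
    return length * math.log2(alphabet_size)


def fix_vault(vault):
    """Return a copy of the vault where every reused password is replaced by a unique one."""
    fixed = dict(vault)
    for sites in find_reused_passwords(vault).values():
        for site in sites:
            fixed[site] = generate_password()
    return fixed


if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
    print(f"8-char lowercase: {brute_force_bits(8, 26):.1f} bits; "
          f"20-char random: {brute_force_bits(20, len(ALPHABET)):.1f} bits")
    assert not find_reused_passwords(fix_vault(SAMPLE_VAULT))
```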


One Comment

  • Anonymous says:

    How do the generated passwords work? How do you remember them, or do they come up every time you open the account? I have a folder with several pw’s. I also have Google Chrome and Norton Mobile on my phone and computer.