Whenever a company suffers a data breach, passwords are among the most commonly leaked pieces of information. Once the threat actors behind the attack get hold of them, the credentials are typically dumped on the dark web, where they can be purchased and used for identity and financial theft.
Cybersecurity company SpyCloud's 2023 Identity Exposure Report confirms this. According to the report, the company's researchers discovered 721.5 million exposed credentials online in 2022. Of this number, 50% came from botnets: networks of computers infected with malicious software and controlled as a group by threat actors, in this case to deploy information-stealing malware.
"The pervasive use of infostealers is a dangerous trend because these attacks open the door for bad actors like Initial Access Brokers, who sell malware logs containing accurate authentication data to ransomware syndicates and other criminals," said Director of Security Research at SpyCloud Trevor Hilligoss. "Infostealers are easy, cheap, and scalable, creating a thriving underground economy with an ‘anything-as-a-service’ model to enable cybercrime. This broker-operator partnership is a lucrative business with a relatively low cost of entry."
To make matters worse, the study found that 72% of users exposed in 2022 data breaches were still reusing previously compromised passwords. Over 327,000 of the exposed passwords were related to Taylor Swift and Bad Bunny, 261,000 were associated with streaming services such as Netflix and Hulu, and over 167,000 were related to the British royal family and Queen Elizabeth’s death.
The study also uncovered 8.6 billion personally identifiable information assets in 2022. This includes 1.4 billion full names, 332 million national IDs/full Social Security numbers, and 67 million credit card numbers.
If your information is affected by a security breach, it pays to change your passwords immediately. You can either use passphrases, which are strings of unrelated words, or have a password manager generate a strong password for you. It also helps to turn on multifactor authentication, which requires another proof of your identity before you can log in to your account, such as a one-time PIN, a physical security key, or a fingerprint or facial scan. This way, cybercriminals won't be able to infiltrate your account even if they acquire your credentials.
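The report's finding that most exposed users were still reusing previously compromised passwords is something a defender can check for. The following script is an added example, not code from the article or from SpyCloud: it audits a constructed set of account passwords against a small constructed exposed-credential corpus, looking up hashes by 5-character SHA-1 prefix in the k-anonymity style of the Have I Been Pwned range API, and flags passwords that are reused across accounts.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus of exposed passwords, stored as
# uppercase SHA-1 hex (the form used by the Have I Been Pwned range API).
EXPOSED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123", "swiftie2022", "Netflix2020!", "queenelizabeth")
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> set:
    """Simulated k-anonymity range query: return every hash suffix in the
    corpus whose first five hex characters equal `prefix`. Only the prefix
    would leave the client in a real lookup, never the full hash."""
    return {h[5:] for h in EXPOSED_SHA1 if h.startswith(prefix)}


def is_exposed(password: str) -> bool:
    h = sha1_upper(password)
    return h[5:] in range_lookup(h[:5])


def audit(accounts: dict) -> dict:
    """`accounts` maps site name -> password (constructed sample input).
    Returns, per site, whether the password appears in the exposed corpus
    and which other sites share the same password."""
    sites_by_hash = defaultdict(list)
    for site, pw in accounts.items():
        sites_by_hash[sha1_upper(pw)].append(site)
    report = {}
    for site, pw in accounts.items():
        others = [s for s in sites_by_hash[sha1_upper(pw)] if s != site]
        report[site] = {"exposed": is_exposed(pw), "reused_on": sorted(others)}
    return report


if __name__ == "__main__":
    sample = {  # constructed accounts; "email" and "bank" reuse a leaked password
        "email": "swiftie2022",
        "bank": "swiftie2022",
        "streaming": "correct horse battery staple",
    }
    for site, result in audit(sample).items():
        print(site, result)
```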