A study from Kaspersky Lab investigated dark web markets to determine how much money cybercriminals can make by selling consumers’ personal data online.

 

The research revealed that criminals could sell someone’s complete digital life for less than $50, including personal data stolen from social media, bank accounts, gaming websites and more.

While many people have heard of, or even fallen victim to, cybercrimes such as data and identity theft, relatively few know the true value of the information that can be stolen. Although the resale value of personal data is relatively low, cybercriminals can still put it to use and cause significant problems for victims. Individuals whose data has been stolen could lose money, face a damaged reputation, be held liable for debt that somebody else incurred in their name, or even be accused of a crime that somebody else has committed using their identity as a cover.

Through its investigation, Kaspersky Lab researchers found that criminals still have an appetite for personal data stolen from popular services, even if it does not come with a high price tag. For under $50, criminals can sell a person’s complete digital life on the dark web, including data from breached social media accounts; banking details; remote access to servers or desktops; data from popular services like Uber, Netflix, and Spotify; and accounts for gaming websites, dating apps and porn websites, which might store credit card information. 

The researchers also found that the price paid for a single breached account is even lower, with most accounts selling for about $1 each, and criminals offering discounts for buying in bulk. Interestingly, some criminals selling data provide their buyers with a “lifetime warranty,” so if an account they have purchased stops working, the buyer will receive a new account for free.

The most common way criminals steal this data in the first place is through spear-phishing campaigns or by exploiting security vulnerabilities in a web application’s software. After a successful attack, the criminal will obtain a password dump, which contains a combination of email addresses and passwords for the hacked service. With many people using the same password for several accounts, attackers may also be able to use this information to access accounts on other platforms. 

“It is clear that data hacking is a major threat to us all at both an individual and societal level, because stolen data can be used for many nefarious activities,” said David Jacoby, senior security researcher at Kaspersky Lab. “Fortunately, there are steps that we can take to prevent this, such as using cybersecurity software and being aware of how much data we are giving away for free – particularly on publicly available social media profiles."