A look into the pricing of stolen identities for sale on dark web

After a data breach, much of that stolen personal and sometimes highly personally identifiable information (PII) is sold on markets residing within the dark web. But, how much does the sale of stolen information work, exactly, and how much money are criminals making from stolen data?

Comparitech researchers analyzed listings across 40+ dark web marketplaces gathering data on how much stolen identities, credit cards and hacked PayPal accounts are worth to cybercriminals.

Here are some key findings:

Americans have the cheapest "fullz" (full credentials e.g. SSN, name, DOB etc), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25. Not all fullz are the same. While SSN, name, and DOB are all fairly standard in fullz, other information can be included or excluded and thereby change the price. Fullz that come with a driver’s license number, bank account statement, or utility bill will be worth more than those without, for example. Some fullz even include photos or scans of identification cards, such as a passport or driver’s license.
Prices for stolen credit cards range widely from $0.11 to $986. Hacked PayPal accounts range from $5 to $1,767.
The median credit limit on a stolen credit card is 24 times the price of the card.
The median account balance of a hacked PayPal account is 32 times the price on the dark web.

Credit cards, Paypal accounts, and fullz are the most popular types of stolen information traded on the dark web, but they’re far from the only data worth stealing, says Comparitech. Other types of stolen information usually for sale are: passports, driver’s licenses, frequent flyer miles, streaming accounts, dating profiles, social media accounts, bank accounts, and debit cards.

This data - most often stolen through phishing, credential stuffing, data breaches, and card skimmers - is bought and sold on dark web marketplaces. Here’s a few tips for avoiding those attacks, from Comparitech researchers:

There’s not much an end user can do about data breaches except to register fewer accounts and minimize your digital footprint.
Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
Learn how to spot and avoid phishing emails and other messages.
Credential stuffing can be avoided by using strong, unique passwords on all of your accounts.

For the full blog, please visit https://www.comparitech.com/blog/vpn-privacy/dark-web-prices/

Situational awareness should be at the forefront of your security program. It can mean the difference between life and death in a workplace emergency.

Security’s digital transformation is now entering stage 5. Complex security technologies are connected to HR systems, global security operations centers, and other building technologies in a world where employees now work in two places: home and the corporate office.