Email, Banking, and Other Login Credentials of Upstate NY Users Found for Sale on the Dark Web
Our Network Operations Center (NOC) has noticed an alarmingly high number of local business accounts leaked on the Internet.
Is access to your email, your bank accounts, your website, or your social media accounts being bought and sold on the online black market? It’s more likely than you might think.
While deploying a new feature to our service stack for our managed IT clients, where our technicians monitor the dark web for stolen passwords, our techs were made aware of large caches of local stolen credentials.
What is the Dark Web?
The dark web is considered a small part of the deep web (the part of the web that can’t be found on Google or other search engines). The dark web isn’t accessible for most people, as it requires specific software and connection configurations in order to do it safely. You won’t stumble upon the Dark Web in your everyday web surfing, which is good, as there are plenty of risks just connecting to it.
The dark web operates with a high degree of anonymity. You might think this is a good thing, but this anonymity attracts a lot of illegal activity. Criminals use the dark web to peddle illegal substances, stolen information, counterfeit goods, and things can get pretty dark beyond that.
What Kind of Data Is Bought and Sold on the Dark Web?
The dark web is filled with a wide variety of different types of stolen information available to purchase. Interestingly, you can even put a price tag to the stolen data:
- Social security numbers sell for $1
- Drivers licenses sell for about $20
- College diplomas sell for anywhere between $100 and $400
- US passports go for anywhere between $1000 and $2000
- Credit card information starts at a measly $5 to $110
- Subscription service accounts sell for about $1 to $10
- Stolen medical records start at $1 but could sell for up to $1000
- Online payment services like Paypal and bank accounts sell for $20 to $200 each
On top of this, a ‘popular’ package on the dark web is called Fullz information. Fullz information contains the name, SSN, data of birth, credit card information, and some other data A single package of Fullz information for one person runs at about $30.
This means that, for the price of a steak dinner, a criminal can steal your identity and cause a massive amount of trouble for you.
How Can My Information Get on the Dark Web in the First Place?
This is where things get even more scary. Your sensitive information could be up for grabs on the dark web and it isn’t necessarily your fault.
When you do business with a company, they collect and process some of your information. When you do business with Netflix, they process your email, your Netflix password, your credit card details, and your Netflix preferences. When you ‘do business’ with Facebook, they might not get your credit card information necessarily, but they hold a ton of data about you - your contact info, your contacts, any accounts you’ve used Facebook to log into, and so much more.
Even purchasing popcorn and soda at the movie theater involves passing sensitive information over the Internet.
When a company gets breached by hackers and the data is intercepted or stolen, your information can be a part of it.
This happens all the time. In fact, here are just a few of the biggest data breaches over the last few years:
- Earl Enterprises (2019) - If you’ve been to a Buca di Beppo, Earl of Sandwich, Planet Hollywood, or Chicken Guy restaurant, there’s a chance that malware stole your credit card information. It affected more than 2 million customers.
- Marriott Hotels (2018) - 500 million guests had their contact information and passport information stolen, and an undisclosed number of guests had credit card numbers hijacked.
- Macy’s (2018) - For about a month and a half, all of Macy’s online customers had their contact information and credit card information accessed by a third party.
- Verifications.io (2019) - The email validation company discovered that 1 billion email accounts were exposed in one of the largest single-source data breaches, causing the company to close its doors immediately after.
- MedSpring Urgent Care (2018) - 13,000 patients may have had their medical data breached when a single employee fell victim to an email phishing attack.
- Verizon (2017) - 14 million Verizon subscribers had their customers support information stolen, which could have included anything that an individual customer willingly gave to Verizon’s support over the phone.
- Facebook (2019) - 600 million user passwords were made accessible to more than 20,000 of Facebook’s employees.
- Equifax (2017) - This affected 143 million consumers. This is considered one of the worst breaches ever. The compromised data included full names, addresses, birthdates, credit card info, SSN, driver’s licenses, and more.
This doesn’t just happen on a large scale. You might remember back in 2008 when a credit card breach affecting Hannaford customers hit Oneonta residents. The fault can’t be placed on the customer, and in Hannaford’s case, they were reportedly meeting the proper security requirements when the breach happened. The breach was tied to a gang of five Russian and Ukrainian men who were targeting payment systems and retailers.
Let's just put it this way; it would be a miracle if you’ve never had any data stolen.
Often, when a lot of data gets stolen, it finds its way on the dark web, where it’s displayed, traded, bought, and sold.
But I Don’t Have Anything Worth Stealing!
We hear this a lot. Because there are safeguards in place to protect consumers from stolen credit cards, credit card holders don’t really feel like they are on the hook when fraudulent charges occur. For many situations, a few annoying calls to your credit card company solves everything. Unfortunately, having your credit card stolen is typically the best-case scenario when it comes to data theft.
You might not give them a monetary value, but online accounts like social media, Amazon, Google, and email accounts contain access to lot of sensitive information about you. Some people just don’t consider their online identity that critical. It’s easy to ignore the massive amount of personal information we feed into these platforms, and how one chink in the armor can really do some damage in the long run.
A Hypothetical Example
Let’s look at your Facebook account, for example. Maybe you don’t use Facebook all that much. You have an account that you log in to once every month or so to chat with family members. If your Facebook account were to go away tomorrow, you probably wouldn’t miss it. In the worst case scenario, you’ll spin up another account and send your family members a new friend invite and move on. Despite being a tech-geek myself, I’d imagine this is the situation for a lot of readers.
If your Facebook account credentials were to get into the wrong hands, however, a lot of damage could be done. Here are some situations to consider if your Facebook account gets compromised:
- Contacts - Your Facebook is essentially a big contact list. If you get compromised, you’ve opened your friends and family up.
- Company Pages - If you administrate a company page, a criminal could kick out all the other admins and take over. It’s extremely hard to get in touch with Facebook to get this kind of issue resolved.
- 3rd-Party Site Logins - If you’ve signed in to other services with your Facebook account, such as payment apps like Venmo and Paypal, a criminal could easily gain access to these other services.
- Your Common Password - Criminals know that many users will use the same password on multiple sites, so if they know your Facebook password, they will try logging into other accounts with it.
- Your Identity - Facebook inherently stores a lot of data about you, and it’s not just the information you voluntarily hand over.
Even if you are lax when it comes to online accounts, there are great risks when you don’t take basic measures to protect yourself.
The Big Question - How Can I Tell If My Sensitive Information is on the Dark Web?
First and foremost, I have to advise everyone to avoid attempting to connect to the dark web and digging around to seek out their personal information in this online black market.
Although there are tutorials online to get connected to the dark web, I cannot stress enough the dangers that come with it. The dark web is essentially lawless territory. I say this not only for the sake of your computer, your network, and your identity, but for your psychological state; there is no shortage of troubling material to be found.
Leave It to the Security Experts
There’s a bright side to the dark web. Security experts around the world are always examining data from various sources, both on the publicly accessible Internet and the dark web. They scour through data that was stolen in security breaches, posted on bulletin boards, peer-to-peer sharing networks, forums, and other sites.
When major caches of stolen information hit the dark web, these security experts collate the data for several reasons. One is to determine the scale, motives, and threats brought on by cybercriminals. The other is to share limited access to this data with other IT security experts to help protect individuals and businesses, and to prevent further cybersecurity issues.
We’ve invested in tools that support this initiative, and because of this, we are able to monitor the dark web for our clients’ email accounts to discover if their personal information has been breached.
Find Out If Your Personal Data Has Been Stolen
Although we intended to only offer this service as a monitoring package for clients to determine if their sensitive credentials have been stolen, we have decided to offer one-time scans for any Upstate New York business that wants to check to see if their information has been breached.
We’ll scan the dark web for your company email domain and report back on any instances where a password is found. We can also help you take action based on what we’ve found.
CLICK HERE TO SIGN UP FOR YOUR COMPLIMENTARY DARK WEB SCAN
The page above will mention this, but there is no obligation or fee for this, we just really want local business owners to be aware of any risks they might not know about. This will not interfere with your existing IT, or anyone managing your IT. The scan is 100% discreet and confidential.
We hope we can further help our local community by offering our experience to business owners!