Understanding the Password Black Market
Last week, we saw one of the biggest password dumps in recent history, thought to contain 272 million passwords. The problem: all of the passwords it contained turned out to be aged, inaccurate and ultimately worthless. Several providers were on the list, including Gmail, Yahoo, Hotmail, and mail.ru. The list was posted almost free of charge, which gave security experts the first red flag and led to a lot of skepticism. Experts reviewed the list, and major providers responded that the passwords were inaccurate or too old for concern.
So why would a hacker bother building a list of bunk passwords? In this case, the hacker was using it to improve his reputation on the black market. The black market is filled with forums and sites where hackers sell their wares (usually stolen passwords and credit cards) to buyers – sometimes your competitors. Because the black market is unregulated and available only through Tor, hackers first need to build a reputation before they can be trusted. The main way to build trust is to sell items and get good reviews. Once a hacker builds trust in the community, he can sell larger and more valuable items.
In the case of the password list, the hacker assembled and combined other lists into his own to give away in exchange for good feedback. Once his reputation is built, he can then sell quality lists for much more money.
Some people don’t believe their accounts are worth anything or that their low-limit credit card is worthless to a hacker. On the dark markets, stolen credit cards, passwords and open accounts are extremely valuable regardless of this perception. Hackers usually don’t target sites to use the data on their own. They steal data to sell on these markets, which means more data makes them more money – even low-limit credit cards or seemingly worthless accounts.
This is why it’s important to always keep data secure and change passwords often. If your provider offers 2-factor authentication, use it to defend against these types of attacks. Don’t disregard security thinking a hacker has no interest in your data. Your data is always valuable on the black market.