Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
Passwords for individual online banking accounts sell on the dark web for an average of $160.15.
If that seems pricey, there’s plenty of other personal information available for much less.
Getting in the front door of a person’s Airbnb account will cost hackers about $7.87. Uber credentials are a bargain at $7. And if cybercriminals get hungry, they can get a GrubHub food delivery login for about $9.16.
Those are the going rates compiled across three popular dark web marketplaces by Top10VPN, an online security and privacy education company.
“What really struck me [is] how everything has a value on the dark web,” said Simon Migliano, head of research and operations at Top10VPN. “It brought home how opportunistic this really is.”
The average person has at least a dozen online accounts, ranging from email and Facebook to online shopping, food delivery and banking. Add up all of those accounts and the typical internet user’s identity is worth about $1,200 to hackers, according to Migliano’s calculations.
Nicolas Christin, an associate research professor in computer science and engineering at Carnegie Mellon, who is not affiliated with the research, told NBC News that the prices appear to be similar to what he’s seen for sale on the dark web.
“Unfortunately, they don’t tell us much: We don’t know if people are actually buying these items. We don’t know anything about the quality of the items in question,” he wrote in an email.
On the dark web, Migliano described a system that could be likened to eBay or Craigslist, but for criminals. His team used automated and manual data collection during the week of Feb. 5 to build their index, which focuses on listings for American and British accounts.
The research focuses on three of the most popular places offering sensitive information on the dark web: Dream, Point and Wall Street Market. These platforms aren’t accessible to the average internet user and don’t show up in search engines. They often require particular software or special access, and hide users’ identities — making them perfect for marketplaces that traffic in personal data, drugs and child pornography.
While a criminal wouldn’t know for certain if the credentials they were buying actually worked or would lead to something of more value, Migliano said the covert online marketplaces are set up like any other online buying platform.
Sellers usually have ratings and reviews, so “as a would-be fraudster, you would want to be buying from a highly rated seller,” Migliano said.
After criminals get the credentials to a person’s account, whether it’s their email or online shopping account, Migliano said they will then snoop around, hoping to find more clues that could allow them to take over their target’s identity.
“The problem is, people usually reuse their passwords,” he said.
Here’s why that’s bad: If a hacker has access to a person’s online dating account, they could then try that password on their target’s email or banking accounts, opening the door to wider identity theft.
“Our research is a stark reminder of just how easy it is to get hold of personal info on the dark web and the sheer variety of routes that fraudsters can take to get hold of your money,” Migliano said.
While the idea of cybercriminals forking over a few bucks to weasel their way into a person’s online accounts sounds scary, there are a couple simple cybersecurity practices that can keep everyone safe.
Robert Siciliano, a security analyst with digital security firm Hotspot Shield, said it is important to use unique passwords for each account and to change them regularly. Two-factor authentication, where a code is sent to a phone and then used to log in, can also keep users safe.
“Because billions of passwords are in circulation it is essential that consumers do not reuse passwords,” Siciliano said. Because on the dark web, “every aspect of personal identifying information is up for grabs.”