How Much Does Your Data Cost on the Dark Web? – We Checked
The simple answer is this: about $45. This is how much, on average, a full set of information for a credit card is selling for, including a name, SSN, birth date, and CVV.
A fuller answer is a lot more complicated, like almost everything on the dark web. Buying illegally obtained data on arguably illegal platforms is, after all, a pretty shady business, and prices are therefore liable to extreme fluctuations and gross manipulation.
Fear not, though. Whilst I would never admit here that we have tried to buy illegal data (not least because our lawyers have told me not to), today I’ll give you a detailed run down of how much your data is (potentially) selling for, and what you can do about it.
To get this information, we read the research that has already been carried out by a variety of agencies and companies, such as Liv Rowley on Flashpoint, Richard on Dark Web News, and The Hidden Data Economy by Charles McFarland, François Paget, and Raj Samani.
We also did some investigating of our own. Whilst most of our results tallied with the research that is already out there, we also uncovered some new and troubling trends: specifically, that password information for commonly used sites such as Facebook and Instagram is becoming a valuable commodity on the dark web.
Let’s dig deeper into this skeezy topic.
The Cost of Personal Data
How much your data is worth on the dark web depends to a huge degree on how complete a profile is available to a potential identity thief. It also depends on a number of other factors, some more surprising than others: not just how much credit is available on your card, but also how old you are, and even which state you live in.
By far the most common pieces of personal information on the market, as you would expect, are credit card details. The purchase of these details allows an identity thief quick access to funds, and if purchases are compressed to a few days, you are unlikely to notice that your details have been stolen until your next statement. This said, the sheer range of personal information now available on the dark web is startling: everything from passwords to shopping sites to medical records.
At the budget end of the market, at least for data from the US, are Social Security numbers, which can be bought for $1. You read that right: $1. At the other end of the market are details that are extremely hard to get hold of, or documents that are difficult to fake. Historically, Passports have been a premium item, with US versions selling for between $1000 and $2000, though in recent years there has also been a worrying trend for stolen medical records.
We have made a handy infographic for some of these prices. Here it is:
Whilst a useful guide, it’s worth noting that the items above are far from the only pieces of information available, and prices vary significantly.
What Information Is Most Common?
Most guides to protecting your data will tell you that by far the most common information purchased by identity thieves is a package called ‘fullz’. These packages contain credit card numbers, but also any other information associated with the account, which allows an attacker to verify their identity if challenged by automated anti-theft systems.
The scale of theft of credit card information has, therefore, been the focus of most of the research done into prices on the dark web. An Armor Threat Resistance Unit (TRU) report released earlier this year, for example, looked exclusively at price trends for credit card details.
The TRU report found that credit card numbers from untested cards could be bought for between $10 and $12, though prices varied hugely depending on the credit limit of the card in question. Those with an advertised $5,000 limit are being sold for $450, while a card with a $10,000 limit was spotted on sale for $800. Another with a limit of $15,000 was being touted for $1,000.
There is another commodity, however, that is rapidly gaining popularity: your generic passwords. Many sites offering basic services now ask all their users to sign up for an account in order to gain access, and some miscreants have realized that, when asked to make a new password, most people will use the same one that affords access to almost all their other accounts.
In our own research, we found that password information from these sites are starting to command higher prices than they have historically, because identity thieves have realized that most people use the same set of passwords for almost all of their accounts. This is one of the reasons why we urge everyone who is sending sensitive personal information in a public place to use a high quality VPN service.
For this reason, details that used to sell for little more than $10, such as details for individuals’ instagram accounts or similar, are more expensive than they used to be: using these details to steal someone’s identity is a little more complex than merely ordering an illegal Passport, of course, but for those willing to put in the work the rewards can be greater.
Given that obtaining personal information, let alone selling and buying it, is illegal, it will come as no surprise to learn that the systems used to buy this information are complex and mysterious. There are typically a number of ‘middlemen’ who broker deals between those who steal data and those who sell it, and everyone in the chain takes great pains to protect themselves against discovery by law enforcement.
Organising the marketplace in this way also allows each individual to claim relatively little knowledge of the origin and intended use of the stolen data. This, coupled with outdated and inefficient law enforcement of the dark web, means that the amount of information available is still increasing rapidly.
Such an unregulated system also creates ‘problems’, if they can be called that, for potential buyers. Many online ‘shops’ for illegal data operate review systems familiar from more legitimate sites such as Amazon, where buyers can rate the service they receive from buyers. This helps to build trust, but in our own research, we were constantly being warned that even trusted brokers frequently delivered fabricated data.
It is hard to have any sympathy for an identity thief getting ripped off, of course, but such scams just got to show the total lack of regulation in the market, even by those heavily invested in it.
What Can I Do About It?
Unfortunately, there is little you can do about the most common way for your data to appear on the dark web. During our own research, the most common data we saw appeared to have been obtained from large-scale hacks of financial companies. There is little customers can do about this, of course, other than complaining to their account providers and hoping that they eventually install greater security protection for this data.
That said, there are a number of simple steps individuals can take to limit the amount of data available to criminals. The fact that our own research found a growing market for generic passwords suggests, in fact, that one of the best ways to protect yourself against someone stealing your data is also one of the oldest: using a variety of strong passwords.
Rather than using the same weak password for each online service you sign up to, it is good security practice to think up a new one each time. You may think that using a weak, easily guessed password for an apparently innocuous service like your web hosting account would not create a vulnerability, but if you use the same password for a variety of such services an attacker can cross-reference these and gain a surprising level of insight into your identity.
Another good practice is to test if your data is already available on the dark web, and to do so at regular intervals. Even if you were the victim of a hack several years ago, it is worth this regular check, because sometimes your data can take a while to circulate back to online marketplaces.
Ultimately, the price of your information on the dark web abides by the ancient rules of supply and demand. At the moment, it seems that there is plenty of both, albeit with a supply-side excess. This is not surprising, since the average corporate hack will gain access to thousands of individuals’ data, and though identity theft is a growing problem, the number of criminal involved in it remains mercifully (and relatively) low.
That said, it still seems that law enforcement agencies are pretty clueless when it comes to policing the dark web, and so the market for stolen information is something that, for now and the foreseeable future, we are going to have to get used to.
A method of protecting your data that is rapidly gaining popularity is connecting to the internet through a Virtual Private Network or VPN. While this topic deserves a page unto itself, suffice it to say that this option encrypts your connection, making it harder for bad guys to steal information. All VPNs are not created equal, however. Before seriously considering this as an option, read our article on which ones to shy away from because they log IP addresses, which totally defeats the purpose.
You May Also Like: