Security researchers have discovered a set of over 15 billion usernames and passwords obtained from as many as 100,000 separate data breaches or obtained by other means.

According to a new report from German information security firm Digital Shadows, many of the compromised credentials were duplicates, but the total number of unique account credentials was still over 5 billion.

According to the researchers, the credential sets were obtained in "over 100,000 various data protection regulation breaches, cyber hacks, and other data breaches," adding that "the number of access data stolen and disclosed has increased by nearly 300% since 2018."

Digital Shadows found that most of the stolen credentials belonged to "individuals and consumers," with login information for bank accounts, streaming services like Netflix and Spotify, and other platforms being sold on the dark web.

For example, Netflix accounts were trading between $3 and $5, except for one allegedly "cracked for life" account that was sold for $10.

While much of the information came from the data breach, some was undoubtedly obtained through other methods of stealing account credentials, such as phishing attacks against account holders and "credential stuffing" attacks that test reused usernames and passwords.

Given that the number of stolen account credentials discovered by Digital Shadows is twice the number of people on the planet, it is quite likely that anyone reading this article has at least one set of stolen credentials. If you have any doubt, enter your email address into the HaveIBeenPwned website and see if anything has been compromised.

To make your account credentials as secure as possible, first don't reuse passwords, and use the best password manager to generate and process all passwords.

If a service you have an account with is compromised, you cannot help it, but even if it is, if you have already taken the above steps, the password you created for that compromised account cannot be used anywhere You can rest assured knowing that the password you created for that compromised account cannot be used anywhere.

Such data was often available for free or sold at "bargain" prices. The average price of a compromised consumer account was $15.43 (€13.68).

However, prices vary by type of account. For example, financial services accounts commanded prices as high as about $70.91 (€62.86).

On the other hand, login information for antivirus applications sold for $21.67 (€19.21), and for less than $10 or €10, cybercriminals could purchase login information for streaming services and social media platforms. [Stefan Bange, DACH (Germany, Austria, Switzerland) Country Manager for Digital Shadows, said, "In the past 18 months alone, Digital Shadows' Photon Research team has identified among our clients approximately 27.3 million identified user and password combinations," he explains. [Of course, not all of the leaked logins will be successfully cyber-attacked. Nevertheless, many of these accounts contain personal and highly sensitive information that could be exploited by cybercriminals for phishing, social engineering, extortion, network intrusions, etc."

"While the risks to individuals are great, organizations and businesses are also affected directly and indirectly by their employees and customers.

Researchers also found 2 million email addresses and corporate sector usernames sold in these marketplaces.

Compared to consumer data, lucrative corporate and industry domains can be sold on the dark web for prices ranging from $50-120,000 or euros.

According to Digital Shadows, these include "large corporations, global players, and various governments and government agencies."

Bunge said the ease with which cybercriminals can hack into user accounts is a problem, noting that "forced cracking tools and account checkers are available on the dark web for as little as €4." [Furthermore, so-called "as-a-service" offers have been on the rise for some time now, where criminals can borrow a user's identity for less than 10 euros, without having to do the work themselves, but simply accessing the account.

"Multi-factor authentication (MFA) makes ATO attacks more difficult, but not impossible. We continue to see new ways to bypass 2FA being discussed and implemented in cybercriminal forums."