In brief

  • Cybersecurity firm IntSights has published a new report, “Paying the Price: What’s Your Data Worth on the Dark Web?”
  • It finds that some hacked data can go for as little as $0.
  • Purchases of exploits and ransomware fall into the highest range at $1,000 and up.

Over 3 million Americans each year lose money as a result of identity theft. Collectively, in 2016, Americans reported losses of $17.5 billion. The victims might be appalled to learn that, in some cases, their stolen data sold for the cup of Starbucks coffee—and not even the fancy kind with a double pump of vanilla.

In a recent report on dark web cybercrime shared with Decrypt, titled “Paying the Price: What’s Your Data Worth on the Dark Web?” cybersecurity firm IntSights found that many transactions of stolen data go for under $5.

“Data is the most valuable asset in the world right now—but your data is worth less to threat actors than it is to you,” the report said. Instead, bad actors make money by any combination of three methods: Costco, eBay, or Papa Murphy's. That is, they sell the data in bulk, auction it off, or give you the ingredients to hack others from home.

At the lowest price point are your run-of-the-mill social security numbers, birthdates, and credit card numbers, some of which even get shared for free. However, if hacked credit card digits are “fresh” (e.g.., haven’t been reported stolen), they might go for closer to $5.

The next price range is $5 to $10, which is for higher quality credit card data and scans of fake IDs and utility bills. Together, buyers can use these to commit financial fraud, take over an account of an existing bank customer, or even start a new one in their name.

After that, things start to get pricier. According to IntSight, $20-$100 is enough to buy compromised bank accounts as well as higher-quality “fullz,” packages that have multiple pieces of victim information (although some lower-quality fullz are available in the $0 to $5 price range, as well).

In the $100 to $1,000 range, you can find full databases of stolen information, but if you’re an enterprising criminal looking to collect new data, you can buy botnets that will collect user passwords on a site.

Things can get really expensive, from $1,000 to six digits, for really good databases that put various pieces of information together. Not just an address, but also email, phone number, account number, routing number, and so on. But this is also the price range where hackers can buy ransomware and exploits to steal information themselves. 

Sometimes, this type of info doesn’t even sell for a set price, but for a percentage of the eventual haul when a small town in Florida agrees to pay $500,000 to get back access to its computer systems.  

Given that the real money is for databases, the true hack targets are typically businesses. Because why hunt for Jane and John Doe’s details one by one when everybody’s info is at a centralized spot?

Almost makes you think someone should create a decentralized database.