E-mail accounts are among the most commonly stolen data on the dark web. The amount of stolen personal data on the dark web increased by a total of 17.9% in the first six months of the year.

In the first six months of 2023, fraudulent activity by hackers around the world continued to increase. The number of accounts whose credentials were compromised increased significantly, often in combination with other data that is extremely valuable to hackers. As a result, the number of alerts sent relating to data on the dark web also grew, totaling 911,960. This represents a 17.9% increase compared to the second half of 2022. On the other hand, the number of alerts sent relating to data on the open web was more than 45,600, down 26.9% compared to the same period.

The most commonly stolen data type on the web
Analysis of the data from the first half of 2023 shows that e-mail addresses are the most common category of data circulating on the dark web and therefore more vulnerable to hackers. These are followed by passwords and usernames in second and third place, then postal addresses and telephone numbers.

A qualitative analysis of the domains shows that the e-mail accounts detected on the dark web refer to personal accounts in 90.7% of cases, while in the remaining 9.3% of cases they are business accounts, with an increase of 3.7% in the latter case compared to the second half of 2022.

Together with e-mail addresses, the Cyber Observatory data shows that telephone numbers have also become increasingly valuable personal information that needs to be better protected, because they allow the victim’s profile to be completed. In fact, the combination of this with a password was detected in 29% of cases. This exposes victims to the possibility of receiving more credible fraudulent messages, such as those relating to the authorization of fake payments or blocked accounts. Often these smishing messages (SMS phishing) contain malicious links that encourage victims to click and provide additional data to the fraudsters, allowing them to geolocate victims’ devices and reconstruct their identities. Another very dangerous type of attack is known as SIM swapping, which involves obtaining the victim’s phone number to allow fraudsters to access certain services without the victim’s consent (bypassing two-factor authentication).
As a result, telephone numbers play a key role and, when combined with passwords, increase the vulnerability of victims. Indeed, this combination of data theft more than tripled compared to the second half of 2022, with an increase of 372%. In addition, among the main combinations of data collected on the dark web, e-mail addresses are very often associated with a password (92.3% of cases), just as passwords very often appear with usernames (62.5%).

Theft of credit card data
Looking at the continents most subject to the exchange of illicit data concerning credit cards, North America is in 1st place, followed by Europe, which saw a 90.8% increase in fraud compared to the first half of 2022. With regard to this data, it is important to note that very often, in addition to the credit card number, the CVV and expiry date of the card are also present on the dark web (95.5% of cases). In the end, therefore, criminals almost always manage to get hold of all the data on a card.

Use of stolen accounts
Interestingly, the analysis shows that most of the stolen accounts and data are then used by hackers to illegally enter entertainment sites (35.6%) followed by social media (21.9%) and e-commerce accounts (21.2%) using victims’ credentials. The theft of these accounts can have direct financial consequences for victims, and this phenomenon increased significantly compared to the second half of 2022. In fourth and fifth places are the theft of accounts relating to payment service websites and forums (18.8%) and financial accounts (1.3%), such as bank accounts, as well as marketplace accounts, including international, which are increasingly falling within the sights of hackers. In fact, the most affected e-commerce category is clothing sector platforms.

The situation in Switzerland
In the first half of 2023, the types of data most frequently collected on the dark web,
were the email credentials, followed by credit card number, IBAN and phone number: these precious data could be used to try to carry out scams, for example through phishing or smishing.

Looking at the most common passwords found on the dark web, for Swiss we find in the first places simple sequences of numbers, such as 123456 and 123456789 and easy to remember terms, such as newsletter, password or qwerty.

CRIF Cyber Observatory
CRIF Cyber Observatory investigates the vulnerability of individuals and businesses to cyber attacks on the open and dark webs; it also indicates which items of information are most exposed, what details can be found on the internet and where the traffic in data is most concentrated. This survey was carried out with reference to the first half of 2023.