A cybersecurity expert describes the underground hacker network where stolen usernames and passwords are 'traded like Pokemon cards'
- Hackers use secret networks to aggregate and trade millions of stolen login credentials and passwords, according to a cybersecurity expert.
- While high-profile data breaches make headlines, the real damage to individual users can be done in small increments in the months and years that follow using stolen login credentials.
- The practice of trading stolen passwords is only growing as aggregation software becomes more sophisticated and hacking becomes more profitable.
- Visit Business Insider's homepage for more stories.
If you're reading this, it's time to change all of your passwords.
That's because there's a good chance that your login information - or, at least, a past version of it - is circulating among secret networks where hackers trade stolen passwords or sell them for profit.
These secret networks are only growing, according to Alex Heid, chief research and development officer at SecurityScorecard, a cybersecurity firm.
"Within the hacking underground community, credentials are bought, sold, and traded for free like Pokémon cards," Heid said. "There are dozens of different hacking forums that have terabytes of information going back 10-plus years."
These forums primarily operate on the darkweb, a network of encrypted sites that don't show up in search algorithms. Login credentials and passwords that make it to these forums typically come from massive data breaches, which have happened frequently throughout the past year - in one recent example, 4.9 million DoorDash users' data were stolen just last week.
Hackers are using increasingly sophisticated database software to aggregate "combo lists" of millions of login credentials, according to Heid.
Even if hackers only have one set of credentials - for example, a user's DoorDash login - they can easily make inroads into the user's accounts on other sites. Hackers use "checkers," or programs that can take a user's email address and quickly determine if it's being used as a login on other sites. From there, hackers typically try to log into those other sites using the same password, betting that their targets use the same password across platforms. In many cases, they're successful.
"The people who are getting hit by that are the low-hanging fruit who reuse the same passwords," Heid said.
With hacking becoming increasingly profitable and hackers' software becoming more sophisticated, there's no indication that this trend will slow down any time soon. In the meantime, Heid advises that users change their passwords and ensure that passwords are different across different services.