How the illicit market driven by data breach sells your personal information to criminals

Every year, large-scale data breaches can harm the public. The goal is to store information about people's information. Each violation includes sensitive personal information such as credit and debit card numbers, home addresses, and usernames and passwords for hundreds of thousands (and sometimes millions of people).

In 2024, a national public data violated online background checks, the offender was given a name, address, date of birth and country identification numbers, such as the Social Security numbers of 170 million people in the United States, the United Kingdom and Canada. In the same year, hackers targeting Ticketmaster stole financial information and personal data from more than 560 million customers.

As a criminologist studying cybercrime, I have studied the ways in which hackers and cybercriminals steal and use people’s personal information. Understanding the people involved helps us better understand the ways in which hackers and data breaches are intertwined. In the so-called stolen data market, hackers sell personal information they illegally obtain to others, and they then use the data to commit fraud and theft to make a profit.

Quantity issues

Every personal data captured in a data breach - a passport number, a social security number or a login for a shopping service - has inherent value. Criminals can use this information in different ways. They can assume someone else’s identity, make fraudulent purchases or steal services such as streaming or music.

The amount of information that can be stolen through data breaches, whether it is a Social Security number or credit card details, exceeds any set of criminals that can effectively process, verify or use within a reasonable time. The same goes for millions of email account usernames and passwords, or access to streaming services that data breaches may be exposed.

This quantitative question has made information, including personal financial data, part of the larger online economy of cybercrime.

For example: In the title of the following chart, we do not need periods.

The sales of data (also known as combing) references the abuse of stolen credit card numbers or identity details. These illegal data markets began in the mid-1990s by using credit card number generators used by hackers. They share a program that generates randomly generated credit card numbers and details, and then check to see if fake account details match the active card, which can then be used for fraudulent transactions.

With more financial services created and allowing customers to access their accounts over the Internet, it has become easier for hackers and cybercriminals to steal personal information through data breaches and phishing. Phishing involves sending people compelling emails or SMS messages to trick them into giving up sensitive information, such as logins and passwords, usually by clicking on a wrong link that seems legitimate.

One of the first phishing options for American online users to get their account information to use their internet services for free.

Screenshot of email with prominent red button that reads update account immediately
This phishing attack email is a fabricated message designed to steal account information by inducing the recipient to click the Update Account Now button and enter a fake order. Federal Trade Commission

Stolen data for sale online

A large number of information criminals are able to steal from these programs, resulting in more vendors providing stolen data to others through different online platforms.

In the late 1990s and early 2000s, criminals used Internet relay chat or IRC channels to sell data. IRC effectively allows people to communicate in real time like modern instant messaging systems. Criminals use these channels to sell data and hacking services in effective places.

In the early 2000s, vendors transitioned to online forums, and individuals promoted their services to other users. The forum quickly gained popularity and became a successful business as suppliers sell credit cards, malware and related goods and services to abuse personal information and achieve fraud.

Since then, one of the more outstanding forums is ShadowCrew, which was founded in 2002 and was knocked out by joint law enforcement operations in 2004 until it was knocked out in 2004. Their members have trafficked more than 1.7 million credit cards in less than three years.

Forums are still very popular, although vendors transition to running their own web-based stores on the Open Internet and Dark Web, an encrypted part of the web that can only be accessed through professional browsers such as Tor in the early 2010s, starting in the early 2010s. These stores have their own URL and unique brands to attract customers, and they work the same way as other e-commerce stores. Recently, vendors of stolen data have also started running on messaging platforms such as telegrams and signals to quickly contact customers.

Cybercriminals and clients

Many of the people who supply and operate the market appear to be cybercriminals from Eastern Europe and Russia who steal data and sell it to others. Although there is no equal popularity in the global cybersecurity landscape, markets have also been observed in Vietnam and other parts of the world.

Customers in the stolen data market may be located anywhere in the world, and their demand for specific data or services may drive data breaches and cybercrime to provide supply.

goods

The stolen data is usually available in a single lot, such as a person’s credit or debit card and all information related to the account. The prices of these works are priced separately, and the fees vary depending on the location of the victim and the amount of data available for the affected account.

Suppliers often offer discounts and promotions to buyers to attract customers and stay loyal. This is usually done with a credit or debit card that is about to expire.

Some suppliers also offer different products, such as credit reports, social insurance numbers and login details for different paid services. The prices of information vary. A recent analysis found that credit card data is sold for an average of $50, while Walmart login is sold for $9. However, prices vary widely between suppliers and markets.

Illegal payment

Suppliers usually accept payments through cryptocurrencies such as Bitcoin, which are difficult for law enforcement to track.

Bitcoin ATM with Bitcoin logo on its large screen with a small keyboard at the bottom
Bitcoin is often used as payments that cause information because it is difficult to track. AP Photos/Charles Krupa

After payment is received, the supplier publishes the data to the customer. Customers take a lot of risks in this market because they cannot complain about fraudulent sales to police or market regulators.

The vendor may send a death account to customers who cannot use or do not provide data at all. This scam is common when buyers can only rely on signals from supplier trusts to increase the chances of purchased data, and if so, it is common. If the data they purchase is practical, they can use it to make fraudulent purchases or financial transactions to make a profit.

The rate of return may be an exception. If only 20 cards are active, criminals who can be used to recover 100 cards can recover the fee and can be used to purchase an average of $30. The result is that data breaches may continue as long as there is a need for illegal, profitable data.

This article is part of the series on data privacy, which explores who collects your data, what it collects, who and who sells and buys your data, all of them work on it and what you can do.