What’s In That Stolen Data?


In our last post, we showed you just how big those breaches are; the Target breach, for example, was like every single person in the Western United States having their credit card stolen. Now that we have a sense of scale, let’s talk about what those numbers represent and what that stolen information goes for on the black market. Time to go shopping.

$20-$135 Credit or Debit Cards

The breaches that get more attention are the ones that hit credit cards, for two reasons: they affect the credit card owner whose card has been stolen, and they affect the merchant that might be the target for fraud after the card is stolen. Home Depot and Target were among the largest breaches but certainly not alone. K-Mart and Dairy Queen were hit, as well as a host of other retail chains, mostly through their POS systems.

The going rate for a stolen credit card can vary a lot. Prices skew higher if the data is considered “fresh” or if the card has a guaranteed balance behind it. The Target cards, for example, started out on sale for $20-$135. Costs skew lower if the black market was flooded with a huge batch of stolen cards or the data is old, reaching as low as $2 a card.

Bottom line, credit cards are cheap because they are everywhere, and cheaper every day as more get dumped into the marketplace.

$27 Usernames and Passwords

These are some of the most common targets, and for most people a breach of them doesn’t register as an event more noteworthy than being told they have to reset their passwords. But usernames and passwords were among the most sought-after data, whether it was a small breach like CurrentC’s unspecified number of beta user email addresses stolen, eBay’s massive hemorrhage, or the Russian crime ring that managed to amass over a billion usernames and passwords.

Many people assume there’s no value in usernames and passwords but the market says otherwise. Twitter accounts sell at a higher value than credit cards because of what else they might unlock, and plum targets like eBay and PayPal user accounts sell on average for $27.

$0.10-$0.25 for Fullz

Instead of getting just one credit card or one username, for a bit more money you can buy what’s called in the black market ‘fullz’ — complete records of a person detailing most if not all of their personally identifying information. Names tied to addresses, phone numbers, date of birth, mother’s maiden name in some cases, social security numbers, as well as credit and banking information and any associated logins, are all the information someone needs to set up a fraudulent account somewhere else. The more breaches there are, the more data there is to aggregate into information that isn’t just used for a one-time cash grab but for deeper, ongoing fraud.

And while the potential for harm is greater to the individual, fullz are cheaper than ever before: $0.10-$0.25 apiece, and usually sold in bulk.

Why are fullz so cheap compared to credit cards? Perhaps a working credit card with a verified available amount is the path of least resistance when compared to committing large-scale identity theft, which requires a raft of raw data with no guarantee of a payout. It’s the sure thing versus a risky gamble.

The black market for stolen data is huge and its prices are low, a buyer’s market for criminals if there ever was one. Next time, we’ll look at what kinds of fraud you can cook up with stolen user credentials, credit cards and fullz.