Billions of stolen usernames and passwords, including log-ins to bank accounts, are being offered to cybercriminals on the dark web, new research suggests. Cybersecurity firm Digital Shadows said it found more than 15 billion credentials in circulation on online marketplaces used by criminals. It said account details for internet services ranging from bank accounts to video and music streaming services were among those on offer at an average price of around £12, with bank and financial service accounts on sale for an average of £56 – although they could be sold for £400 or more depending on the “quality” of the account. Five billion of the identified credentials were assessed to be unique in that they had not been advertised more than once on a criminal forum. According to the research, banking and financial accounts made up around a quarter of those advertised. The cybersecurity firm said the number of stolen credentials available had quadrupled since 2018 as a result of more than 100,000 data breaches. Digital Shadows said it had alerted its own clients to more than 27 million credentials online which could be linked to them. It urged the public and businesses to follow basic cybersecurity principles, such as using different passwords for different accounts and activating additional layers of security for log-in such as two-factor authentication. The research warned that many online tools which could be used to target accounts were available to buy online for less than £3.50 and can be used with little technical expertise. Rick Holland, chief information security officer and vice president of strategy at Digital Shadows said: “The sheer number of credentials available is staggering and in just over the past one-and-a-half years we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them. “Some of these exposed accounts can have – or have access to – incredibly sensitive information. Details exposed from one breach could be reused to compromise accounts used elsewhere. Digital Shadows’ research also warned that as well as individuals, credentials providing access to large organisations and their systems were also being advertised. “The message is simple – consumers should use different passwords for every account and organisations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised,” Mr Holland said.