Stolen Data on the Dark Web: What Companies Need to Know About Breach Monitoring

Over 24 billion stolen credentials are circulating on the dark web — and the number is rising. When a company is breached, it often takes only hours before the stolen data appears for sale on marketplaces, in Telegram channels, or on paste sites. For the affected organisation, a race against time begins: will the credentials be reset first, or exploited first?

What is traded on the dark web

Stolen data has a concrete market value. Prices vary depending on quality and freshness:

  • Individual login credentials (email + password): CHF 5-20 per record, more for fresh breaches
  • Fullz (complete identity packages) with name, address, date of birth, SSN/AHV number: CHF 50-200
  • Corporate VPN or RDP access: CHF 500-5,000+, depending on company size and industry
  • Credit card data with CVV: CHF 10-50 per card
  • Session cookies and API tokens: prices vary considerably, particularly valuable for cloud services

So-called Initial Access Brokers, who resell corporate access to ransomware groups, occupy a particularly lucrative niche in this market. A working VPN connection to a mid-sized company can serve as the starting point for millions in damages.

How corporate data ends up on the dark web

The most common pathways are well known — and yet underestimated:

  • Infostealer malware: trojans such as RedLine, Raccoon, or Lumma extract saved passwords, session cookies, and autofill data directly from the browser. A single infected workstation can yield dozens of credentials.
  • Phishing: despite all training efforts, phishing remains the most effective initial attack vector. Modern phishing kits replicate login pages pixel-perfectly and intercept credentials along with MFA tokens.
  • Third-party breaches: employees use corporate email addresses for external services. If one of these services is compromised, the credentials are exposed — and often identical to the corporate passwords.
  • Large database dumps: compilations such as COMB (Compilation of Many Breaches) bundle billions of older records. Anyone reusing passwords remains at risk years after the original breach.

According to the IBM X-Force Threat Intelligence Index, stolen credentials are the most common initial access vector in cyberattacks — ahead of phishing and vulnerability exploitation. This makes credential theft the linchpin of modern attack chains.

What breach monitoring delivers

Breach monitoring systematically searches the places where stolen data surfaces: dark web marketplaces, underground forums, paste sites, Telegram channels, and public database dumps. As soon as an email address, domain name, or corporate credentials are found, an alert is triggered.

The decisive advantage: proactive action rather than reaction. When the security team learns that an employee’s credentials have appeared on the dark web, it can reset the password and secure the account — before an attacker uses the data to access corporate systems.

Without monitoring, organisations typically only learn of compromised credentials once the damage has already occurred: through unauthorised access, data loss, or ransomware encryption.

One solution that provides this monitoring automatically is ExposIQ. ExposIQ systematically searches dark web sources for leaked passwords and compromised credentials belonging to organisations, delivering actionable results that enable immediate response.

Concrete protective measures

Breach monitoring alone is not enough. It requires an interplay of several measures:

  1. Implement breach monitoring: continuous monitoring of corporate domains and email addresses for dark web exposure. Services such as ExposIQ automate this process and deliver timely alerts.
  2. Enforce unique passwords: roll out an enterprise password manager (e.g. Bitwarden, 1Password Business). Every service receives its own randomly generated password. This eliminates credential reuse and ensures a single breach remains isolated.
  3. Enable MFA on all accounts: prioritise FIDO2/Passkeys for critical systems, and require at minimum app-based TOTP authentication for everything else. Use SMS-based MFA only as an absolute last resort.
  4. Detect credential stuffing: analyse authentication logs for patterns — numerous failed login attempts with different usernames from a small number of IP addresses indicate automated attacks using stolen credentials.
  5. Incident response plan for credential compromises: defined procedures for when employee credentials appear on the dark web, covering immediate password reset, session invalidation, a review for unauthorised access, and forensics if an infostealer infection is suspected.
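As an added illustration of measure 4 (not code from the original article or from ExposIQ), the following Python snippet runs the credential stuffing heuristic over a few constructed auth log lines: it flags source IPs whose failed logins spread across many different usernames within a short window, and distinguishes that from plain brute force against a single account. The log format, the five-minute window and the four-username threshold are assumptions for the example and should be tuned to the real log source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (sshd-style wording, RFC 5737 test addresses).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth: Failed password for alice from 203.0.113.7
2024-05-01T10:00:02Z auth: Failed password for bob from 203.0.113.7
2024-05-01T10:00:02Z auth: Failed password for carol from 203.0.113.7
2024-05-01T10:00:03Z auth: Failed password for dave from 203.0.113.7
2024-05-01T10:00:04Z auth: Failed password for erin from 203.0.113.7
2024-05-01T10:00:05Z auth: Accepted password for frank from 203.0.113.7
2024-05-01T10:00:09Z auth: Failed password for alice from 198.51.100.4
2024-05-01T10:00:40Z auth: Failed password for alice from 198.51.100.4
2024-05-01T10:01:10Z auth: Failed password for alice from 198.51.100.4
2024-05-01T10:30:00Z auth: Failed password for grace from 203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")

def parse_auth_log(text):
    """Yield (timestamp, result, user, ip); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["ip"]

def detect_credential_stuffing(text, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs whose failed logins cover >= min_users distinct usernames
    inside a sliding window. Repeated failures for ONE user is brute force, not
    stuffing, so 198.51.100.4 above is deliberately not flagged."""
    failures, accepted = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse_auth_log(text):
        (failures if result == "Failed" else accepted)[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        hits, start = set(), 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide window start forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits |= users
        if hits:
            # A successful login from a spraying IP is the alert to act on first.
            flagged[ip] = {"users": sorted(hits),
                           "accepted": sorted(u for _, u in accepted[ip])}
    return flagged
```

On the sample data only 203.0.113.7 is flagged, together with the account (frank) that it did log into successfully, which is the one to reset and investigate first.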

The time factor

Europol states repeatedly in the Internet Organised Crime Threat Assessment (IOCTA) that stolen data is monetised within hours to a few days after a breach. The Swiss National Cyber Security Centre (NCSC) confirms that credential-based attacks are among the most frequent threats to SMEs in Switzerland as well. And the statistics from Have I Been Pwned show: over 14 billion accounts are contained in documented breaches — many of them with reused passwords.

Anyone not actively monitoring whether their own corporate data is circulating on the dark web is flying blind.

How Zerberos can help

Zerberos provides penetration testing, social engineering assessments, and risk assessments to evaluate your organisation’s resilience against credential-based attacks. We simulate realistic attack scenarios — from phishing campaigns and credential stuffing to the exploitation of leaked credentials — and identify exactly where action is needed.

For ongoing monitoring, we recommend ExposIQ as a breach monitoring solution that continuously checks your organisation for exposed credentials on the dark web.

Contact: www.zerberos.com/kontakt
