Article Lead Image

Online criminals selling ecommerce passwords for $2 each

An online black market offers stolen passwords for Amazon, Apple, Walmart and more at shockingly low rates.


Curt Hopkins

Internet Culture

Posted on Dec 27, 2012   Updated on Jun 2, 2021, 4:42 am CDT

The ecosystem for online fraud is growing more complex by the season. A proponent might call it a jungle, but the rest of us would probably think of it as a cancer. And this cancer is more penetrative and adaptable than ever, according to Brian Krebs.

In a new report on his blog, Krebs on Security, the former Washington Post reporter outlines how “computer crooks are extracting and selling a much broader array of data stolen from hacked systems, including passwords and associated email credentials tied to a variety of online retailers.”

Most people are aware that credit card numbers are stolen and resold. What may be less well known is how logins receive a similar treatment.

Botnet creation kits come pre-packaged, and users use them to pull together systems of infected computers and extract the information from them. This includes, usually by default, interception and recording of website logins and passwords.

The denizens of the “Underweb” as the Internet demimonde is sometimes called, use hidden fora to advertise their stolen goods. Like a virtual chop shop, the parted-out bits of people’s online lives are offered for sale.

When it comes to ecommerce materials, the login/password combinations are offered either in bulk, or by retailer. So if you want, for instance, to make off with tons of electronics, you might elect to buy logins and passwords for

A bulk buyer can find some real super deals, if they’re willing to root around a bit. “One Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $150,” Krebs reported.

If you want to target a specific online retailer, however, you still aren’t going to pay much. At one site, Krebs found “usernames and passwords for working accounts at,,, all for $2 each.” He found and accounts at the same site for sale at $5 each.

Among the dozens of other sites for which Krebs found $2 logins were Amazon, Apple, Facebook, Macy’s and PayPal.

That’s not the end of the “ecosystem,” however. As Cory Doctorow points out on Boingboing, anyone using these accounts on a large scale will probably have “access to a stooge who does freight forwarding. The freight forwarder acts as a dead-drop for some other crook who’s wholesaling to dirty retailers, and so on.”

“(N)early every aspect of a hacked computer and a user’s online life can be and has been commoditized,” Krebs concluded. “If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. “

Photo by Daniel Oines/Flickr

Share this article
*First Published: Dec 27, 2012, 3:57 pm CST