Data Breach: How Your Info is Sold Online
- Massive data breaches continue to compromise personal information, creating a thriving, yet hazardous, online economy.
- In 2024, National Public Data, a background check company, suffered a breach impacting 170 million people across the U.S., U.K.,and Canada.
- Thomas Holt, a professor of criminal justice at michigan State University, researches cybercrime.
Data breaches are a goldmine for cybercriminals. Your personal information, from credit card numbers to passwords, is actively traded in online stolen data markets. In this report, understand how these breaches fuel cybercrime and the risks involved, with hackers leveraging stolen data for widespread fraud and theft. Massive breaches at companies like National Public Data and Ticketmaster underscore the scale of the problem. Discover the dynamics of the “carding” economy,where data is sold in individual lots and the role of cryptocurrency in these transactions. News Directory 3 insights reveal the evolving tactics used by vendors and the dangers buyers face in this illicit world. What’s ahead for the fight against these threats?
How Data Breaches Fuel Cybercrime and Online Stolen Data Markets
Updated June 10, 2025
Massive data breaches continue to compromise personal information, creating a thriving, yet hazardous, online economy. These breaches, targeting entities from email providers to government agencies, expose sensitive data like credit card numbers, addresses, and passwords for countless individuals.
In 2024, National Public Data, a background check company, suffered a breach impacting 170 million people across the U.S., U.K.,and Canada. Similarly, a Ticketmaster hack compromised the financial and personal data of over 560 million customers. These incidents highlight the scale of the problem and the vulnerability of personal data.
Thomas Holt, a professor of criminal justice at michigan State University, researches cybercrime. he studies how hackers steal and leverage personal information, noting that stolen data markets facilitate fraud and theft for profit.
Every piece of stolen data,from passport numbers to shopping service logins,holds value. Cybercriminals exploit this information for identity theft, fraudulent purchases, and service theft, such as accessing streaming media.
The sheer volume of stolen data, including Social Security numbers and credit card details, exceeds the capacity of individual criminal groups to process and use efficiently. This “quantity problem” drives the sale of personal financial data within the cybercrime economy.
The sale of stolen data, also known as carding, involves the misuse of stolen credit card numbers and identity details. These markets emerged in the mid-1990s with hackers sharing programs to generate and validate credit card numbers for fraudulent transactions.
As online banking grew, hackers found it easier to steal personal information through data breaches and phishing. Phishing involves tricking individuals into revealing sensitive information via deceptive emails or texts.
The abundance of stolen information led criminals to offer data through various online platforms. In the late 1990s and early 2000s, Internet Relay Chat (IRC) channels became popular for selling data and hacking services.Later, web forums emerged, with vendors selling stolen credit cards and malware.
ShadowCrew, a prominent forum in the early 2000s, trafficked over 1.7 million credit cards before being shut down in 2004. While forums remain popular, vendors have transitioned to web-based shops on the open internet and dark web as the early 2010s. Messaging platforms like Telegram and Signal are also used to connect with customers.
Cybercriminals from Eastern Europe and Russia often supply and operate these markets, stealing data and selling it to others. Customers can reside anywhere in the world, and their demands drive data breaches and cybercrime.
Stolen data is typically sold in individual lots, such as a person’s credit card and associated information. Prices vary based on card type, victim location, and available data. Vendors often offer discounts and promotions, especially for expiring credit or debit cards.
Some vendors offer credit reports, Social security numbers, and login details for paid services. A recent analysis found credit card data selling for an average of $50, while Walmart logins fetched around $9. Prices, tho, can fluctuate.
Payments are typically made through cryptocurrencies like Bitcoin, which are tough to trace. once payment is received, the vendor releases the data. However, buyers face important risks, including scams involving dead or unusable accounts.
Despite the risks, the potential return on investment can be high. An offender buying 100 cards for $500 can recoup costs if only 20 are active and used for an average purchase of $30. Provided that demand for illicit data persists, data breaches are likely to continue.
What’s next
Efforts to combat data breaches and cybercrime will likely focus on enhanced security measures,stricter regulations,and international cooperation to disrupt illicit markets and prosecute offenders.