Cyber-thieves waste no time in exploiting stolen personal data following successful data breach attempts, notes a study conducted by the Federal Trade Commission.
Hackers make unauthorised access attempts using stolen e-mail addresses, credit card numbers and payment accounts within hours of a breach.
To find out what happens to confidential personal data of citizens following a data breach, the FTC's Office of Technology Research and Investigation created 100 bogus customer accounts that included details like names, addresses, phone numbers, e-mail addresses, passwords, credit card numbers, online payment account details and Bitcoin wallets, and posted them on the web.
Hackers access DocuSign customer e-mails addresses, initiate massive phishing campaign
"There's a real mystery of what happens to consumer data when it becomes public. Our goal was to make this customer database look as realistic as possible," said Dan Salsburg, chief counsel and acting chief of the FTC's Office of Technology Research and Investigation.
The researchers posted the details twice, once on 27th April and then on 4th of May. They detected first unauthorised access attempts within 1.5 hours on April 27th and within 9 minutes on 4th of May. The total number of unauthorised access attempts rose to 1108 within two weeks.
The total number of unauthorised access attempts on e-mail addresses rose to 466 by the second week. At the same time, fraudsters tried to use stolen credit card details to conduct purchases worth $12,825.53 within two weeks. The largest attempted transaction was of $2,697.75 at a clothing website, followed by other attempts at online dating services, pizza places, and hotels.
GameStop data breach: Hackers offering stolen card details for sale
Out of 441 attempted purchases using leaked credit card numbers, only one was above $2000 but 17 of them were between $100 and $1000. As many as 137 attempts were either equal or less than $1, while 119 attempts were between $1 and $5. As many as 52 attempts were made to purchase products worth between $20 and $30 and 43 between $5 and $10.
The research revealed that there is more than a 90% chance of leaked or stolen data being used by fraudsters, with the percentage rising to over 95% in case of leaked credit card numbers and e-mail accounts. Such unauthorised access attempts can be plugged using two-factor authentication, blocking of seriatim purchase attempts by online portals and monitoring of paste sites by email and payment service providers.