Cyber hackers are trading online passwords of at least 178,000 accounts belonging to people in Northamptonshire every day in a bid to extort them for cash and goods, a group of undercover online moles has found.
And across the UK that number has spiked rapidly over the past four months, with an extra 1.4 million so-called "identities" being added to hidden "crypto" marketplaces since March in a shocking sign that illicitly obtained personal data has become one of the fastest growing tradeable commodities online.
So-called "dark web" marketplaces are now even offering money back guarantees for bulk purchases of people’s account passwords, which can come coupled with one or a mix of email addresses, credit card numbers, usernames and even personal details such as first cars and mothers’ maiden names.
Now Johnston Press investigations and the Northampton Chronicle and Echo has teamed up with London data firm C6 to reveal the true extent of the booming identity trade among the criminal underworld.
The study has revealed that in Northamptonshire a total of 178,207 are almost certainly unaware that, at the very least, their email address and password is on sale with the hardest hit postcode being the NN3 area - which includes the areas of Abington, Bellinge, Boothville, Weston Favell and Moulton in the East of Northampton.
The worrying numbers have been collated over a series of years by a team of cyber moles embedded in the murkiest reaches of the dark web, observing wholesale transactions through encrypted chat rooms.
Chief operating officer of C6, which runs the hasmyidentitybeenstolen.com website, Emma Mills, said the rapidly growing number of people at risk of being defrauded needs to act as a wake-up call.
She said: “As consumers, we have never really paid the price for fraud we’re used to the banks picking up the credit and debit card losses, we don’t see the downside to ourselves of being careless with our personal information.
“We don’t clearly understand the impact of having our identities compromised and how long and painful it is to re-build that genuinely, it causes problems with applying for credit or any other form of account.”
Often the online marketplaces sell only partial information about an individual that can be fledged out over a period of time.
One site visited by Johnston Press Investigations allowed users to bulk purchase Paypal accounts for one US dollar per account, with a minimum purchase of 100 at a time.
The store, which also purported to sell Ebay accounts, offered an 80 per cent working guarantee.
On its own, a person’s streaming service account details - a username and password - could be seen as innocuous. But profiles can then be ‘enriched’, often over a series of months, or even years.
If, like half of all internet users, a person uses the same password for multiple accounts those Netflix login details could be crucial to gaining access to a person’s email address - and with it a host of other accounts simply by pressing the ‘forgotten password’ button.
Once the identity is rich enough, fraudsters can open credit card accounts in a person’s name, buy goods and transfer money.
They can also sell on the so called -’full person profile’ in bulk.
Modern day gangs have a sophisticated hierarchy, Ms Mills said, operating in similar ways to a credit bureau, working from postcode area to postcode area, gathering details from a range of sources.
“They will have a group of people searching the electoral role, for example,” she added.
“They will start on a post code and start working through it.
“If someone knows your email, where you live and your date of birth it becomes quite a rich record.
“Once that information is gathered they can then sell it to a gang to ‘phish’ for your banking details.
“They will sit between you and the genuine site watching your keystrokes on the computer, they will know when you are logged on to your internet banking account.
“When you enter the 4th, 5th and 6th digit of your password they will know that.
Then they will be patient.
“They will watch you log in on multiple occasions until they have built up a full picture of you.”
And while early dark web sites were largely text-only, many are ditching their functional aesthetics in favour of more user-friendly interfaces.
“These sites are just like any online shopping site now,” said Ms Mills.
“You can find which bank you want to buy details from, you can select what bank of card you want to buy. You could choose to buy gold cards for example.
“Depending on what that brand indicates, that gives them an idea of the credit worthiness of its owner.
“They will even issue you with a money back guarantee if you cannot make the transaction work within 24 hours.
“Some of them offer good customer service - some have a helpdesk. The idea is they want you to continue to go back.”
The ability to steal details en masse represents a far cry from the fraudsters of the 1990s seen hanging outside call centres in the hope of convincing employees to evince confidential information.
And the number of stolen identities being traded online is rising at an alarming rate.
In March, 9.3 million UK identities were circulating in the hidden web to C6’s knowledge. As of July that total had risen to 10.8 million.
Ms Mills said that the amount of personal data for sale spikes whenever a major company’s data has been breached. But a company spokeswoman added that a spike has been in progress for the last three months, leading to the possibility that the recent Wannacry attack and other large scale breaches, such as that on AA customers, could be a contributing factor.
But, perhaps more concerning, is the theory that the recent rise could be down to a number of unreported hacks that companies are unwilling to disclose through fear of reputational damage.
“Things like the Ashley Maddison breach - a massive spike, the Talk Talk breach, a massive spike,” Ms Mills said.
“It comes in in a big bulk and gets divided out for criminal gangs to do things with.”
Ms Mills said C6 Intelligence sees spikes of data entering the dark web long before companies have told their customers, though she praised Talk Talk as one of the few exceptions.
In 2014, C6’s online moles saw a massive rise in customer details from a range of telecommunications companies on the dark web, not just Talk Talk.
“Either the same consumers were hacked because they were using the same username, e-mail password combinations,” said Ms Mills. “Or other organisations were similarly hit and did not disclose it.”
C6, owned by Acuris, has been researching this type of data since 2002 and works by updating a database of known records being traded in the far reaches of the dark web.
Its website, hasmyidentitybeenstolen.com, allows users to see whether their address or data has been compromised.