The underground economy of stolen passwords: from Facebook profiles at €40 to corporate access worth millions

The old walls have come down. What replaces them remains unclear.
A reflection on how password security, once the foundation of digital safety, has become insufficient against modern threats.

94% of users reuse passwords across multiple services, enabling attackers to exploit a single breach through credential stuffing across hundreds of platforms simultaneously. Corporate access credentials command premium prices (average €2,300) as specialized 'Initial Access Brokers' sell VPN and administrator-account access into enterprises for use in ransomware and data-theft operations.

  • 94% of users reuse passwords across multiple services
  • Facebook accounts sell for €40; corporate access averages €2,300 but can exceed €96,000
  • AI-generated phishing achieves 54% click rates versus 12% for traditional phishing
  • 77% of workers paste confidential data directly into AI tools on personal accounts
  • Over 225,000 OpenAI and ChatGPT credentials were found for sale on the dark web

A clandestine global market for stolen credentials has industrialized, with prices ranging from €40 for Facebook accounts to €96,000+ for corporate access, driven by AI, password reuse, and Telegram-based operations.

There was a time when passwords felt like walls. A sequence of letters, numbers, and symbols stood between your private life and the rest of the world. The internet ran on a simple faith: security meant memorizing increasingly impossible combinations, changing them every three months, adding special characters. For years, that logic held.

It doesn't anymore. A sixteen-character password is nearly worthless if malware steals it directly from your browser before you even finish typing. The problem is no longer that passwords are weak. The problem is that passwords themselves have stopped being enough.

Around that fragility, a vast underground economy has taken root. A global market in digital theft, powered by artificial intelligence, automation, and messaging platforms like Telegram, where millions of stolen credentials circulate like raw materials. Cybercrime has become industrialized. Security experts call it CaaS—Cybercrime as a Service—an ecosystem where one criminal steals data, another sells access, a third writes malware, and a fourth executes the final attack. The dark web has transformed too. The old hidden forums now serve mainly as reputation-building storefronts. The real business happens in private Telegram channels and automated bots that sell stolen credentials in seconds.

The pricing is straightforward and brutal. A hacked Facebook account goes for around forty euros. Gmail credentials fetch fifty-five. Stolen credit cards with CVV codes run between nine and thirty-five euros. But the real money is in corporate access. Specialized criminals called Initial Access Brokers sell entry points into companies—VPN credentials, remote desktop logins, administrative accounts that can be used to steal information or deploy ransomware. These sell for an average of twenty-three hundred euros, though some privileged access commands prices above ninety-six thousand.

This market thrives because users keep doing the same thing experts have begged them to stop: reusing passwords. According to data cited by Verizon, ninety-four percent of passwords are used on two or more services. When one platform leaks, attackers automatically test those same credentials on hundreds of other sites. It's called credential stuffing, and it works because millions of people use the same password for email, Netflix, and online banking. If your password leaks somewhere, security experts say, you can't just change it on that one site. You have to change it everywhere you used it.
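The credential-stuffing pattern described above is visible in ordinary authentication logs: one source tries many different accounts in a short burst, most of them failing, and the few that succeed are exactly the reused passwords that must be reset everywhere. The detector below is an added example written for this article, not code from the article or any vendor; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not from the article): one source
# tries six accounts in seconds; the other is one user retyping a password.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=carol result=OK
2024-05-01T10:00:03Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:01:10Z src=198.51.100.9 user=grace result=FAIL
2024-05-01T10:01:40Z src=198.51.100.9 user=grace result=OK
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Turn log lines into (timestamp, src_ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts inside one window with
    a high failure ratio (one user failing repeatedly is not flagged).
    "compromised" lists accounts that logged in OK from a flagged IP: their
    password was most likely reused and leaked elsewhere, so reset it everywhere."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            ratio = sum(1 for e in win if not e[3]) / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                alerts[ip] = {"users": len(users), "fail_ratio": round(ratio, 2),
                              "compromised": sorted(e[2] for e in win if e[3])}
    return alerts
```

Running `detect_stuffing(parse(SAMPLE_LOG))` flags only the first source and names `carol` as the account whose reused password was accepted; the second source, a single user retrying, is left alone.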

But users are now revealing their own credentials without any help from criminals. They're handing them to artificial intelligence. According to a recent report from cybersecurity firm Check Point Software, companies are discovering that employees routinely copy and paste internal documents, code, contracts, and sensitive data directly into ChatGPT to summarize text, draft emails, or automate tasks. Data from LayerX shows that forty-five percent of workers use AI tools regularly, and seventy-seven percent paste confidential information directly into their queries. The catch: most of this happens on personal accounts that companies don't monitor. Security experts call it shadow IT—technology used outside official company controls. A massive blind spot for security departments. Group-IB found more than two hundred twenty-five thousand credentials linked to OpenAI and ChatGPT accounts being sold on the dark web after being stolen.
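One control a company can put in front of the shadow-IT pasting described above is a pre-submission scan that flags labelled credentials and random-looking tokens before text leaves the browser or the clipboard. The scanner below is an added example written for this article, not code from Check Point, LayerX or Group-IB; the sample paste, the keyword list and the entropy threshold are constructed assumptions.

```python
import math
import re

# Constructed sample of text a worker might paste into a chat assistant (not
# from the article): a contract excerpt with a password and a bearer token.
SAMPLE_PASTE = """\
Service agreement draft v3 - please summarise the termination clause.
Staging login: user=svc_reports password=Winter2024!Report
Webhook auth header: Bearer q8Zx3vT1mNp6bK0wLr9sYc2dHf5jGu
Clause 9: either party may terminate with 30 days written notice.
"""
# Labelled assignments such as password=..., api_key: ... (case-insensitive).
ASSIGN_RE = re.compile(
    r"\b(password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*(\S+)", re.I)
# Bare tokens long enough to be a credential; kept only if high-entropy.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9_\-]{20,}\b")

def shannon_entropy(s):
    """Bits per character; random keys score high, ordinary words score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s))
                for c in set(s))

def scan_for_secrets(text, entropy_threshold=3.5):
    """Return (redacted_text, findings); findings is a list of
    (line_no, kind, value) for every suspected secret in the text."""
    findings, out_lines = [], []
    for no, line in enumerate(text.splitlines(), 1):
        hits = [(kind.lower(), val) for kind, val in ASSIGN_RE.findall(line)]
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= entropy_threshold and \
                    tok not in (v for _, v in hits):
                hits.append(("high-entropy", tok))
        for kind, val in hits:
            findings.append((no, kind, val))
            line = line.replace(val, "[REDACTED]")
        out_lines.append(line)
    return "\n".join(out_lines), findings

def safe_to_submit(text):
    """Gate for a paste or prompt: True only when nothing secret-like is found."""
    return not scan_for_secrets(text)[1]
```

The scan catches the labelled password by keyword and the bearer token by entropy alone, while the plain contract language passes untouched.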

AI is also sharpening the attackers' own tools. Phishing emails now arrive written by artificial intelligence: no spelling errors, no generic messages. They're perfectly composed, personalized, and far more convincing. According to Brightside AI, phishing campaigns generated with AI achieve click rates of fifty-four percent, compared to twelve percent for traditional phishing. The old walls have come down. What replaces them remains unclear.

The Hearth Conversation: Another perspective on the story
Inventor

Why does a Facebook account cost forty euros but corporate access costs thousands? What's the actual difference in value?

Model

A Facebook account is personal—it might have some embarrassing information, but it's a dead end for most attackers. Corporate access is a door into a company's entire network. Once you're inside, you can steal intellectual property, deploy ransomware, hold the company hostage. That's why Initial Access Brokers exist. They're specialists in finding those doors.

Inventor

You mentioned that ninety-four percent of people reuse passwords. That seems almost willfully reckless.

Model

It is, but it's also human. Asking someone to remember a unique, complex password for fifty different services is asking them to do something their brain isn't built for. So they don't. They use the same password everywhere, and when one service gets breached, they're exposed everywhere.

Inventor

The part about employees pasting secrets into ChatGPT—that's almost absurd. They're handing their own credentials to AI?

Model

Not intentionally. A worker wants to summarize a contract quickly, so they paste it into ChatGPT. They don't think about what's in that contract—maybe a password, maybe an API key, maybe a client list. It's shadow IT. It happens on their personal account, outside company oversight. The company has no idea it's happening.

Inventor

And AI is also making phishing more effective. So the attackers are getting smarter at the same time users are getting more careless.

Model

Exactly. Traditional phishing emails were obviously fake—generic greetings, spelling mistakes, awkward phrasing. AI-generated phishing is indistinguishable from a real email from your boss or your bank. The click rate jumped from twelve percent to fifty-four percent. That's a massive shift in the attacker's favor.

Inventor

What does this mean for someone trying to actually protect themselves?

Model

Change your passwords everywhere, use a password manager so you're not reusing them, and be extremely careful what you paste into AI tools. But honestly, individual behavior can only do so much. The real problem is systemic. Companies need to monitor what employees are doing with AI. Users need better tools. The whole infrastructure of password-based authentication is breaking down.
