Hackers have a few different goals when it comes to using stolen data.
For the most part, it comes down to either using the data themselves to steal identities or selling the stolen data on the dark web to thieves who will then create accounts with the information. Some data breaches are discovered only after months-old or even years-old information turns up online, as in the Yahoo data breach, in which around one billion email addresses and passwords were found available.
But in a newly discovered event, hackers used the stolen information only minutes after it was posted to the web. How do security experts know? Because they planted the information themselves.
Researchers posted a trove of fake email addresses, passwords, credit card information, and more to a known site for accessing stolen data, then waited to see what happened.
The information was posted for 100 fake identities on two different dates, once in April and once in May. In April, it took one and a half hours before thieves attempted to use the information. In May, it took only nine minutes.
The Federal Trade Commission, which established the research project, uncovered an interesting set of behaviors among the thieves, who fell into two different types of user. The first type “tested” the information to see if it was actually valid, while the other group pounced on it immediately and attempted to make high-dollar purchases with it.
It literally takes only minutes for stolen information to be put to harmful purposes.
But there are still ways to reduce your risk of having your data used for identity theft, or at the very least to minimize the damage that thieves can do with it. Changing your account passwords regularly can mean that even if a thief finds or purchases your credentials, they won’t be able to use them for long.
Another helpful tool is two-factor authentication, something you should consider using on your most sensitive accounts. With this process, the thief must have not only your account number and password but also access to your smartphone, which receives a text message with an instant one-time-use PIN or code. The FTC’s researchers found that the fake information in their project was not used by thieves when the accounts had two-factor authentication enabled.