Stolen Apple account credentials can be acquired from 'dark web' markets for just $15

Account credentials for Apple's online services are being sold by online scammers for an average of $15.39, a report into stolen account sales on the 'dark web' reveals. Despite the seemingly low cost, Apple accounts appear to be priced higher than individual user accounts for a considerable number of other online destinations.

A person's entire online identity can be worth less than $1,200 to online criminals, according to research by VPN comparison site Top10VPN into the secretive online markets. The firm's Dark Web Market Price Index for February 2018 shows a wide difference in price for account credentials, ranging from hundreds of dollars for finance-related services down to sub-dollar accounts.

Apple's $15.39 price on the list indicates it is one of the more valuable offerings outside of the expected high-ticket listings. The use of the same account across Apple's various digital storefronts, along with access to the Apple Music streaming service and the potential personal data archive on iCloud, likely makes it a more attractive account type to acquire than others with fewer uses.

The list groups Apple with other "Entertainment Logins," which typically provide access to online content services. Against Apple's $15, Netflix is its nearest competitor in the category at $8.32, followed by Twitch at $2.08 and Ticketmaster at $2.07.

For social media accounts, Facebook is seen to be the most valuable at $5.20 per account, with LinkedIn, Twitter, and Instagram following at $2.07, $1.66, and $1.28 respectively.

Credentials for email accounts, usually treated as a main attack vector for other online services due to the high amount of personal information available to attackers, are worth even less. The popular Gmail and Yahoo accounts typically sell for just $1.04 each, while oddly AOL is the most expensive account in the category to acquire at $4.16.

Notably, Apple accounts also sell for more than credentials for accounts managed by major telecommunications firms in the U.S. The top end of the category lists Verizon at $15, followed by AT&T for $14.64, T-Mobile accounts at $10.51, and Rogers at $10.39, while Xfinity accounts fetch just $1.77 each.

None of the online shopping logins beat Apple either, though Macy's is closest at $15.34 per account, with eBay and Amazon lagging behind at $12.48 and $9 respectively.

At the top end of the scale are financial services, topped by working PayPal logins selling for $247 per account and Western Union logins for $101. Online banking, debit card, and credit card details fetch $160.15, $67.50, and $50 in turn.

Documents proving a person's identity, such as scans of utility bills or other forms providing sensitive details that could be used for scams, are traded for an average of $29.59, while passport scans are more expensive at $62.61 each.

The report was compiled by analyzing thousands of listings for stolen identification, hacked accounts, and personal information relevant to U.S. users that surfaced on three of the most popular dark web marketplaces. Relevant listings were categorized and combined to create average sale prices.

The price of each type varies depending on a number of factors, including funds available in accounts, the ease of accessing information that can be used in potentially more lucrative ways, and the ability to hijack the account for scams and other uses. Bundles containing large swathes of sensitive details about individuals are also popular on these markets.

Apple has taken steps to protect the privacy of its users, such as the inclusion of intelligent tracking prevention and differential privacy technology in Safari to prevent user data from being abused by nefarious websites, but users also have to take their own measures to safeguard their accounts. Apple provides the option to add two-factor authentication to accounts, which requires a secondary check to be made before an account can be accessed from a new device.