Cyber hackers trade more than 100,000 online passwords

As part of our ongoing analysis of the growing menace of cyber crime, an investigations unit set up on behalf of this paper’s parent company, Johnston Press, asked data experts to find out what information is being bought and sold to aid identity fraud.

They discovered that 34,793 records from Sunderland had been traded - such as email addresses and passwords - with the SR4 postcode, covering areas of the city such as Chester Road, High Barnes, Millfield and Pallion, most popular.

In South Shields, another 20,919 records had been purchased, with the NE34 area - including Harton, Horsley Hill, Marsden, Simonside and Brockley Whins - bearing the greatest risk.

Further down the A19, in Hartlepool, the experts found evidence that 8,732 pieces of information had been traded with the TS25 postcode - covering the likes of Seaton Carew, Owton Manor and the Fens - leading the way.

The information was provided for us by undercover moles monitoring transactions taking place within encrypted chatrooms on the dark web.

Emma Mills, chief operating officer of London-based C6 Intelligence Information Systems, which runs the hasmyidentitybeenstolen.com website, said such figures should act as a wake-up call to businesses and individuals alike to improve their online security.

She added: “We don’t clearly understand the impact of having our identities compromised and how long and painful it is to re-build that genuinely. It causes problems with applying for credit or any other form of account.”

One site visited by our investigations team allowed users to bulk purchase Paypal accounts for $1 per account, with a minimum purchase of 100 at a time.

The store, which also purported to sell Ebay accounts, offered an 80 per cent working guarantee.

As another example, we were told that a person’s streaming service account details - a username and password - could be seen as innocuous.

But profiles can then be “enriched”, often over a series of months or even years, before hackers pounce.

If, like half of all internet users, a person uses the same password for multiple accounts then those Netflix login details could be crucial to gaining access to a person’s email address - and with it a host of other accounts simply by pressing the “forgotten password” button.

Once the identity is rich enough, fraudsters can open credit card accounts in a person’s name, buy goods and transfer money.

They can also sell on the so-called ”full person profile” in bulk.

Modern gangs have a sophisticated hierarchy, Ms Mills said, operating in similar ways to a credit bureau, working from postcode area to postcode area, gathering details from a range of sources.

“They will have a group of people searching the electoral role, for example,” she added.

“They will start on a postcode and start working through it.

“If someone knows your email, where you live and your date of birth it becomes quite a rich record.

“Once that information is gathered they can then sell it to a gang to ‘phish’ for your banking details.

“They will sit between you and the genuine site watching your keystrokes on the computer, they will know when you are logged on to your internet banking account.”

Details of how many online addresses had been targeted in your specific postcodes are available by visiting hasmyidentitybeenstolen.com