The data goldmine: Why forgetting to log out can cost you dearly

David Crookes finds out how much stolen Twitter accounts, hacked eBay pages and more are really worth.

Click to follow
The Independent Tech


Worth? £70

Bought by? Identity thieves and rogue cold callers.

How is the data obtained? Some thieves pretend to be a customer and talk customer service representatives into providing data. Sometimes – rarely – insiders sell records.

What can they do with it? Verified numbers can be used to find out where you are or where you have been at a certain time. "If a thief knew a number, they could do a reverse trace and find out where you live," says Raj Samani, VP CTO for McAfee EMEA.

Are you in danger? The more a thief knows about you, the more at risk you become.

How can you protect it? Companies use software to prevent data leaks. They train staff to spot thieves.

Expert view: "Rogue companies are making up to £30,000 a month, just on the trade of illegal information," says Raj Samani.


Worth? 3-6 per cent of the balance.

Bought by? Financial thieves.

How is the data obtained? Via fake websites or emails which trick victims into inputting their information.

What can they do with it? Withdraw cash or launder money.

Are you in danger? You could lose your entire life savings.

How can you protect it? Many banks have lots of added security – such as HSBCs Secure Key. Always go direct to a bank's website.

Expert view: "Cybercriminality was worth as much as £100bn last year," says Norton's Con Mallon. "Much of it is conducted by organised crime gangs with very large food chains."


Worth? £2+ or often up to 20 per cent of the balance

Bought by? Money launderers

How is the data obtained? Keylogging malware.

What can they do with it? A stolen gambling account will often be run in conjunction with a stolen credit card. A thief will credit the stolen account and then export winnings to a temporary bank account. Money can then be filtered out by Western Union or a mule.

Are you in danger? Winnings can be wiped and thieves could grab your username, payment card, security questions and bank account details. Three million account details were stolen from Betfair last September.

How can you protect it? Regularly change your password and check bank and card statements.

Expert view: "Hackers who steal these types of information rarely go on to commit the fraud," says Dave Whitelegg, of "They tend to sell it on. When they have lots of records, they break them down into small pieces, just like a jewellery thief would do."


Worth? 50p to £2 (for just the card)

Bought by? There are up to a dozen forums and sites trading credit card details. Anti-Virus maker McAfee says a full card (name, address, phone number, credit card details, password and pins) can fetch between £20 and £50.

How is the data obtained? Often via malware on a victim's machine, network attacks and skimming (running a card through a copy machine).

What can they do with it? Spend.

Are you in danger? You would have to prove your details were obtained fraudulently and that you had taken all necessary steps to protect them.

How can you protect it? Look out for the closed padlock symbol in your browser on retail websites and ensure the URL has https:// before the domain name.

Expert view: Dave Whitelegg of "Carders are not typically hackers. They tend to be in their early 20s and loners."


Worth (ie, how much would cybercriminals typically pay)? 0.02p

Bought by? Spammers

How is the data obtained? Not logging off or locking your device.

What can they do with it? Spammers can post rogue adverts on your account.

Are you in danger? Someone could be posting under your name, undermining your reputation.

How can you protect it? If using a public computer, ensure it doesn't remember your password. Put a lock on your phone's homescreen.

Expert view: "Prices fluctuate daily, even hourly, dependent on demand and quality of the supply," says Jonathan Krause, formerly of the Hi-Tech Crime Unit at New Scotland Yard and now boss of IT security firm Forensic Control. "Fred Bloggs' account with 28 followers would be worthless, but if you got the password for Stephen Fry's, with its two million followers, that's different."


Worth? 0.06p (if more than 100 friends)

Bought by? Spammers.

How is the data obtained? Often key logging: working out what you are typing and sending the information to thieves.

What can they do with it? Post spam links on your wall. People who are in your Friends list tend to be personal and more trusting, so they are more likely to click through.

Are you in danger? Your personal information will be at their fingertips.

How can you protect it? Keep your anti-virus package up-to-date. Don't store important personal information on Facebook.

Expert view: "You need to understand how data is stored and learn what steps you can take to protect it," says Forensic Control's Jonathan Krause. "Electronic storage of personal information isn't going to go away, so familiarise yourself with the basics and then keep up to date."


Worth? £50

Bought by? Financial thieves. Unchecked or unverified PayPal accounts without email sell for £6.50, a verified account without email for £10 and one with email for £13.

How is the data obtained? Thieves trick users into divulging information using phishing attempts.

What can they do with it? They can launder money or run up massive bills.

Are you in danger? The theft of a PayPal account has similar consequences to the theft of a bank account.

How can you protect it? Be careful when inputting your PayPal password that you are doing so on a machine scanned for viruses. Change your password often and ensure you are buying from a secure website.

Expert view: "Thieves can go after individuals or groups using malware and once they are into an account, they can pull all sorts of information: financial and personal," says Con Mallon, anti-virus software developer Norton's internet security expert.


Worth? 0.000025p

Bought by? Spammers.

How is the data obtained? Harvesting programs scour the web for text containing an @ character. Some newsletters use unsubscribe functions to verify addresses.

What can they do with it? Send lots of advertising junk. Usually for Viagra.

Are you in danger? You'll become a spam haven.

How can you protect it? Use a spare email address when registering on websites. Don't allow your email address to be published online.

Expert view: "Email addresses remain the biggest market, with a million verified email addresses ranging from £25 to £210," says security expert Eddy Willems. "They are cheaper than others, due to the basic nature of the information."


Worth? £8

Bought by? Financial thieves

How is the data obtained? Often from fake eBay emails, asking for accounts verification to be sent to

What can they do with it? They can use your account – and your reputation – to encourage people to buy items from them.

Are you in danger? Your hard won feedback can be in tatters. Personal data is also compromised.

How can you protect it? Only type passwords when you are safe.

Expert view: "If someone gets an email and password from one account, they could try it on others and strike lucky," warns David Emm from Kaspersky Lab.


Worth? Very little in financial terms

Bought by? Spammers or people behind distributed denial of service attacks are after "bot-infected" computers.

How is the data obtained? Internet bots are placed on your machine. They run automated tasks over the internet.

What can they do with it? A bot-infected computer could be used to attack websites or for a spam or rogueware campaign, sending out thousands of emails to victims.

Are you in danger? Most who have a bot-infected computer don't know.

How can you protect it? Be wary of clicking on shortened URLs. They can hide malicious links.

Expert view: "Researchers look at the murkier parts of the internet where criminals come together and buy, sell and barter data," says Con Mallon, Norton internet security expert. "Prices fluctuate massively. We found £9.30 bought 10,000 bots."