Criminals can still harm citizens years later using logins and passwords stolen a decade ago; Kaspersky Lab experts reach this disappointing conclusion in their research. Details are in the Izvestia article.

The chronology of falling into the trap

In 2025, 88.5% of attacks were aimed at stealing accounts from online services. Personal data (full name, address) became the target in 9.5% of cases, and bank card data in 2%, according to a study by Kaspersky Digital Footprint Intelligence.

The stolen data is turned into a commodity, systematically processed, and used for subsequent targeted attacks, sometimes years after the initial leak.

Hacker
Photo: IZVESTIA/Yulia Mayorova

The analysis by cybercrime investigators identifies three main ways criminals collect data:

  • Sending by e-mail is a classic method, but it is losing popularity because of delays and blocking;
  • Using Telegram bots is the fastest way: data arrives in real time, and the use of one-time bots makes it difficult to track;
  • Automated control panels are professional tools that give attackers a web interface for managing attacks, automatically verifying data, and analyzing statistics.

This data is used for immediate monetization (withdrawing money, paying for goods); for subsequent attacks (phishing or hacking other services); and for targeted attacks and blackmail (especially when biometrics, document scans, or corporate accounts are stolen).

Alexander Vurasko, Director of Development at the Solar AURA External Digital Threat Monitoring Center, Solar Group, points to the increasing role of malicious bots in popular messengers.

— As accurately noted in the [Kaspersky Lab] study, very often mechanisms for sending data from phishing sites to a Telegram bot are used to obtain information.

The political context

"The market is influenced by many factors. For example, in the last four years, politically or ideologically motivated attacks have been recorded, as a result of which information is not sold, but is made publicly available," says Vurasko.

Telegram
Photo: IZVESTIA/Yulia Khramtsova

As for the Russian shadow market, in recent years the most common attacks have been thefts of messenger accounts, primarily Telegram.

— Such phishing attacks are distinguished by the fact that data is not accumulated for subsequent sale, and account theft occurs immediately at the time of the attack itself. Phishing sites allow you to bypass two-factor authentication: the victim enters a confirmation code on the phishing site himself, so there is simply no reliable protection mechanism other than user vigilance.

Vurasko distinguishes attacks by their type and by the data that ends up in the attackers' hands as a result.

— The first group is phishing: the instant theft of an account or the accumulation of an array of credentials to gain access to certain accounts (the proportion of theft of bank card data in Russia in recent years has been negligible, so it's primarily about credentials).

The expert considers attacks using stealer Trojans to be the second group.

"This is the theft of credentials; this is where databases of compromised accounts are accumulated in the format URL, login, password, which are subsequently sold," says Vurasko.

Smartphone
Photo: IZVESTIA/Eduard Kornienko

Another type is attacks on websites or an organization's network infrastructure. They can be extremely destructive, but as a result of such attacks attackers rarely gain access to credentials; what they mainly obtain is personal data of customers or employees.

"This is also important, but it usually doesn't lead to an immediate compromise of credentials," says Vurasko. "Often such databases are shared for free, because the main goal is to destroy the organization's infrastructure."

The demand for dossiers is growing

The cost of services in the field of illicit trafficking in personal data increased by about 5%, according to estimates by Viktor Ievlev, Director of Information Security at the Garda company.

"The cost of collecting personal data in some cases can reach up to 120 thousand rubles, depending on the method and complexity of the attack," Ievlev told Izvestia. "The cost of information search and collection services through OSINT has also increased by about 5%."

Money
Photo: IZVESTIA/Yulia Mayorova

According to him, more than 200 offers to collect information about a potential victim may appear in a month.

"And even more often, services for providing complete dossiers on citizens have become in demand, which often entails targeted phishing against certain categories of citizens," says the expert.


Stolen data is rarely used instantly. It enters the black market after passing through several stages:

— wholesale: data from various attacks is combined into archives (dumps) and sold "in bulk" at a price starting from $50;

— sorting and verification: analytically minded buyers check the validity of the data, combine information from various leaks into a single dossier on a person, and prepare it for resale;

— specialized retail: verified data is sold on darknet forums and via Telegram. Prices vary: a crypto exchange account costs an average of $105, access to an online bank $350, and access to a social network only $3;

— use for targeted attacks: the collected dossiers allow for sophisticated attacks, for example whaling aimed at top managers. Scammers use old leaks and open sources (OSINT) to compose a convincing phishing email that refers to real details from the victim's past.

According to Kaspersky Lab

Who sells and to whom

Usually, personal data is sold by those who stole it: hackers and cyber groups, says Viktor Ievlev. Their main clients are scammers.

"This is done primarily for the sake of money: the databases are resold on shady sites, in private chats or through intermediaries."

Fraudsters need up-to-date information about people in order to attack citizens and companies more precisely: to write and call on behalf of banks or government agencies, to choose an approach to the victim and, as a result, to try to gain access to accounts on the "Public Services" portal, banking applications and other online services.

Fraudsters
Photo: IZVESTIA/Dmitry Korotaev

"For example, the data of users of one of the social networks banned in the Russian Federation was leaked: since March 2022, more than 17 million records with personal data of Russian citizens have been stolen from there," says Ievlev. "Such leaks almost always lead to an increase in fraudulent attacks, because attackers have more information for plausible scenarios."

Presumably, this refers to a leak from Instagram (owned by Meta, an organization recognized as extremist and banned in the Russian Federation): in total, 17,015,503 social network IDs, 16,553,662 user names, 6,233,162 e-mail addresses, 3,494,383 phone numbers, 12,418,006 names and 1,335,727 addresses were found in the dump.

Samples are more expensive

The data seller is, one might say, a separate criminal caste, says Alexander Vurasko.

"They sell both individual large databases and samples. For example, an attacker wants to hack a dozen or two Facebook accounts (owned by Meta, an organization recognized as extremist and banned in the Russian Federation)," says the cybercrime investigator. "He can create a phishing site himself, promote it and attract victims, or he can buy data from stealers or from an already established network of phishing sites. At the same time, he can operate with parameters, for example, if he needs data from Facebook users from Russia. Naturally, samples are always more expensive. Or he can dig for free into old, already-used logs that are posted publicly."

Hacker
Photo: IZVESTIA/Sergey Konkov

Buyers of such databases usually know in advance why they need this information. This may be personal data for calling or sending phishing emails, or credentials for account theft.

Data records are worth their weight in gold

The most valuable data for cybercriminals is data that helps them "target" the victim more accurately and increase the credibility of their communication, Viktor Ievlev believes. This means the combination "phone – e-mail – name – address", nicknames and identifiers, as well as any information that can help restore access to accounts or bypass checks in order to get into other people's accounts, banking products and other digital services.

"Then the attackers usually try to collect as much information about the person as possible," says Ievlev. "Data from various leaks is glued together and supplemented with what can be found in open sources, such as social networks, ads, registries, and public mentions. The result is a detailed profile of a person or an employee of a company, and it's much easier to come up with a convincing phishing or social engineering scenario for such a profile."

A dangerous combination

More and more services are thinking about forced two-factor authentication due to the high risks of account hacking.

SMS
Photo: IZVESTIA/Yulia Mayorova

"It is more than possible to log in to a service using a login-password pair," says Alexander Vurasko. "Most Internet services are at risk, especially since phishing can easily bypass two-factor authentication, at least the types that are used on publicly accessible sites."

The most at risk are services that are easy to monetize: messengers, social networks, accounts in delivery services and marketplaces.

"However, almost all data has some value," the expert concluded.
