Ever wondered why would anyone bother to steal something like one billion Yahoo user account names, passwords and email addresses? At first glance, such information doesn’t seem like the most valuable asset. But to those who know how to make use of it, this data is a great tool to commit identity theft, fraud, or simply drain an unsuspecting victim’s banking account. Because of that cybercriminals are willing to pay for your stolen information. Here’s how much.

Stolen data.jpg

Like all markets, the one for stolen data is also run by the forces of supply and demand. The price of your information is determined not so much by how potentially profitable or damaging it could be – but rather by how clumsily it is protected. The easier certain types of information are to steal, the greater abundance of such information is out there for sale – hence, the lower price. And unfortunately, some of the things that may damage your life the most are actually pretty cheap.

Medical records: fraction of a cent to $2.50

The thing about medical records is that they are probably the easiest to steal. Hospitals tend to use legacy systems, neglect updating their software, and disregard security concerns altogether. In the same time, complete medical records can include everything from a person’s full name and date of birth, through their Social Security Number, to financial and account information, insurance, and government identifiers.

Sounds scary. But the scarier part is that such an awesome toolkit for identity theft comes at a maximum price of about $2.50, according to McAfee. Most medical records, however, are sold for fractions of a cent.

Paid service accounts: $2 to $15

Hackers and cybercriminals don’t bother only with obvious things like bank account info. According to a report by Trend Micro, the credentials for services like Netflix, Hulu Plus, and Spotify are sold at prices of $2 to $9 apiece. And those for Sirius Satellite Radio can cost up to $15. Why would anyone buy that? Enjoying some free entertainment at your expense is just part of the reason.

Most of their value, however, comes from the fact that those services are linked to financial instruments, thus creating a backdoor for accessing credit card information. As a bonus, the user is used to seeing charges for these services in their credit card statements, so they often don’t spot any fraudulent charges.

Payment card data: $5 to $45

Surprisingly, credit cards are not much higher on the pricelist. Their value varies by region, with US-issued ones being the cheaper kind, while those from the EU are the most expensive – due to US cards lacking the built-in EMV chip that provides extra security. And the price cards are sold at is also determined by how additional much information is included in the package.

Just a valid credit card number, referred to as “a random” by sellers, can cost between $5 and $8 for a US card, and $25 to $30 for a EU one, according to McAfee. The more personal information about the user you add to that, the more the price increases, until you get to fullz type offerings that also include the bank account ID number, the user’s date of birth, billing address, PIN number, Social Security number, and even the username and password used to manage an account. With the latter, a criminal can completely hijack an account. Such a fullz pack costs just $30 for a US card and $45 for a EU one.

Pay service credentials: $20 to $300

There’s not that much a criminal can do with an online payment service account, other than simply drain it. So, the price of credentials for services like PayPal depend solely on how much money is in the accounts. In the abovementioned report, McAfee estimates the prices at $20 to $50 for an account that holds up to $1,000. When the amount of the money in the account is in the range of $5,000 to $8,000, the price of credentials for it is about $200 to $300.

Bank login credentials: $190 to $1,200

Banking login credentials offer criminals similar options, but with some extra secrecy and the ability to transfer funds safely to bank accounts of their own. And the price of such credentials on the stolen data marketplace again ranges depending on geography and the balance of the victim’s account. The price could be as low as $190 for an account with $2,000 in it, to $900 for a UK account with $16,000 in it, or $1,200 for a US account with a $20,000 balance.

There are two main takeaways from the prices listed above. First, information that can inflict serious damage to a person – from committing fraud while using their identity, to making their savings vanish – is often sold for less than $100. And the second takeaway is that these prices are so low because individuals and institutions alike often neglect cybersecurity. Which makes it all the more imperative for everyone to take it seriously.