What Happens When Your Credentials Hit the Dark Web

After a data breach, stolen credentials follow a well-established path through underground markets to active exploitation. Understanding this journey helps you respond faster and protect yourself better.

1. From Breach to Market

The Journey from Data Breach to Dark Web Marketplace

When a company or service is breached, the attackers typically extract the database of user credentials within hours of initial access. The first step is cracking any hashed passwords — depending on the hashing algorithm used, this can take minutes (for MD5-hashed passwords) to years (for properly salted bcrypt or Argon2 hashes). Plaintext passwords or those hashed with weak algorithms are immediately usable; strong hashes require far more processing time, or may be left in hashed form for bulk sale.
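An added example (not from the original article) showing why the hashing algorithm in a breached database matters so much: an unsalted MD5 hash is a fixed, cheap fingerprint shared by every user with that password, while a salted, memory-hard hash is different per user and makes every guess expensive. It uses scrypt from Python's standard library as a stand-in for bcrypt/Argon2; the password and iteration counts are constructed.

```python
import hashlib
import hmac
import os
import time

def md5_unsalted(password: str) -> str:
    # The legacy scheme the article warns about: fast and unsalted, so two users with
    # the same password share one hash and a single guess is checked against all of them.
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_hash(password: str, salt: bytes = b"") -> tuple:
    # Memory-hard KDF from the standard library, standing in for the bcrypt/Argon2
    # class the article recommends. A fresh 16-byte salt makes equal passwords differ.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so verification leaks nothing about partial matches.
    return hmac.compare_digest(scrypt_hash(password, salt)[1], digest)

def hashes_per_second(fn, iterations: int, password: str = "Summer2023!") -> float:
    # Rough single-core throughput for one hashing scheme; absolute numbers vary by machine.
    start = time.perf_counter()
    for _ in range(iterations):
        fn(password)
    return iterations / (time.perf_counter() - start)

def slowdown_factor() -> float:
    # How many times more expensive one scrypt computation is than one MD5 computation here.
    fast = hashes_per_second(md5_unsalted, 20000)
    slow = hashes_per_second(lambda p: scrypt_hash(p, b"\x00" * 16), 5)
    return fast / slow

if __name__ == "__main__":
    salt, digest = scrypt_hash("Summer2023!")
    print("md5('password') =", md5_unsalted("password"))      # identical for every user
    print("scrypt salt/digest:", salt.hex(), digest.hex())    # differs on every run
    print("verify:", scrypt_verify("Summer2023!", salt, digest))
    print(f"scrypt is ~{slowdown_factor():,.0f}x slower per hash than MD5 on this machine")
```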

Freshly stolen credential databases are typically either sold privately to a small number of trusted buyers on private dark web forums, or auctioned to the highest bidder. Large, high-quality databases — particularly those containing verified credentials for banking or e-commerce sites, or databases with additional personal information like HKID numbers, phone numbers, and addresses — command premium prices. A verified database of credentials for a major Hong Kong bank could sell for significant sums in cryptocurrency on dark web markets.

Within days to weeks, credentials that have been validated against target services (i.e., confirmed to still work) are listed on dark web "combo list" markets or automated credential stuffing services. Some dark web services offer a subscription model where buyers can request credential checking against specific target sites. The full cycle from breach to active exploitation can complete in as little as 72 hours for high-profile targets, though many breached databases circulate for years before being fully exploited.

  • Immediate extraction: Stolen credential databases are extracted within hours of initial compromise
  • Hash cracking: MD5 hashes cracked in minutes; bcrypt/Argon2 may take months — algorithm matters enormously
  • Private sales first: Fresh high-value databases sold privately before public market listings
  • Combo lists: Validated email/password combinations sold as curated lists for stuffing attacks
  • HK premium data: Databases including HKID, banking credentials, and Octopus data command higher market prices
  • Long shelf life: Old credential lists continue circulating for years — breach impacts last well beyond the initial event
How to detect when your credentials are exposed →
2. How Credentials Are Exploited

How Attackers Use Stolen Credentials Against You

Once credentials are available, they are exploited through several distinct attack pathways. Credential stuffing is the primary method for testing large lists — automated tools test each email/password pair against a list of target sites (banking portals, e-commerce sites, email providers, social media) and collect successful logins. Successful logins are flagged for manual follow-up or automated account takeover, depending on the target value. The success rates are typically low (1-3% of tested credentials result in successful logins to other sites) but the volume is so high that even small percentages yield millions of compromised accounts.
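From the defender's side, the pattern just described (one source trying many different email/password pairs with a low success rate) is visible in authentication logs. This added example, not part of the original article, runs a simple detection over a few constructed log lines and reports the accounts where a login did succeed so they can be reset and notified; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth log (not from a real system): one source sprays six accounts in
# five seconds; the other is a single user retrying their own password.
LOG = """\
2024-05-01T09:00:01 src=203.0.113.5 user=alice@example.com result=FAIL
2024-05-01T09:00:02 src=203.0.113.5 user=bob@example.com result=FAIL
2024-05-01T09:00:02 src=203.0.113.5 user=carol@example.com result=FAIL
2024-05-01T09:00:03 src=203.0.113.5 user=dave@example.com result=OK
2024-05-01T09:00:04 src=203.0.113.5 user=erin@example.com result=FAIL
2024-05-01T09:00:05 src=203.0.113.5 user=frank@example.com result=FAIL
2024-05-01T09:00:10 src=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T09:00:20 src=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T09:00:40 src=198.51.100.7 user=alice@example.com result=OK
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")

def parse(log: str) -> list:
    # (timestamp, source, account, success) tuples; malformed lines are skipped.
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["res"] == "OK"))
    return events

def detect_stuffing(events, window_s: int = 60, min_users: int = 5, max_success_ratio: float = 0.5) -> dict:
    """Flag sources that try many distinct accounts, mostly failing, inside one window.
    A user retrying their own password (one account, few attempts) is not flagged."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    hits = {}
    for src, ev in by_src.items():
        ev.sort()
        for i, (t0, _, _) in enumerate(ev):
            win = [e for e in ev[i:] if (e[0] - t0).total_seconds() <= window_s]
            users = {u for _, u, _ in win}
            succ = sum(ok for _, _, ok in win)
            if len(users) >= min_users and succ / len(win) <= max_success_ratio:
                hits[src] = {"distinct_users": len(users), "attempts": len(win), "successes": succ,
                             "hit_users": sorted(u for _, u, ok in win if ok)}  # accounts to reset
                break
    return hits

if __name__ == "__main__":
    print(detect_stuffing(parse(LOG)))
```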

Account takeover (ATO) attacks on individual high-value targets are a more targeted use of stolen credentials. An attacker who has identified that a particular person has significant financial accounts will use their stolen credentials to attempt login, then use the compromised email account to reset passwords on banking and investment platforms. In Hong Kong, this has been seen targeting individuals with significant holdings in local banks and investment platforms, where the combination of email access and partial knowledge of the victim's personal information allows fraudulent requests to succeed.

Targeted spear phishing is another exploitation pathway, particularly when the breach included not just passwords but also personal information. Attackers can craft highly convincing emails that reference the victim's actual account details, transaction history, or personal information from the breach, making them far more likely to succeed than generic phishing attempts. The availability of HKID numbers, phone numbers, and residential addresses from local data breaches enables this kind of personalisation for Hong Kong victims.

  • Credential stuffing at scale: 1-3% success rate multiplied by billions of credentials yields millions of compromised accounts
  • Targeted account takeover: High-value targets identified from breach data — email compromise enables banking access
  • Personalised phishing: Personal data from breaches enables convincing targeted phishing — harder to detect than generic attempts
  • SIM swap enablement: Personal info from breaches helps convince telecom providers to authorise SIM transfers
  • Identity fraud: Combining multiple breached data sources enables identity theft and fraudulent applications
  • Second-order attacks: Breached credentials used to infiltrate organisations through employee accounts
Why reused passwords multiply the impact of stolen credentials →
3. Dark Web Monitoring

Dark Web Monitoring: Can You Know When Your Data Is Exposed?

Dark web monitoring services scan underground markets, paste sites, and private forums for evidence of your credentials being listed for sale or distributed. Services like Have I Been Pwned (free), Mozilla Monitor (free), and the monitoring features built into paid tiers of Bitwarden, Dashlane, and 1Password all provide some level of dark web credential monitoring. The coverage is not complete — private sales on closed forums and freshly stolen databases that have not yet been publicly distributed will not appear — but they provide effective early warning for the majority of credential exposures.

Google Password Manager and Apple Keychain also include breach monitoring against Google's and Apple's respective breach intelligence databases. While these are less comprehensive than dedicated dark web monitoring services, they are automatic for anyone using those platforms and provide a baseline level of monitoring at no additional cost. The best approach is to use multiple monitoring sources simultaneously: HIBP notifications for your email addresses, your password manager's built-in monitoring, and HKCERT security alerts for Hong Kong-specific breaches.

Commercial dark web monitoring services aimed at individuals — including those offered by identity protection companies and some credit monitoring services in Hong Kong — provide varying levels of coverage and responsiveness. When evaluating these services, key questions are: how frequently do they scan known dark web markets; what data elements do they monitor (email only, or also phone, HKID, addresses); and how quickly do they alert when new data is found. Free services are generally adequate for email/password monitoring; paid services add more data elements and faster alerting.

  • Have I Been Pwned: Free, comprehensive — indexes 700+ breach databases, offers email notification service
  • Mozilla Monitor: Free, powered partly by HIBP data — good for users who want an alternative interface
  • Manager built-in monitoring: Bitwarden Premium, Dashlane, 1Password — continuous monitoring of all stored credentials
  • HKCERT alerts: hkcert.org — local alerts for Hong Kong-specific breaches and security incidents
  • Coverage limitations: No monitoring service covers 100% of dark web activity — private sales and new breaches have lag
  • Multi-source approach: Use HIBP notifications + manager monitoring + HKCERT for best coverage
Major Hong Kong data breaches and what to do →
4. Protection Strategy

Protecting Yourself from Dark Web Credential Exploitation

The most powerful protection against dark web credential exploitation is ensuring that any stolen credential provides attackers with access to only one account — the one that was breached — rather than acting as a master key across your entire digital life. This is achieved through unique passwords for every account, combined with two-factor authentication, so that even a validated credential from a dark web database cannot access your account without also having the second factor. This limits the value of your credentials on the dark web market, making you a lower-value target for follow-on attacks.

Minimising your personal information exposure reduces the effectiveness of personalised attacks that use breach data. Review your social media privacy settings, be selective about which services you provide your real phone number and address to (use separate numbers or addresses for less trusted services where possible), and use unique email addresses or aliases for different service categories. If your HKID number is included in a breach, report this to the Privacy Commissioner for Personal Data (PCPD) and consider the implications for identity verification services you use.

When you are notified of a breach, prioritise speed of response over thoroughness. The window between a breach being added to dark web monitoring databases and credentials being actively exploited can be as short as hours for high-profile targets. Change the affected password immediately, review whether the same password was used elsewhere, enable 2FA on the affected account if not already active, and monitor for suspicious account activity or phishing attempts. Act first, then do the thorough review.

  • Unique passwords: The primary protection — stolen credentials only compromise one account, not all your accounts
  • 2FA everywhere: Validated stolen credentials still cannot access 2FA-protected accounts
  • Minimise personal data exposure: Less personal data in breach databases means less personalisation capability for attackers
  • Email aliases: Unique email per service category limits breach correlation across services
  • PCPD reporting: If HKID or sensitive personal data is breached, report to Privacy Commissioner for Personal Data
  • Respond fast: Hours matter — change passwords and enable 2FA before the breach data is fully distributed
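An added example (not from the original article) that turns the monitoring advice above and the unique-password advice in this section into a small vault audit: it flags passwords reused across sites and checks each one against Have I Been Pwned's Pwned Passwords range API, sending only the first five characters of the SHA-1 hash (k-anonymity) so the password itself never leaves the machine. The vault entries and the offline response are constructed; the live endpoint is HIBP's, which this page does not itself describe.

```python
import hashlib
from collections import defaultdict
from urllib.request import Request, urlopen

# Constructed vault entries (not real accounts): one password is reused on two sites.
VAULT = [
    ("bank.example.hk", "alice@example.com", "Summer2023!"),
    ("shop.example.com", "alice@example.com", "Summer2023!"),
    ("mail.example.com", "alice@example.com", "x9#Tq7!vLm2@pRw"),
]

def sha1_split(password: str) -> tuple:
    # k-anonymity: only the 5-char prefix of the SHA-1 is ever sent; the 35-char suffix stays local.
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[:5], h[5:]

def fetch_range_live(prefix: str) -> str:
    # HIBP Pwned Passwords range endpoint; the body is "SUFFIX:COUNT" lines for that prefix.
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "vault-audit-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def constructed_fetch_range(prefix: str) -> str:
    # Offline stand-in for the API: a constructed response that lists the reused
    # password as seen 12345 times, plus one unrelated (made-up) suffix.
    _, seen = sha1_split("Summer2023!")
    return f"0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n{seen}:12345\r\n"

def parse_range(body: str) -> dict:
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix] = int(count)
    return counts

def breach_count(password: str, fetch_range=constructed_fetch_range) -> int:
    # Match the local suffix against the returned set; 0 means not in the corpus.
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def reused_passwords(vault) -> dict:
    sites = defaultdict(list)
    for site, _, pw in vault:
        sites[pw].append(site)
    return {pw: s for pw, s in sites.items() if len(s) > 1}

def audit(vault, fetch_range=constructed_fetch_range) -> list:
    # Per site: (site, times seen in breach corpora, reused elsewhere in the vault).
    reused = reused_passwords(vault)
    return [(site, breach_count(pw, fetch_range), pw in reused) for site, _, pw in vault]
```

Pass `fetch_range_live` instead of the default to run the same audit against the real service.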
How a password manager limits dark web credential exposure →

Limit the Damage of Dark Web Credential Sales

Unique passwords and 2FA mean that even when your credentials reach dark web markets, attackers cannot use them to access your other accounts.
