It's getting easier to buy stolen usernames and passwords online. The online marketplace PayIvy offers stolen credentials to sites like Netflix, Spotify, HBO Go, PayPal and others for as little as $1 apiece, and the number of listings is growing quickly.
Anyone looking to buy stolen information online would normally have to navigate the Dark Net, the Internet's difficult-to-reach criminal underbelly that trades in bitcoin and other forms of cryptocurrency. But PayIvy and a handful of other sites now advertise stolen account information – also from DirecTV, Playstation, Xbox Live, Steam, Adobe and Microsoft – to anyone with a PayPal account. Brian Krebs, the respected cybersecurity journalist, highlighted PayIvy in a post Wednesday in which he spoke with PayPal about how odd it is that PayPal users could buy PayPal accounts with their own, well, PayPal.
“PayPal proactively monitors sellers with PayPal accounts who use the PayIvy platform to ensure the products they are selling are in compliance with our [Acceptable Use Policy], and we take appropriate action when violations are discovered,” Jack Christin Jr., associate general counsel at PayPal, told Krebs.
The owner of PayIvy, identified on the site's forums by the username Sh1eld, makes money off the site by offering “premium” accounts, an option that enables users to monitor their sales. There are also tutorials on how users can avoid having their PayPal accounts suspended or terminated by the company, Krebs reported.
How long PayIvy will be able to stay online remains to be seen, but it certainly won't be the last marketplace of its kind. Frequent data breaches have made it possible for identity thieves to sell unwitting customers' personal information in bulk and on the cheap. The easiest way to avoid finding your own information listed for sale is to change your password frequently, to keep an eye on your billing information and to use two-factor authentication.