Identity thieves used stolen data 9 minutes after it was posted online

Posted at 9:48 AM, May 26, 2017

NEW YORK (CNNMoney) -- When personal data is dumped online, it can take just nine minutes for bad guys to start using it, according to a report from the Federal Trade Commission.

Over the course of three weeks in April and May, the FTC analyzed what happens when hacked personal data is shared online.

Researchers created 100 fake consumers and gave them fictitious personal information like names, emails and passwords, and either a credit card, Bitcoin wallet, or online payment account. Then they posted the collection of data on a site popular with leaking stolen credentials, once on April 27 and a second time on May 4.

According to Dan Salsburg, acting chief at the FTC's Office of Technology Research and Investigation, the the FTC observed two types of identity thieves -- those who want to test credit cards' authenticity to resell them, and those who tried making big purchases on things like clothing or hotels.

"There are people laying there in wait, ready to pounce on stolen credentials," Salsburg told CNNTech.

Nine minutes after the publication on May 4, thieves began using the data -- a Twitter bot picked up the posting, which could have helped speed up hacking attempts. On April 27, it took one and a half hours before the fake credentials were used.

All told, there were over 1,200 attempts to access accounts belonging to the fake consumers. That includes a total of $12,825.53 attempted credit card purchases and 493 attempts to access emails.

There are ways you can prevent cybercriminals from using your data, even if it's published online. Salsburg said some of the test accounts were protected by two-factor authentication, a security feature that requires a second code in addition to your password (usually texted to your phone) to log in to your account.

It's not a perfect solution -- if your phone gets stolen, thieves could have access to your backup codes. But it is a simple and effective security tool.

Identity thieves did not access the fake accounts with two-factor authentication enabled.