Stolen accounts get traded because they unlock outcomes: money movement, impersonation, advertising spend, access to other systems, or a reliable channel to contact your customers. The exact dollar amount attached to a login is volatile and rarely changes what you should do next.
The practical question is whether an attacker still has access, what they can do with it, and which recovery controls (email, phone number, trusted devices, admin roles) decide the outcome if something goes wrong.
Stabilize access first
- Secure your primary email inbox. If an attacker controls your email, they control password resets for everything else. Change your email password, enable multi-factor authentication (MFA), review sign-in history, and verify recovery email and phone settings.
- Change passwords for any account that matters, then force sign-out everywhere. Use unique passwords (a password manager helps) and use the provider's option to sign out other sessions. Start with email, banking, payroll, cloud storage, and any social accounts connected to your business.
- Turn on MFA that is not SMS-based when you can. Prefer an authenticator app or security key over text-message codes. If you already had MFA on when the compromise happened, rotate it: re-enroll MFA and remove unknown devices.
- Look for persistence. Review account settings for forwarding rules, delegated access, connected apps, OAuth authorizations, new admin users, new recovery emails or phone numbers, and added payment methods.
- Assume reuse. If the password was reused anywhere, treat every reused account as compromised until proven otherwise.
- Contain financial and identity risk. If money could have moved, contact your bank or card issuer quickly. If identity data was exposed, use the FTC's identity theft guidance to choose the right next steps.
Rule of thumb: If you cannot secure the email inbox tied to your accounts, treat every other recovery step as temporary.
What "for sale" usually means
Most people imagine a single searchable marketplace with a neat product listing for their login. Real-world trading is messier. Access can be:
- Bundled. Credentials may be sold together with browser session tokens, cookies, device fingerprints, and the victim's usual geographic location to reduce friction.
- Repurposed. A buyer may never "use" your account directly. They may use it to reset other accounts, impersonate you, or seed a later fraud attempt.
- Shared. Multiple actors can hold the same password from different leaks. If you only change one account, the next compromise can look like "they came back" even when it is a different group.
There is also a hard constraint: you generally cannot prove your account is listed without monitoring criminal ecosystems, which is unreliable and can create new risk. For most victims, the safer approach is to assume exposure when you see compromise signals, then remove the attacker's leverage.
If you want a grounded explanation of what the dark web is and how criminal trade typically works, start with how the dark web is used by criminals.
Why criminals resell accounts
Most attackers do not want to "own" your account long term. They want to convert access into something else, fast. Resale is common because it:
- Turns stolen access into cash without taking on the risk of using it themselves.
- Lets a specialist do the next step, such as fraud, ad abuse, extortion, or lateral movement into a company network.
- Bundles access (email + device sessions + cookies + MFA prompts) into a product that is easier to reuse.
This is why focusing on a price list is usually a distraction. Your goal is to break the chain: remove access, remove persistence, and reduce what the account can do if it is stolen again.
What makes an account valuable to an attacker
| What the attacker has | Why it matters | Defensive move |
|---|---|---|
| Access to your email inbox | Enables password resets, invoice impersonation, and interception of verification codes. | Secure email first, remove forwarding rules, review recovery options, and sign out all sessions. |
| Active sessions (cookies, "remembered" devices) | Can bypass a password change and sometimes bypass MFA prompts for a period of time. | Use "sign out everywhere" and revoke active sessions and connected devices. |
| Payment methods or billing accounts | Enables direct fraud or ad spend on your dime. | Remove unknown payment methods, set spend limits where possible, and enable purchase alerts. |
| Admin roles in work tools | Turns one login into broader access: more accounts, data export, user creation, and policy changes. | Review admin users, enforce least privilege, and require MFA for all admin roles. |
| Verified identity and aged accounts | Trusted accounts impersonate you more effectively and are harder for automated defenses to flag. | Add stronger MFA, limit public data, and tighten recovery signals (email, phone, backup codes stored safely). |
| SMS-based MFA control (SIM swap risk) | Text codes are easier to intercept than app-based MFA. | Move to an authenticator app or security keys and ask your carrier about port-out protection. |
Do not: Pay anyone who claims they can "remove" your account from dark web markets. The only durable fix is to revoke access and rotate the credentials and recovery signals that made the access valuable.
How stolen logins usually happen
Attackers do not need movie-style hacking to take accounts. Most compromises come from repeatable methods:
- Phishing and fake login prompts: messages that push you to sign in or "verify" quickly.
- Credential stuffing: reusing leaked passwords against other sites where you used the same password.
- Infostealer malware: malicious software that extracts saved passwords, browser sessions, and cookies.
- Support impersonation: someone pretending to be a vendor, bank, or internal IT to get access or convince you to approve an MFA prompt.
For a grounding definition and examples, see what phishing is.
If you suspect an infostealer, treat the device as part of the incident
Infostealers change the recovery problem. Rotating passwords helps, but if the device is still compromised, the new credentials can be captured again. This is one reason "they got back in" can happen even after a password change.
Common signals include unusual browser behavior, new extensions you did not install, new login sessions that appear immediately after you log in, or multiple unrelated accounts being taken over in a short window.
If an infostealer is plausible:
- Do not reuse the same device for recovery. Use a known-clean device to change your email and critical passwords first.
- Remove unknown browser extensions and downloaded software. If you do not recognize it, treat it as suspect.
- Update OS and browsers. Apply security updates before you re-authenticate to sensitive accounts.
- Run a reputable malware scan. If you manage devices centrally, run scans and isolate endpoints with detections.
- Rotate sessions after cleanup. Sign out of all sessions again and remove unknown devices from account settings.
If you run a business or creator account, check for high-leverage abuse
Some accounts get targeted not for resale value, but for what the attacker can do immediately.
- Advertising accounts: attackers add payment methods, run ads, and leave you with billing disputes and a disabled ad account.
- Social media: attackers monetize through scam posts, DMs to followers, or brand impersonation.
- Customer email: mailbox access enables invoice fraud, supplier impersonation, and "we changed our bank details" scams.
- Admin consoles: one admin account can create new admins, export data, and weaken security settings.
If this is a workplace incident, treat it as an organizational event, not an individual mistake. Use what to do if your business or employees are hacked as a baseline containment sequence.
If you cannot regain access, change the goal
Sometimes recovery is not immediate. Accounts can be locked, disabled, or bound to a device you no longer control. When that happens, change the goal from "get back in" to "prevent compounding damage".
- Secure what controls resets. Email inboxes, phone numbers, and the devices that receive MFA prompts.
- Protect money movement. Banks, cards, ad platforms, and payroll providers should get direct attention even while you wait on platform support.
- Notify the right people internally. If you run a business, employee accounts, finance workflows, and customer communications are all in scope.
If you need a structured recovery sequence for an account you cannot access, start with account recovery steps when you cannot log in, then work outward to the systems that depend on it.
Safety note: Do not go hunting for your credentials in criminal forums. It does not change the recovery steps and can expose you to scams and malware.
If you suspect your credentials were exposed
You cannot reliably prove an account was listed for sale, and you usually do not need to. The safer posture is to assume exposure when you see any of these signals:
- Unexpected password reset emails or MFA codes.
- New login alerts from unfamiliar locations or devices.
- Unknown inbox rules, forwarding, delegated access, or third-party permissions.
- New connected apps or browser sessions you do not recognize.
- People reporting messages you did not send.
Rotate passwords, remove unknown access, and move to stronger MFA.
Evidence to preserve (without collecting sensitive data)
During recovery it is easy to destroy the information you later need for support, banking disputes, or incident reconstruction. Preserve what you can while staying privacy-safe.
- Timestamps: when you first noticed the issue, when password resets happened, when money moved.
- Provider alerts: screenshots of login alerts, MFA prompts, and device lists.
- Message artifacts: if phishing is involved, keep the original message in your system so your IT team can extract headers safely.
If the incident involves customer data, you may also need a breach response plan. Start with what to do if you are the victim of a data breach to structure containment, legal review, and notification decisions.
After recovery: watch for persistence and recurrence
Account recovery is not finished when you regain access. Many takeovers fail for the attacker at first, then succeed later because a persistence mechanism was missed or because the same password was reused elsewhere.
For the next 2 to 4 weeks, watch for signals that your controls are still being tested:
- Repeated reset attempts. Password reset emails, repeated MFA prompts, or notifications that someone is trying to access the account.
- New sessions you did not create. Fresh logins from new devices or locations shortly after you secured the account.
- Settings changes. New forwarding rules, new connected apps, new recovery options, or new payment methods.
- Secondary account compromises. A different account gets taken over shortly after the first. This can indicate reuse or a compromised device.
If you see these signals, repeat the sequence: sign out everywhere, remove unknown access, rotate credentials, and revisit device hygiene. The goal is to make the account boring to steal and hard to keep.
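For teams that can export account activity, the watch list above can be run as a repeatable check. The following is an added example, not part of the original article: the event field names, event types, device names, and the threshold of three reset attempts are assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events. Field names and event types are assumptions,
# not any provider's real export schema.
EVENTS = [
    {"ts": "2024-04-20T12:00", "account": "email", "type": "login", "device": "old-tablet"},
    {"ts": "2024-05-02T08:00", "account": "email", "type": "password_reset_request", "device": None},
    {"ts": "2024-05-02T08:05", "account": "email", "type": "mfa_prompt", "device": None},
    {"ts": "2024-05-02T08:07", "account": "email", "type": "mfa_prompt", "device": None},
    {"ts": "2024-05-03T10:00", "account": "email", "type": "login", "device": "laptop-1"},
    {"ts": "2024-05-04T22:15", "account": "email", "type": "login", "device": "unrecognized-1"},
    {"ts": "2024-05-05T01:00", "account": "email", "type": "forwarding_rule_added", "device": None},
    {"ts": "2024-05-09T14:00", "account": "ads", "type": "payment_method_added", "device": None},
    {"ts": "2024-07-15T09:00", "account": "ads", "type": "login", "device": "unrecognized-2"},
]
RESET_EVENTS = {"password_reset_request", "mfa_prompt"}
SETTINGS_EVENTS = {"forwarding_rule_added", "app_connected",
                   "recovery_option_added", "payment_method_added"}

def review(events, secured_at, known_devices, watch_days=28, reset_threshold=3):
    """Return sorted (signal, account) findings inside the post-recovery watch window."""
    start = datetime.fromisoformat(secured_at)
    end = start + timedelta(days=watch_days)
    findings, resets = set(), Counter()
    for e in events:
        if not start <= datetime.fromisoformat(e["ts"]) <= end:
            continue  # before the account was secured, or after the watch window
        if e["type"] in RESET_EVENTS:
            resets[e["account"]] += 1
        elif e["type"] == "login" and e["device"] not in known_devices:
            findings.add(("new_session", e["account"]))
        elif e["type"] in SETTINGS_EVENTS:
            findings.add(("settings_change", e["account"]))
    # A single reset email can be noise; a burst suggests someone is testing the account.
    findings |= {("repeated_resets", a) for a, n in resets.items() if n >= reset_threshold}
    # Heuristic: signals on more than one account point to reuse or a compromised device.
    if len({account for _, account in findings}) > 1:
        findings.add(("secondary_compromise", "*"))
    return sorted(findings)

if __name__ == "__main__":
    for signal, account in review(EVENTS, "2024-05-01T12:00", {"laptop-1", "phone-1"}):
        print(f"{signal:22} {account}")
```

Any finding maps back to the same sequence: sign out everywhere, remove unknown access, rotate credentials, and revisit device hygiene.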
Hardening that changes outcomes
- Use unique passwords everywhere. Password reuse is what turns a single leak into multiple takeovers. See common password mistakes for the patterns that usually fail.
- Turn on MFA and keep backup codes safe. If you use MFA, store backup codes offline and treat them like keys.
- Reduce your control plane attack surface. Email, phone number, and trusted devices decide most recovery outcomes. Secure them more than everything else.
- Build a reporting habit. If this is a business environment, make it easy for employees to report suspicious messages and unexpected MFA prompts before damage spreads.
If you are prioritizing, start with accounts that control resets (email), money movement (banking, cards, ad spend, payroll), and identity (phone number and carrier). Those are the places where attackers can create irreversible loss quickly.
Backup codes and recovery keys are easy to ignore until you need them. Store them offline, and do not keep them in the same inbox that would be used to reset the account.
For identity theft recovery in the US, the most reliable starting point is the FTC: IdentityTheft.gov.
There is no stable market price that tells you whether a compromise is serious.
What matters is the attacker's leverage: whether they can reset passwords, keep sessions alive, impersonate you credibly, or move money.
If you systematically remove those levers, resale value becomes irrelevant and repeat compromise becomes much harder.
