CNN: The password problem: Hundreds of millions of accounts are compromised every year in data breaches through phishing, malware and other types of attacks. More than 11.6 billion records have been breached since 2005, according to a running tally by California-based nonprofit Privacy Rights Clearinghouse. Those accounts are often then dumped on hacker forums or put up on the dark web, a collection of websites that can only be accessed by a special type of browser called Tor (it stands for The Onion Router, and dark web sites end with .onion).
Originally created by the US Navy in 2002 to enable anonymous online communication, the system’s enhanced encryption and anonymity means it’s often used for illegal activity, including drug sales.
Hackers buy databases of stolen passwords and bombard other websites with them until one works, a fairly common technique known as credential stuffing. They also run variations of the password with different combinations, according to Beenu Arora, CEO of Atlanta-based cybersecurity firm Cyble. If one of those passwords works on another service — a bank, for example — it can then be posted or sold on the dark web again.