On the dark web, a batch of thousands or even millions of U.S. citizens' personal and business emails cost on average only $9.99, according to the latest study by NordVPN. However, voters' emails are more valuable — this data can be bought for $99.99 per batch.

"The math is a no-brainer here — the access to your accounts does not cost even a penny,” said Gediminas Brencius, head of product at NordPass. “This calculation hints at how invaluable our online data is — we simply give it out to hackers ourselves. Besides experts' warnings, many of us still provide our email addresses to untrusted companies and fail with basic password hygiene: we use weak passwords, forget to change them regularly, and share credentials using insecure channels.”

The study dug into a market on the dark web that has sold items worth $17.3 million. Having analyzed data from more than 50 countries, independent researchers found many online credentials usually used to launch broad scams and hacks. Personal and business email addresses from the U.S. cost, on average, $9.99 — less than from most other countries. The most expensive are EU citizens' personal emails — their set costs $199.99.

However, the research also demonstrated that U.S. voters are more valuable than those of any other country. A batch of voters' emails from the U.S. costs around $99.99, while from Canada, for example, a batch of the same type of emails costs only $9.99. While it may seem strange that hackers differentiate the voter category from others on the dark web, it suggests a demand for data that comes from official public bodies.

In addition to leaked emails, researchers also found over 2.1 billion email and password combinations on the studied market, and they are sold at very low prices. Globally, a batch of email and password combinations costs $11.79.

Based on the research, leaked emails comprise 6% of the analyzed market on the dark web. Most of them are personal email addresses, followed by voter and business email addresses. Other popular items sold on the dark web are identity documents (for example, IDs, passwords, and driving licenses) and financial information (for example, payment card data and bank or crypto accounts).

Researchers also confirmed the hackers operating on the dark web are not revealing their actual location. Instead, the location they indicate hints at where the demand for their sold items lies or where they have better conditions to operate their businesses. The U.S., Sweden, France, China, and Gibraltar are the most common locations hackers choose.

"First, we ourselves make it too easy to steal our online credentials,” Brencius said. “Second, businesses we trust, often even our workplaces, do not always take cybersecurity seriously enough, which leads to our data, including email addresses, being sold on the dark web.” 

He shared some tips below on how to avoid the consequences of having your credentials placed on the dark web.

  1. Take better care of password hygiene. NordPass research shows that the most popular password worldwide in 2021 was "123456," followed by other simple variations of numbers or letters. Because these types of passwords are too easy to crack, it is recommended to use password generators to create strong passwords. Also, it is worth changing passwords at least every three months and using only end-to-end encrypted channels to share them.
  1. Carefully evaluate the sites to trust. While sharing an email address with an online shop or any other business seems to be an innocent act, the reality is that an email address, if in the wrong hands, can make people victims of scams or hacks.
  1. Know and monitor your accounts. Knowing the exact number of your online accounts is essential to spotting suspicious activity. Turning on the security settings for all accounts might save some headache — once the account notes a login from an unknown device or location, the user receives a notification. Modern password managers offer data breach scanners that check a password’s strength and inform if your data appeared in any data breaches.