Stolen personal data of UK citizens is selling for as little as £10 on the dark web, offering hackers all the information needed to carry out online fraud and identity theft, The Independent has discovered.

So-called fullz – hacker slang meaning a “full ID” package – of UK citizens are being listed on several popular online black markets. A full ID package typically contains an individual’s name, address, online passwords, banking data and other key identifying information.

Security researchers say the illicit trade of such data is being fuelled by a seemingly ceaseless succession of high-profile hacks. In 2018 alone, hundreds of millions of people’s data was exposed through breaches at firms including British Airways, Marriott hotels and Facebook.

Stolen information is posted on to the dark web – a hidden section of the internet only accessible using specialist software – where cyber criminals are able to buy and sell the data.

One seller operating on a popular dark web marketplace listed personal data of UK citizens for just £10 of bitcoin – the semi-anonymous cryptocurrency commonly used to carry out transactions.

The vendor offered a sample of the data available, providing the name, address, occupation, date of birth, maiden name and other details of a Polish-born woman who resides in Bristol.

Dark web analyst Simon Migliano describes fullz as “the key to online fraud” and warns demand for such data appears to be on the rise.

“This information on its own can be used to open lines of credit, such as credit cards and loans, which are then drained by cyber criminals,” he told The Independent. “There’s a whole spectrum of pricing for fullz, depending on the likelihood of profit from using that information.”

As the head of research at the security firm Top10VPN, Mr Migliano monitors the illicit trade of such information through the dark web market price index. Other data available on dark web markets include login credentials for dating apps, streaming services, online shopping sites and social media profiles.

Adding the value of all hacked data, he estimates that a person’s entire online identity would be worth around £820 if they were to have accounts at all the sites listed on the index.

Potential hackers are even able to seek out guides on these dark web marketplaces that provide information on carrying out crimes, such as a £6 “How to obtain loans guide”, which gives step-by-step instructions on how to take out a loan using stolen data.

The creator of the guide claims it can be used worldwide and does not require “special skills” to follow the instructions.

Prices for personal data can vary significantly from seller to seller, though generally the most valuable is that of bank accounts and other financial services such as PayPal login credentials. But more significant than the individual prices such data is listed at, according to one dark web researcher, is the scale of the overall problem.

“Talking about pricing distracts from the broader issue: data is for sale, everywhere, all the time, often for incredibly low prices,” said Emily Wilson, a researcher at dark web monitoring firm Terbium Labs. “We should be talking about the ease of access fraudsters have in exploiting this data, and about how the public has little to no sense of how much of their data has been compromised – precisely because of the amount of effort that goes into identifying the individual prices of identity data over addressing systemic insecurities.”

Cyber experts frequently warn that it is not a question of whether a person has been hacked, but how many times. Checking your email address on a site such as Have I Been Pwned – an online database of public data breaches, leaks and hacks – often uncovers several instances of personal information being compromised.

“Sadly, in the current age and time, no one is immune to the theft of personal data,” said Andrei Barysevich, a researcher at threat intelligence firm Recorded Future.

“In the same way we learned to accept the dangers of flu viruses and developed simple approaches to minimise the risk, we must learn very simple, yet effective cyber hygiene practices.”

An example of a UK ‘fullz’ for sale on a dark web market (The Independent)

Such practices include using different passwords for all websites and apps, enabling two-factor authentication on accounts that support it, and signing up for credit monitoring services that provide notifications of any changes to credit profiles.

“There’s no point in worrying about your data being stolen and sold on the dark web. It’s probably already happened,” dark web analyst Mr Migliano said.

“The key is to be sensible in your online behaviour, minimise risks and take prompt action when something does happen. The sooner you deal with compromised personal data, the easier and less painful it will be.”

How can you stay safe online?

Most web users can take a number of simple steps to avoid the possibility of having their identities stolen online.

Monitoring who you accept into your social media circles can prevent fraudsters accessing personal information stored on your profile.