Constella Web Logo white e1703116556868

Constella Intelligence Publishes 2021 Identity Breach Report

201015 Alto 4iQ Constellate Fotografia Mesa de trabajo 02 scaled 1

At Constella Intelligence, we make it our mission to defeat digital risk, and we are proud to work with some of the world’s largest organizations to safeguard what matters most. It’s once again time to bring you our 2021 Annual Identity Breach Report, and without a doubt, this year has been an exceptional one.

To provide insight on the breach economy and the tactics, techniques, and procedures leveraged by threat actors to exploit the digital ecosystem in times of crisis, we published our 2021 Identity Breach Report, titled “PII Fuelling the Threat Economy: How Crisis Creates Targeted Vulnerabilities for Individuals, Executives, and Brands.” In 2020, Constella Intelligence’s threat intelligence team detected over 8,500 breaches and leakages circulating in dark markets and underground forums, representing nearly 12 billion records. 


In 2020, our threat intelligence team detected over 8,000 breaches consisting of over 12billion records.

Key Findings from Constella’s 2021 Identity Breach Report include: 

  • Nearly 60% of the data breaches analyzed exposed some form of PII, and 72% of these breaches included passwords. 
  • Over 40% of executives from a sample of Fortune 500 companies in the Energy and Telecommunications sectors were exposed in a breach over the last five years.
  • Fortune 500 companies in Energy and Telecommunications have had their corporate domains exposed in approximately 11k breaches/leakages since 2016, and over 40% of these exposures occurred since 2020, indicating worsening security of corporate credentials.
  • Out of a sample of 55 Fortune 500 Energy executives, nearly 1/4 have had their passwords exposed. 
  • Constella observed the sale of vaccine doses—such as AstraZeneca, Pfizer, Moderna, and Sputnik—in multiple dark marketplaces ranging from as little as $8 to as much as nearly $850.
  • Crypto-Currency, News, and Healthcare industries saw 120%, 110%, and 51% increases (respectively) in breaches and leakages compared to 2019.
  • Compared to the findings in Constella’s 2020 Identity Breach Report, the price of personal records transacted in dark marketplaces, including passports (+1,185%), and driver’s licenses (+328%), ID cards (+642%) increased significantly, possibly due to increased demand for false identification records during the pandemic.

2020 transformed the digital ecosystem and breach economy, creating new cyber vulnerabilities. The COVID-19 pandemic changed our everyday lives, with citizens now relying on new digital solutions and continuing to work from home. Cyber threat actors seek to exploit these changes as they generate new vulnerabilities. 

New vectors of exploitation enabled by the COVID-19 pandemic resulted in items like vaccines, fraudulent vaccine certificates, and other COVID-19 related items being sold in dark marketplaces and underground forums. Constella’s research analyzed the value of personally identifiable information (PII), drawing links between the breach economy, PII, and a range of emerging digital threats to executives and brands. Notably, Constella observed an exorbitant spike in the price of sensitive personal records sold in the deep and dark web, with the price of driver’s licenses, passports, and ID cards increasing significantly from the previous year analyzed – plausibly due to an increased demand for personal records during the pandemic. Constella’s 2021 Identity Breach Report also includes a deep dive into the top companies in the Energy and Telecommunications sectors that appeared in the Fortune Global 500 list, demonstrating increasing exposure and vulnerability of companies in the sector, employees, and executives over the past year.

Executives are the Target

With the pandemic forcing many to use digital solutions to conduct business, threat actors were provided increased access to individuals’ work and personal information. Targeting employees and executives to obtain access to corporate networks not only puts organizations at risk but jeopardizes company and executives’ reputations as well. More and more each day, executives and employees are being exploited as access points for inflicting financial and reputational damage on companies. 

Pulled from a sample of executives from Fortune 500 telecommunications companies, we found that 43% had their corporate credentials exposed in a breach or leakage since 2016, and 100% of them had been exposed on breaches from data brokers sites. In a similar sample of executives from Fortune 500 energy companies, we found that 45% had their corporate credentials exposed in a breach or leakage since 2016


identity breach report executive exposures

Exposures of executives’ corporate credentials are immense and have been sharply increasing over the past two years.


The Year(s) of COVID-19

2020-2021 has unarguably been the year of COVID-19. Everyone and every industry have been greatly affected by changes brought on by COVID-19. Deep and dark markets exemplified the central significance of the pandemic to the public, private, and digital spheres. Constella observed the exploitation of the COVID-19 pandemic to be a recurrent theme in dark markets, including the sale of vaccine doses — such as AstraZeneca, Pfizer, Moderna, and Sputnik — in multiple dark marketplaces ranging from as little as $8 to as much as nearly $850.


identity breach report vaccines for sale in dark markets

Vaccines identified for sale in dark marketplaces range from as little as $8 to as much as $850.


The Service Industry: Critical Services At Risk

Impacted sectors like Energy and Telecommunications evidence the dramatic growth in the breach economy. Notably, the “Services” industry, which includes utilities, telecommunications, energy, food and transportation companies, accounted for over 20% of breaches examined, a 62% increase from 2019. This is possibly due to increased reliance on these industries during the COVID-19 pandemic. Services, Gaming and Gambling, Social & Dating, and Retail stood out as the most affected sectors. Moreover, our research evidence that in certain sectors, the breach economy is growing, and executives are being targeted, with over 40% of executives from a sample of Fortune 500 companies in the Energy and Telecommunications sectors exposed in a breach over the last five years.

The top 20 Fortune 500 energy companies saw a dramatic increase in exposures. Over the past five years, nearly 60% of records exposed in the Energy sector occurred since 2020. The Telecommunications industry has also seen a notable increase in corporate credentials exposed. Looking at data over the past five years, over 40% of their breaches occurred in the past two years. Moreover, 80% of employee exposures in the Telecommunications sector since 2016 occurred in the past two years, indicating worsening usage of corporate credentials. 


identity breach report sectors most affected


Dark Market Economy: Dramatic Rise in the Price of Personal Records

The dark market continues to thrive as our communities move their everyday functions online. For years, threat actors have been selling various items, including passports, drivers’ licenses, and other ID cards, on the dark market. But since the pandemic, these markets have expanded to include COVID-related items. 

Our threat intelligence teams have identified vaccines — real or otherwise — and fake vaccine certificates for sale in underground markets. The prices of vaccines for sale in several dark markets vary by brand. AstraZeneca’s average price is an exorbitant $848.50; Pfizer is selling for $483.75; Moderna goes for $193.60; while Sputnik costs an average of only $8. As far as other COVID items, German vaccine certificates are being sold for an average of $22.35, and COVID-19 antigen tests sell for an average $25 flat. Cryptocurrency is the exclusive form of payment.

Other items, like passports and drivers’ licenses, which were already sold on the dark market, saw significant increases in cost, jumping 1,185% and 328%, respectively. Travel restrictions across the world likely contributed to these increases.


identity breach report average prices of records for sale in dark markets

Global restrictions may have increased demand for, and thus prices of, personal ID records in dark marketplaces in 2020.


Disinformation and Deepfakes: Another Threat Fuelled by PII

Threat actors are becoming more advanced in the art of creating deepfakes and spreading disinformation. Deepfakes, which is an image, video, or audio impersonation of someone powered by AI, have already been used in a wide array of contexts, including in the production of “fake news” and manipulated content or malicious impersonations with the objective of obtaining sensitive data for financial gain or influencing public opinion for corporate or political reputational damage.

Constella’s intelligence analysts identified several threats related to social media accounts for sale or social media bots for automating account interactions to generate likes, views, subscribers, or post customized comments. Additionally, entire accounts have been identified for sale, varying in price based on the account’s creation date. These synthetic accounts—that can potentially be used to launch networks of coordinated bots for disinformation—are often fuelled by stolen and repurposed PII, again evidencing the multifaceted value of PII for threat actors in the digital sphere. 

Our threat intelligence analysts identified several capabilities related to the production of deepfake content online. Constella’s intelligence analysts have also identified users that offer to produce deepfakes, which are highly effective tools for duping employees into sharing confidential information. This can lead to exposure of sensitive data or the facilitation of unapproved transactions. There have already been cases of corporate funds being transferred to malicious actors using synthetic audio content to impersonate high-level executives seeking additional credentials or the direct transfer of funds by employees.

“During the past year and a half, I’ve observed increased cybercrime activity in the dark web, as well as the surface, social, and deep webs. Right now, there are billions of breached and leaked identity records circulating throughout these open sources. Threat actors leverage these compromised credentials to build digital profiles and personalize their attacks—phishing scams, disinformation campaigns, account takeover, and more—while targeting enterprises and individuals alike.

Identifying and tracking sources of criminal activity, specifically in the dark web, is a worthwhile investment to: stay one step ahead of attackers to proactively identify exposures; identify breached credentials to prevent further damage; and gain insights into all stages of criminal activity, from planning to attack. The sooner organizations and individuals know about the breach, change credentials, and lock down networks, the less damage occurs.”

– Alberto Casares, VP of Risk Protection at Constella Intelligence


Vulnerabilities created throughout the COVID-19 crisis established 2020 as a record-breaking year in the digital and cyberintelligence ecosystems. Threat actors have become sharper than ever at targeting executives and other individuals in order to obtain information about both themselves and their employers. opening up endless possibilities for the exploitation of attack vectors through new TTPs. For both companies and individuals to stay safe in an increasingly dangerous threat landscape, it is important that they take the proper steps to detect when their personal data has been leaked or stolen. At Constella, we pride ourselves in the ability to do just that, and to safeguard our partners and clients from digital risk. 

Download the full 2021 Identity Breach Report to see the rest of our findings, including detailed analysis of the techniques, tactics, and procedures of threat actors in deep and dark markets in 2020 and key metrics on the trends identified over the past year by our expert threat intelligence analysts.