Hackers trade 100,000 items of online ID from Edinburgh

The information, which could include online passwords, can be sold on to be used in so-called phishing scams to extort money.

While there is no way of knowing how many people in the city may have had their accounts compromised, experts said the sheer volume of information being sold should act as a “wake-up call”.

Across the UK, an investigation by The Scotsman and its sister titles in Johnston Press, showed nearly 11 million sets of identity details belonging to Britons, being traded.

Our investigations unit teamed up with London data firm C6 to examine the true extent of the booming identity trade.

A total of 115,333 pieces of identity information apparently from the Edinburgh area were found being traded, with the most affected postcodes being EH1 and EH4.

Dark web marketplaces are now even offering money back guarantees for bulk purchases of people’s account passwords, which can come coupled with one or more of email addresses, credit card numbers, usernames and even personal details such as first cars and mothers’ maiden names.

The worrying numbers have been collated over several of years by a team of “cyber moles” embedded in the dark web, observing wholesale transactions through encrypted chat rooms.

Emma Mills, chief operating officer of C6, which runs the hasmyidentitybeenstolen.com website, said the rapidly growing number of people at risk of being defrauded needs to act as a wake-up call.

She said: “As consumers we have never really paid the price for fraud. We’re used to the banks picking up the credit and debit card losses, we don’t see the downside to ourselves of being careless with our personal information.

“We don’t clearly understand the impact of having our identities compromised and how long and painful it is to re-build that genuinely – it causes problems with applying for credit or any other form of account.”

Often the online marketplaces sell only partial information about an individual that can then be fleshed out over a period of time.

One site visited by journalists allowed users to bulk purchase Paypal accounts for US$1 per account, with a minimum purchase of 100 at a time.

The store, which also purported to sell EBay accounts, offered an 80 per cent working guarantee.

On its own, a person’s streaming service account details – a username and password – could be seen as innocuous. But profiles can then be “enriched”, often over a series of months or even years.

If, like half of all internet users, a person uses the same password for multiple accounts, login details could be crucial to gaining access to a person’s email address – and with it a host of other accounts simply by pressing the “forgotten password” button.

Once the identity is “rich” enough, fraudsters can then open credit card accounts in a person’s name, buy goods and transfer money.

They can also sell on the so-called “full person profile” in bulk.

“If someone knows your email, where you live and your date of birth it becomes quite a rich record,” Ms Mills said.

“Once that information is gathered they can then sell it to a gang to ‘phish’ for your banking details.”

Chief Inspector Scott Tees, Police Scotland Safer Communities, said: “Anyone who feels they have fallen victim to cybercrime in any form is always encouraged to come forward and report it to us.

“If you suspect you have been targeted, please contact us on 101.

“The most effective way for people to protect their identity and avoid fraud online is to stay secure. Prevention is key.”