Dark Web News Analysis
A threat actor on a known cybercrime forum is making the extraordinary claim that it is selling unauthorized access to over 170,000 email accounts. According to the seller’s post, the compromised accounts span 12,000 different domains and include both corporate and personal email addresses. The seller is marketing the access with professional tactics, including video proof and an offer to use a trusted escrow service for transactions. The price for access reportedly varies by domain, country, and the quantity of accounts purchased.
This claim, if true, represents the sale of a massive “supermarket” for corporate and personal fraud. Access to legitimate email accounts is a highly valuable commodity for criminals, as it is the primary tool for launching some of the most damaging cyberattacks. This includes Business Email Compromise (BEC), where an attacker uses a real employee’s mailbox to trick colleagues or partners into sending fraudulent wire transfers. The sheer scale of this offering suggests the credentials were likely harvested through large-scale phishing campaigns or widespread infostealer malware infections.
Key Cybersecurity Insights
This alleged access sale presents a critical and widespread threat:
- A “Supermarket” for Business Email Compromise (BEC): The most severe risk is that this service provides a one-stop-shop for BEC attacks. Criminals can purchase access to a real employee’s email account and use that trusted identity to send fraudulent invoices or payment instructions to partners, colleagues, or clients, making the scam nearly impossible to detect.
- Widespread Account Takeover and Data Theft: For each of the 170,000 compromised accounts, an attacker has the “keys to the kingdom” of that user’s digital life. They can read all historical and incoming emails to steal sensitive data, trade secrets, and PII. They can also use the “forgot password” feature on other websites to methodically take over all of the victim’s other online accounts.
- Indication of a Massive, Ongoing Credential Harvesting Operation: The source of 170,000 credentials across 12,000 unique domains is not a single data breach. This is the product of a large-scale, continuous credential harvesting operation, almost certainly powered by widespread phishing campaigns or infostealer malware.
Mitigation Strategies
In response to the constant threat of email account compromise, all organizations and individuals must prioritize email security:
- Mandate Multi-Factor Authentication (MFA) Universally: This is the single most important defense against this threat. A password alone is no longer a sufficient defense for email. Enforcing MFA ensures that even if an employee’s password is stolen, the attacker cannot log in to their mailbox without the second factor.
- Conduct Continuous Security Awareness Training: The most common way email accounts are initially compromised is through phishing. Organizations must provide continuous and engaging security awareness training to teach employees how to spot and report sophisticated phishing attempts before they give away their credentials.
- Deploy Proactive Credential Monitoring: All businesses must use services that actively monitor dark web forums and marketplaces for their corporate email addresses and domains. This provides an early warning when an employee’s credentials have been compromised, allowing the security team to force a password reset and prevent a full breach.
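The credential-monitoring step above, matching monitored corporate domains against a listing of accounts for sale, as an added example (not Brinztech's code or a real feed): the listing rows and the monitored domains are constructed sample data, and the matcher treats subdomains of a monitored domain as hits while skipping malformed rows and look-alike suffixes.

```python
"""Triage a credential-for-sale listing against an organisation's own domains."""
from collections import defaultdict

# Constructed sample rows in the shape "email,country,source" (not real data).
SAMPLE_LISTING = """\
j.doe@Acme-Corp.example,US,infostealer
finance@mail.acme-corp.example,US,phishing
j.doe@acme-corp.example,US,phishing
ceo@otherfirm.example,DE,infostealer
not-an-email,XX,unknown
accounts@acme-corp.example.evil.test,RU,phishing
"""

# Domains the security team is responsible for (assumed, constructed).
MONITORED_DOMAINS = {"acme-corp.example", "subsidiary.example"}


def registrable_matches(domain, monitored):
    """Return the monitored domain that `domain` equals or is a subdomain of, else None.

    The suffix check aligns on a label boundary, so acme-corp.example.evil.test
    does not match acme-corp.example while mail.acme-corp.example does.
    """
    domain = domain.lower().rstrip(".")
    for m in monitored:
        if domain == m or domain.endswith("." + m):
            return m
    return None


def triage_listing(listing_text, monitored):
    """Parse listing rows and return {monitored_domain: sorted unique emails}.

    Rows without exactly one '@' or with an empty local part or domain are
    skipped so they cannot poison the forced-reset queue. Addresses are
    lower-cased for de-duplication (a simplification for local parts).
    """
    hits = defaultdict(set)
    for line in listing_text.splitlines():
        parts = line.strip().split(",")
        if not parts or parts[0].count("@") != 1:
            continue
        local, _, domain = parts[0].partition("@")
        if not local or not domain:
            continue
        owner = registrable_matches(domain, monitored)
        if owner:
            hits[owner].add(parts[0].lower())
    return {d: sorted(emails) for d, emails in hits.items()}


if __name__ == "__main__":
    for dom, emails in triage_listing(SAMPLE_LISTING, MONITORED_DOMAINS).items():
        print(f"{dom}: {len(emails)} account(s) to force-reset -> {emails}")
```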
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com