Stolen credentials belonging to South Africans are being sold for as little as R100 on the dark web, underscoring the growing wave of data breaches hitting the country.
This is according to cyber security experts in e-mail interviews with ITWeb amid the rising number of data breaches among local organisations.
The dark web is a hidden part of the internet that isn’t indexed by standard search engines like Google or Bing and requires special software – most commonly Tor Browser – to access.
It sits within the broader deep web (everything online that isn’t publicly searchable, like e-mail inboxes or banking portals), but the dark web is deliberately concealed and anonymised. This makes it attractive for privacy-focused users such as journalists and activists – but also for illegal activities.
Because identities are harder to trace, the dark web has become known for marketplaces where stolen data (like passwords or ID numbers), hacking tools and other illicit goods are bought and sold.
Standard Bank recently confirmed a data breach involving unauthorised access to certain client information, including personal identifiers, while stressing that core banking systems were not compromised.
Its subsidiary Liberty Group also experienced a related incident exposing customer data, prompting forensic investigations.
In the public sector, Statistics South Africa reported a cyber security breach affecting internal HR systems, raising concerns about government exposure.
More recently, Polmed, the medical aid scheme for members of the South African Police Service, disclosed a potential data breach involving sensitive member information, further underscoring the vulnerability of healthcare and financial data.
Collectively, these incidents point to an escalating and sustained pattern of data breaches targeting critical institutions across the country.
Modus operandi
Shayimamba Conco, security evangelist for Africa at Check Point Software Technologies, says on the dark web, criminals now operate like online businesses, selling tools and services that allow almost anyone to launch attacks.
“In South Africa, there has been a sharp increase in stolen usernames and passwords, often collected using malicious software. Attackers are also using automation and AI [artificial intelligence] to scale their efforts, meaning organisations are being targeted more frequently and more efficiently than before.”
Dr Manny Corregdor, CEO of information security firm Telspace Africa, says there are several different ways in which credentials could end up on dark web marketplaces.
The first is infostealer malware, where the victim installs credential-stealing malware (malicious software) on their device.
“Once the device is infected, the malware silently extracts all stored login information, whether saved in browsers or on the device itself,” says Corregdor.
He adds that cyber criminals are increasingly using phishing and social engineering to harvest credentials – sending targeted e-mails or attachments that trick victims into “logging in”, with AI now enabling highly personalised, convincing attacks that are far harder to detect.
At the same time, he points out that large-scale data breaches are fuelling the trade, with stolen usernames, passwords, ID numbers and financial details packaged and sold on dark web forums.
These marketplaces offer a wide range of sensitive data, from corporate access credentials and banking information to personal identity records, medical data, social media accounts and even verified entry points into company networks.
According to Conco, the most common data being sold on the dark web includes e-mail addresses and passwords, often in large batches.
However, he notes that criminals are increasingly trading more advanced information, such as browser session data, which can allow them to access accounts without even needing a password. Financial details, access to company systems and sensitive business documents are also commonly sold, depending on the value of the target, he adds.
“Stolen credentials are surprisingly cheap. Basic login details can cost just a few rand, while access to more valuable systems, such as company networks, can still be sold for under R100 in some cases. Because there is so much stolen data available, prices are low, making it easy for cyber criminals to buy what they need and launch attacks,” says Conco.
Corregdor notes that pricing on the dark web is dynamic, and depends on factors such as the freshness of the data, its completeness, the seller's reputation and whether security controls such as multi-factor authentication can be bypassed.
Get specialised tools
He says the encrypted and anonymous nature of the dark web makes it extremely difficult for security teams to detect exposed credentials or data leaks without specialised tools.
“While organisations can deploy dark web monitoring services that scan forums, breach databases and threat actor marketplaces for compromised credentials, or rely on threat intelligence feeds that flag when their data appears online, these approaches are not foolproof. Even free tools such as Have I Been Pwned can help identify known breaches, but no solution guarantees full visibility.”
Corregdor also notes that monitoring should extend beyond the dark web to include the surface and deep web for broader coverage.
Conco concurs that organisations usually find out through specialised monitoring services that scan the dark web for leaked data linked to their business.
“In some cases, they only become aware after suspicious activity occurs, such as unusual login attempts or accounts being misused. This is why continuous monitoring is important, as it helps detect exposure early before it leads to a bigger incident.”
If information is found on the dark web, Conco urges organisations to act quickly. “This includes changing affected passwords, enabling additional security measures like multi-factor authentication, and logging users out of active sessions.
“It is also important to investigate how the data was exposed and to check whether attackers have gained further access. Strengthening overall security and educating users can help prevent the same issue from happening again.”

