Fullz for sale: What it means for your security posture

“Fullz” is a slang term used by cybercriminals trading in stolen data. It refers to data packages that contain full sets of data needed to steal someone’s identity. A typical fullz package includes name, address, Social Security number, date of birth, and even credit card details. 

In the highly evolved and mature cybercrime economy, the sale of that data—often originally exposed in corporate and institutional data breaches—enables huge amounts of identity theft and fraud. If you’re a criminal buying fullz, you’re getting everything you need to start committing fraud. 

The underground market for this information is thriving. Prices can vary widely, from just a few dollars to hundreds per record. Here’s a typical posting, with upshop33 hosting an auction for what appears to be nearly 16,000 records, each including social security numbers and driving licenses. 

Cybersecurity implications

The implications for cybersecurity are twofold. In the first place, it’s clear that organizations of any size that are storing personally identifiable information need to employ best security practices to protect it from being breached. That includes advanced email protection, network protection, and application protection. 

But it also means that vast amounts of usable credentials and other personal data are already out there, for sale on the dark web, ready to be used to gain a foothold in your network. It’s why we sometimes call this the “post-breach” era. That reality demands a more robust approach to access controls. 

Zero trust for the post-breach era

At a bare minimum, multi-factor authentication can guard against many attempts to use stolen credentials. But in the era of vast stores of fullz data offered to the highest bidder, a well-implemented zero-trust strategy can provide a far higher level of security. 

With the zero trust model, every user, device, location, time, and application must be authenticated and authorized before accessing any resources, regardless of whether they are inside or outside the network. This significantly reduces the risk of unauthorized access even by criminals who have acquired fullz data packages including credentials.

The dark-web market for stolen data is thriving, creating a new reality for cybersecurity professionals. The key to success is to remain adaptable, and to respond strategically to an ever-changing threat landscape.