In the past year, numerous data breaches have led to countless account numbers and personally identifiable records being stolen. When that happens, the cache of information finds its way to the commerce sites on the dark web. In this segment on NPR, reporter Stacy Vanek Smith interviews cybersecurity journalist Brian Krebs to follow the data.

Krebs make the whole process sound remarkably easy. And for most hackers, it is. The main reason, he says: “It’s 2018 and we’re still stuck with stupid passwords.”

Hackers know they can sell account credentials on the dark web the same way retailers sell blenders on legitimate websites. According to Krebs, a big draw for those who buy stolen account information is to exploit points programs. For instance, a person who has built up points with a merchant, like Best Buy for example, could find themselves eventually with a points deficit. Explaining how it works, Krebs says, “I could in theory sign into your Best Buy account, change your address, and you would be none the wiser when they send me a set of $400 Bose headphones.”

While many may think they’re not a target, Krebs sets the record straight. “You have probably 20, 30 sets of credentials stored in your browser or on your computer that have value. You may not think that they do, but they absolutely do. And this service … puts a pretty fine point on that.”

Get the full story at NPR.