What happens when stolen personally identifiable information (PII) is made public? Recently, the Federal Trade Commission (FTC) attempted to answer this question by designing and conducting a study to track the use of stolen information.

To mimic a real-life situation, the FTC created a database of around 100 fake individuals using popular names based on census data, addresses from across the country, email addresses with common naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet, or a credit card).

On two different occasions, the FTC posted the fake data to a website on the dark web commonly used by hackers to purchase stolen information. The results were astonishing. The thieves responded quickly—even within minutes in one instance. After the second posting, it took just nine minutes before someone purchased and tried to use the data.


Overall, there were more than 1,200 attempts to access the payment, email, and credit card accounts. After the first posting, there were 119 unauthorized access attempts; following the second, there were 1,108. Access attempts by unique IP addresses varied drastically (see below), illustrating that multiple thieves attempted to steal data—not just one. Ultimately, data was used to pay for clothing, hotels, online dating memberships, and even pizza.

So, what’s the takeaway? From this data, the FTC concluded the following:

  • Criminals are actively looking to buy and profit from stolen user data.
  • If account data becomes public, it will be purchased and used—quickly!
  • Popular paste sites, where stolen PII data is often dumped, should be actively monitored by email services, payment services, and other application providers, especially when they suspect they have been breached.
  • Two-factor authentication (2FA) can provide protection against stolen credentials.

Multifactor Authentication Is a Cost-Effective Way to Stop Data From Being Stolen

As illustrated by the FTC research, companies must work hard to protect the user data that’s in their care. Criminals will jump on any data that becomes public. It doesn’t matter if the user is an employee, student, partner, contractor, vendor, or customer. Organizations must work proactively to protect ALL users.

As the final FTC takeaway highlights, best practices alone aren’t enough. It’s also essential to protect sensitive PII data by controlling access to it with two-factor authentication, which requires two of the following three types of identity verification:

  • Something users know (e.g. password)
  • Something users have (e.g. token)
  • Something users are (e.g. fingerprint)

However, to truly protect identity and account data, we suggest taking things one step further by enforcing multifactor authentication (MFA). Whereas 2FA requires two types of identity verification, MFA requires users to present all three, which adds an extra layer of protection. Plus, the good news is that MFA is easier and more cost-effective to deploy than you might think.

There are many frictionless MFA options—such as OTP, push, Bluetooth, fingerprint biometrics, and facial recognition—that no longer require a compromise between security and convenience. The best of these MFA solutions ensure that those with access are fully verified and trusted by addressing the shortcomings of passwords—or in some situations, even eliminating them entirely. For example, RapidIdentity PingMe™ and the RapidIdentity mobile app integrate with an MFA server to create an alternative to outdated password solutions. The app eliminates password fatigue by enabling users to verify their identities through push notifications sent directly to their mobile phones. This frictionless MFA solution can be applied to on-premises and cloud-based systems and even at the device level, should critical data be stored locally.

It only takes minutes for data to be sold and used. The best way to prevent this from happening is to ensure that data is never stolen to begin with by putting additional layers of protection in place with two-factor authentication or multifactor authentication. Modern, smartphone-based MFA provides additional security layers to your critical systems and sensitive data. For the right people and systems, MFA is extremely cost-effective, especially when you consider the total cost of dealing with a significant breach.