What is the Cost of Your Data on the Dark Web?

By Andréanne Bergeron, Security Researcher, and Renaud Bergeron, Criminology Intern (University of Montreal)

What is the most valuable type of data to threat actors? To answer this question, we analyzed 348 real data breach listings spanning from 2008 to 2026 from dark and clear web marketplaces.

We actually found that personal health records are the most valuable to threat actors, commanding approximately $300 per record. PINs follow at $196. Credit card numbers, which occupy an outsized share of both public attention and organizational security investment, rank eighth at just $17. 

The gap between cultural perception and market reality is itself a finding: the asset most defenders treat as the crown jewel of breach data is, by the collective valuation of the threat actor population, a mid-tier commodity. Meanwhile, the data categories that receive the least security investment (email addresses, phone numbers, IP addresses) trade for under a dollar each, not because they are harmless, but because they are so abundant that supply has driven the price to near zero. They remain the raw material from which most intrusions begin. This article presents the full pricing hierarchy, explains the market logic behind it, and outlines what it means for defensive prioritization.

Key Takeaways About the Cost of Data on the Dark Web

• Personal data has a clear hierarchy of value in underground markets. Health records dominate by a large margin (~$300 per record), far exceeding financial data like credit cards (~$17), which are often assumed to be the most valuable.
• Context and data combinations strongly influence price. Some seemingly low-value items (e.g., license plates) appear highly valuable because they are typically bundled with richer datasets, highlighting the importance of data context.
• Common data types are cheap but still highly dangerous. Email addresses, phone numbers, and IP addresses are inexpensive (<$1), not because they are harmless, but because they are widely available and often reused across breaches making them key entry points for attacks.
• Underground market pricing provides a practical risk signal for defenders. Data value estimates can help prioritize security efforts: protect high-value categories like health data more aggressively, while recognizing that low-value data may still drive high-volume attack pathways.

Methodology 

Pinning a standalone price to any single piece of personal information is harder than it sounds. Most data is sold in bundles: a breach listing might include names, email addresses, physical addresses, and bank account numbers for millions of users, all priced as a single package. 

To isolate the value of each individual PII type, we built a decomposition model that normalizes each bundle by number of affected users and year of sale (adjusted to 2026 USD), then iteratively attributes price contributions across PII types based on which combinations appear together. Records containing only one user and one PII type received higher weighting, as they provide the cleanest signal.

The dataset spans breaches from 2008 to 2026, affecting anywhere from a few hundred to 2.7 billion users, and covers 25 distinct PII categories.

What the Market Is Actually Telling Us

The results, presented in the graph below, reveal a market that is far more stratified than most defenders assume, and the hierarchy that emerges from the pricing data deserves careful unpacking.

The Highest-Value Category of PII

Personal health data commands a substantial premium over every other category, averaging roughly $300 per record. PINs follow at $196, while bank account numbers and driver’s licenses average around $69 and $67 respectively. By contrast, credit card numbers, despite receiving disproportionate public attention and security investment, rank eighth at approximately $17 per record.

This pricing hierarchy reflects how threat actors evaluate permanence, exploitability, and long-term monetization potential. Health records are particularly valuable because, unlike financial credentials, they cannot easily be cancelled or replaced and enable a broad range of fraud and extortion schemes over extended periods of time (we explore why health data has become the most valuable category of PII in a dedicated companion post, coming soon).

Mid-Tier: Financial Data and Identity Documents

Credit card numbers rank eighth at $17 per record. This relatively modest valuation reflects the narrow monetization window: once a card is reported compromised, its value drops to zero. The market has priced in this temporal constraint. Financial data remains valuable but is treated as a short-lived, high-turnover commodity rather than a durable asset.

The License Plate Anomaly

The license plate anomaly warrants specific attention, as it represents one of the more counterintuitive findings in the dataset. Our model attributes a value of approximately $62 to license plate data which is roughly fifteen times the $4 assigned to social security numbers (SSNs), despite the fact that SSNs form the backbone of identity verification across US financial and government systems, while license plates are, by definition, publicly visible.

The most parsimonious explanation is not that the market has mispriced these assets in isolation, but rather that license plates rarely appear in isolation. They tend to surface in high-value breach bundles alongside vehicle ownership records, insurance data, and location histories. The price attributed to them in those contexts reflects the combination value of the bundle rather than the standalone utility of the plate number itself. This is a useful methodological reminder that dark web pricing is a relational phenomenon: the value of any individual data type is inseparable from the company it keeps.

The Commodity Floor: Cheap but Dangerous

At the opposite end of the spectrum, email addresses ($0.83), phone numbers ($0.97), and IP addresses ($1.15) function as market commodities in the most literal sense. They are widely available, rarely unique to any single breach event, and contribute only marginally to the pricing of more sophisticated data bundles. Their low valuations should not, however, be mistaken for irrelevance. These categories serve a distinct function in the threat actor’s operational toolkit: they are the infrastructure of initial access, the raw material from which phishing campaigns, credential stuffing operations, and social engineering attacks are constructed. Their abundance is precisely what makes them cheap, and their cheapness is precisely what makes them ubiquitous. The price reflects the dynamics of supply, not the magnitude of potential harm.

Defense Prioritization for Security Teams

Market pricing gives defenders a rare, attacker-calibrated signal for risk prioritization. A few implications stand out:

• Health data deserves its own security tier. Most data classification frameworks treat it as sensitive PII alongside financial data. The $300 price point suggests it should be treated as a category unto itself, with stricter access controls, more aggressive monitoring, and heightened scrutiny on any third party that touches it.
• The cheapest data is still the most common breach vector. Email addresses and credentials may be nearly worthless individually, but they are how most intrusions begin. Low market price does not mean low threat, it means high volume.
• Breach monitoring should be weighted by data type. Not all exposure is equal. An organization whose employee health benefit records surface on a dark web forum faces a qualitatively different risk than one whose email list leaks. Knowing what’s out there (and how it’s priced) is the starting point for an accurate response.
  

The underground market for personal data is efficient and unsentimental. The prices it sets reflect real attacker utility. Security teams that understand that logic are better positioned to anticipate where the next high-value target will be.