Nearly 20m items of personal data were traded illegally over the internet in the first half of this year, as more people went online.
The amount of illegal data in circulation is on track to quadruple from 2010 by the end of this year, according to research by Experian, the credit checking agency.
The sharp rise came as consumers have more accounts online than before, making transactions online, from bank payments to utility and council tax bills. The average Briton now has about 26 accounts online and those aged 25-34 have about 40 accounts.
Despite efforts to toughen sanctions against companies who do not properly safeguard their customers' data, the amount being circulated by criminals has continued to grow.
Data are sold by hackers on auction-like black market sites, where information to authenticate credit card accounts sells for $1-$30 an account depending on the card credit limit. Passwords for email accounts sell for $1-$20.
About 90 per cent of illegally traded personal data involves the combination of an account name and password, Experian said. The most prevalent form of identity theft is account takeover, where someone simply begins using a consumer's email or bank account. Fraudsters can also set up new accounts in a user's name, running up bills which can take a long time to sort out with creditors.
Peter Turner, managing director at Experian Consumer Services in the UK and Ireland, said consumers had become too complacent when they went online.
"Although 14 per cent of Britons admit to being concerned about the risk of online ID theft, many more, 43 per cent, have no such worries," he said.
People's behaviour can make them more prone to having their data hacked. Three-fifths of internet users never log out of websites and a quarter never check whether a website they are visiting is marked with an image of a security padlock to denote that it is a secure site.
Consumers also frequently reuse the same password for many sites â€“ a quarter use a single password for most of their accounts, according to research from Experian this year. Many also use simple, easy-to-crack passwords, such as dictionary words or names of pets. Mr Turner recommends having unique passwords for at least the main email account and for any online banking services.
As part of its research Experian set up eight fake email accounts to see what would happen when hackers got hold of the details. All eight were taken over within five hours, by criminals based in countries ranging from Albania to South Africa.
The first messages to be read in the account were emails related to passwords, followed by messages between friends and family.
Experian tracked about 9.49m items of personal data being traded in 2010, rising to 19.04m last year and likely to be nearly 40m by the end of 2012.