The answer varies from one hacker to the next, but the short answer is 'not very long.' The more precise answer, at least in the case of New Egg and British Airways, (both of whom were hacked recently) is, 'just over one week.'
According to a recent report published jointly by RiskIQ and Flashpoint, credit card information stolen from both companies is already available for sale. In fact, by the time you read these words, it may already be in use by other hackers who purchased the data on the Dark Web.
The two companies identify "Group 6" as being the group behind the New Egg and British Airways attack. They highlighted the fact that the attack was extraordinarily selective. The group specifically targeted organizations guaranteed to have a high volume of both traffic and completed transactions.
The report features screenshots of an ad posted on the Dark Web advertising a dump of more than 500,000 credit card numbers and complete payment details being sold at prices ranging from $9 to $50 each.
In spite of this, British Airways continues to insist that there have been no verified instances of compromised card numbers from their system. Unfortunately, BA's word on the matter is scant comfort and no protection whatsoever.
ESET UK cyber security expert Jake Moore offered this advice to BA users, and others who may have had their payment information compromised:
"If your data was included in this (or any) breach, and if you haven't already, you'll need to take action to protect yourself. Call your bank or card issuer, cancel the card and request a new card. No bank will ever mind being contacted for you being cautious."
Excellent advice all around.