Update, Jan. 23, 2025: This story, originally published Jan. 21, has now been updated with details from a new report revealing how some stolen passwords belonging to cybersecurity vendors are being sold for $10 each on the dark web, as well as further technical information and analysis regarding how threat actors use malware to steal passwords.
It seems that, despite the evolution of passkey adoption, passwords are in the news once more for all the wrong reasons. Whether it’s a new list of hacked passwords that you should change immediately if used on any of your accounts, or a critical password-stealing threat lurking stealthily in your email, a light is being shone upon the insecurity of passwords. Now a new security alert has been issued as researchers confirm that malware has stolen more than 1 billion passwords. Here’s what you need to know.
1 Billion Passwords Stolen By Malware
The 2025 Breached Password Report from the Specops Software research team is as worrying as it is new. Published Jan. 21, the report is an analysis of more than a billion passwords that have been stolen by malware. Yes, you read that right: one billion compromised credentials. To say that this number should be a concern to everyone, consumers and organizations alike, must surely qualify as the understatement of the year so far. “Even if your organization’s password policy is strong and meets compliance standards,” Darren James, senior product manager at Specops Software, said, “this won’t protect passwords from being stolen by malware.” In fact, James continued, Specops researchers have seen “many stolen passwords in this dataset” that exceed the length and complexity requirements established by numerous cybersecurity policies and regulations. Throw password reuse into the mix, and it’s hardly a surprise that the situation is not only frightening but critically dangerous as far as account compromise is concerned.
In total, 1,089,342,532 stolen passwords captured over a 12-month period were analyzed for this report.
Across 2024, the Specops threat intelligence team collected data on the theft of credentials by malware, data that was then meticulously analyzed to provide insight into how users are choosing and abusing passwords. “By examining real-world password data and analyzing the techniques used by attackers,” the researchers said, “we hope to provide you with actionable insights and recommendations to enhance your security protocols and protect against the threat of malware-stolen credentials.”
How Threat Actors Use Malware To Steal Passwords—An Analysis
There are cybercriminals and hackers, and then there are initial access brokers. This particular breed of threat actor specializes in trading stolen credentials, including passwords that are then used by hackers to gain initial access, as the name rather gives away, to target networks or accounts. But where do these initial access brokers get the passwords from? Good question, and the answer is most commonly, low-level threat actors use malware, specifically infostealers, to obtain them. “Understanding how infostealers work can help in developing better security practices and defenses against them,” the Specops analysis stated, “it’s important to keep software up to date, use strong and unique passwords, and employ multi-factor authentication where possible.”
The infostealer malware password attack flow can be broken down as follows.
Infection: Infostealers can infect a system through various means, such as phishing emails, malicious downloads or exploiting vulnerabilities in software.
Persistence: To ensure they can continue to gather data over time, infostealers often establish persistence mechanisms such as malicious registry entries, system file modifications or even adding themselves to startup processes.
Data collection: Infostealers search for and collect sensitive information by targeting browsers (extracting saved passwords, cookies and autofill data), email clients (login credentials and other data), FTP clients, file systems and the clipboard.
Exfiltration: Stolen data is then moved to remote command-and-control servers using web protocols, email or FTP servers.
Evasion: To evade detection, infostealers can employ code obfuscation, compression, stealthy communications and rootkits to hide on the system.
Execution: Infostealers can be programmed to run at specific times or under certain conditions to avoid suspicion. “For example,” the report said, “they might only activate when the user is not actively using the computer.”
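As an added illustration, not code from the Specops report, here is a small Python triage routine that scores process activity for the data-collection, persistence and exfiltration steps above: reads of browser credential stores by a process that is not a browser, a Run-key write, and an outbound connection after those reads. The event records, process names and addresses are constructed; the field names are an assumed Sysmon-like schema, not any product's real format; the store paths (Chromium's `Login Data` and `Cookies`, Firefox's `logins.json` and `key4.db`) are the real on-disk files infostealers harvest, and the scoring weights are arbitrary.

```python
import re
from collections import defaultdict

# Files that hold browser-saved credentials and session cookies. Chromium-based browsers
# keep saved logins in "Login Data" and cookies in "Cookies" (newer builds: Network\Cookies)
# under each profile; Firefox keeps logins in logins.json, decryptable with key4.db.
CREDENTIAL_STORES = [
    ("chromium_logins",  re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)),
    ("chromium_cookies", re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.IGNORECASE)),
    ("firefox_logins",   re.compile(r"\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.IGNORECASE)),
]
# Classic autostart persistence location written by many stealers.
PERSISTENCE_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Browsers legitimately read their own stores; any other image doing so is the signal.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed, Sysmon-like event records (assumed schema, not real telemetry).
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4120, "image": "chrome.exe", "type": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 2, "pid": 7788, "image": "update_helper.exe", "type": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 3, "pid": 7788, "image": "update_helper.exe", "type": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 4, "pid": 7788, "image": "update_helper.exe", "type": "file_read",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"},
    {"ts": 5, "pid": 7788, "image": "update_helper.exe", "type": "registry_set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateHelper"},
    {"ts": 6, "pid": 7788, "image": "update_helper.exe", "type": "network_connect",
     "dest": "203.0.113.10:443"},
    {"ts": 7, "pid": 9001, "image": "notepad.exe", "type": "network_connect",
     "dest": "198.51.100.5:80"},
]


def classify_path(path):
    """Return the credential-store family a file path belongs to, or None."""
    for family, pattern in CREDENTIAL_STORES:
        if pattern.search(path):
            return family
    return None


def triage(events):
    """Correlate per-process events; return findings for processes that read credential stores.

    Score (arbitrary weights): 3 per distinct store family read by a non-browser process,
    +2 for a Run-key write, +2 for an outbound connection after the first store read.
    """
    per_pid = defaultdict(lambda: {"image": None, "stores": set(), "persistence": False,
                                   "first_store_read": None, "exfil_after_read": False})
    for ev in sorted(events, key=lambda e: e["ts"]):
        p = per_pid[ev["pid"]]
        p["image"] = ev["image"]
        if ev["type"] == "file_read":
            family = classify_path(ev["path"])
            if family and ev["image"].lower() not in BROWSER_IMAGES:
                p["stores"].add(family)
                if p["first_store_read"] is None:
                    p["first_store_read"] = ev["ts"]
        elif ev["type"] == "registry_set" and PERSISTENCE_KEY.search(ev["path"]):
            p["persistence"] = True
        elif ev["type"] == "network_connect" and p["first_store_read"] is not None:
            p["exfil_after_read"] = True

    findings = {}
    for pid, p in per_pid.items():
        if not p["stores"]:
            continue  # no credential-store access by a non-browser: nothing to report
        score = 3 * len(p["stores"]) + (2 if p["persistence"] else 0) + (2 if p["exfil_after_read"] else 0)
        findings[pid] = {"image": p["image"], "stores": sorted(p["stores"]),
                         "persistence": p["persistence"], "exfil_after_read": p["exfil_after_read"],
                         "score": score}
    return findings


if __name__ == "__main__":
    for pid, f in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({f['image']}): score {f['score']} stores={f['stores']} "
              f"persistence={f['persistence']} exfil_after_read={f['exfil_after_read']}")
```

The browser process that reads its own `Login Data` and the editor that merely opens a socket produce nothing; only the unsigned-looking helper that touches three store families, writes a Run key and then calls out is reported. In a real deployment the same correlation would run over Sysmon event IDs 1, 11/10, 13 and 3, and the store paths would be extended per browser and profile layout.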
These Passwords Can Be Bought For $10—What You Need To Know
A new report from security researchers at Cyble has revealed that account credentials, including passwords, from a number of significant cybersecurity vendors have been stolen and made available for sale on dark web illicit cybercriminal marketplaces. I won’t be naming the vendors here on the basis that to do so could cause more security problems than doing so would address.
The credentials, from some of the biggest cybersecurity vendors and numbering in the thousands according to Cyble researchers, go to prove that the issue of malware stealing passwords extends way beyond consumers. The blame has been put firmly on info stealers here, the reach of which appears to have no bounds. The Cyble threat intelligence data analysis found credentials to everything from internal accounts to customer accounts, from cloud and web-based environments, including “security company enterprise and development environments that could pose substantial risks.”
Unlike the 1 billion stolen passwords in the Specops report, which stretched back across the last 12 months, the Cyble data is fresher and more worrying as a result. Such credentials have a limited shelf life, especially when they belong to security professionals at large cybersecurity organizations, since the older they are, the more likely it is they have already been changed. For that reason, “Cyble researchers looked only at credentials leaked since the start of the year,” the report said. With 13 of the largest enterprise and consumer security companies forming the basis of the analysis, Cyble found credentials from them all on the dark web. “The credentials were likely pulled from info stealer logs,” the researchers said, “and then sold in bulk on cybercrime marketplaces.” This reflects the methods used more generally by password-stealing malware and the hackers who then sell them on via criminal markets. Most of the stolen passwords, Cyble reported, would appear to have been customer credentials that are meant to protect access to management and account interfaces, and the sensitive information available beyond those boundaries. All of the cybersecurity vendors in the Cyble analysis, however, also had “access to internal systems leaked on the dark web,” the report stated.
Now, it has to be said that the accounts in question would, one would hope and assume, be protected by multiple layers of security including two-factor authentication. This doesn’t, however, mean that the discovery of these passwords is not a highly serious issue. “Even if accounts are protected by multi-factor authentication,” Cyble said, “leaked credentials can aid hackers in reconnaissance and system exploitation.” By way of example, Cyble highlighted how one of the largest security vendors “may have more sensitive accounts exposed” because company email addresses were also listed among the credentials for several sensitive accounts, including developer and product account interfaces and customer data. “Depending on the privileges granted to those accounts,” Cyble warned, “the exposure could be substantial.”
And, even if all the accounts were 2FA-protected, there’s still that hacker reconnaissance issue to consider. Advanced criminal and hacking groups use leaked credentials to gather information about the systems a target uses, including the locations of sensitive data and potential vulnerabilities that can be exploited. “Other sensitive information exposed by info stealers could include URLs of management interfaces that are unknown to the public,” Cyble warned, “which would give hackers further recon information.” The solution, beyond the usual best practices, Cyble said, must include dark web monitoring as an early warning system. “Dark web monitoring is an under-appreciated and cost-effective security tool for one very big reason,” Cyble said, “credential leaks frequently come before much bigger security incidents like data breaches and ransomware attacks.”
Analyzing 1 Billion Compromised Passwords
The Specops researchers said that, of the more than a billion compromised passwords analyzed, a staggering 230 million actually met the standard complexity requirements found in numerous organizations and used by many consumers. If proof is needed that these requirements are past their sell-by date, this is it. A password with over eight characters, including a capital, a number and a special character, is not, by itself, fit for purpose. Indeed, to further emphasize this point, the analysis found more than 350 million passwords exceeding 10 characters in the dataset; 92 million of those were 12 characters in length. Size, when it comes to credentials, really isn’t everything, although, that said, “long and strong” remains a valid motto, the researchers said, when it comes to password construction. I usually recommend using a unique and randomly generated password of 20 characters using a password manager.
“Hackers favor malware-stolen credentials as they’re easy to obtain, use, and sell,” the researchers said, with the most commonly used information-stealing malware found to be Redline, Vidar and Raccoon Stealer. The report itself goes into more depth on this and is well worth a read. The real takeaway from the analysis, in my never humble opinion, is that malware is one of the main reasons that reusing your passwords is so dangerous. I’ve already mentioned password managers in passing, and now I’m going to advise that all consumers download one of the leading players in this space, such as 1Password or Bitwarden, and use that application to do a security audit of their passwords. Ensure all your passwords are unique and strong, replace any that have been reused, and do so as a matter of some urgency unless you want to find yourself added to the 1 billion stolen passwords list.
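As an added example, not code from the Specops report or from any password manager, here is the audit described above in Python: a constructed vault export is checked for reuse across sites, length below the 20-character recommendation, and presence in a breached-password corpus. It also records whether each flagged password satisfies the legacy “eight characters, upper, lower, digit, symbol” rule, to show the report’s point that meeting complexity rules does not keep a password out of a stealer log. The breach check models the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API, where only the first five hex characters of a SHA-1 hash leave the machine; here a constructed local set stands in for the service, and the sites, usernames and passwords are invented.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 20  # the article's recommendation for generated passwords


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the form used by Pwned Passwords range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def meets_legacy_complexity(password):
    """The classic 8+ chars, upper, lower, digit, symbol rule that 230M stolen passwords still met."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def range_query(prefix, corpus):
    """Simulate the k-anonymity range endpoint: given a 5-char prefix, return matching hash suffixes.

    A real client would send only `prefix` over the network; the full hash never leaves the host.
    """
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached(password, corpus):
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5], corpus)


def audit(vault, corpus):
    """Return a finding per vault entry with at least one issue, in vault order."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])

    findings = []
    for entry in vault:
        pw = entry["password"]
        issues = []
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if len(pw) < MIN_LENGTH:
            issues.append("short")
        if is_breached(pw, corpus):
            issues.append("breached")
        if issues:
            findings.append({"site": entry["site"], "username": entry["username"],
                             "issues": issues, "meets_legacy_complexity": meets_legacy_complexity(pw),
                             "also_used_on": [s for s in sites_by_password[pw] if s != entry["site"]]})
    return findings


# Constructed vault export (invented sites and secrets, not real data).
SAMPLE_VAULT = [
    {"site": "mail.example", "username": "alice", "password": "Summer2024!"},
    {"site": "bank.example", "username": "alice", "password": "Summer2024!"},
    {"site": "shop.example", "username": "alice", "password": "correct horse battery staple"},
    {"site": "vpn.example",  "username": "alice", "password": "xK9#mQ2vL8pR4wN7tY3bZ6cF"},
]

# Constructed stand-in for a breached-password corpus; a real check would query the range API.
BREACHED_SHA1 = {sha1_hex("Summer2024!"), sha1_hex("password1")}


if __name__ == "__main__":
    for f in audit(SAMPLE_VAULT, BREACHED_SHA1):
        print(f"{f['site']}: {', '.join(f['issues'])}"
              f" (passes legacy complexity: {f['meets_legacy_complexity']};"
              f" also used on: {f['also_used_on'] or 'none'})")
```

The two entries sharing `Summer2024!` are reported as reused, short and breached even though the password passes the legacy complexity rule; the long passphrase and the generated 24-character secret produce no findings.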
