3.9 Billion Passwords Stolen--What You Need To Know

https://www.forbes.com/sites/daveywinder/2025/02/23/hackers-share-39-billion-stolen-passwords-what-you-need-to-know/

ByDavey Winder, Senior Contributor. Davey Winder is a veteran cybersecurity writer, hacker and analyst.

Update, Feb. 23, 2025: This story, originally published Feb. 22, has been updated with a new warning from the head of engineering at NordPass about how AI is coming for your passwords next and how to protect against the threat.

Considering just how many infostealer malware warnings have been issued recently, from macOS-specific threats, to those targeting a broad sweep of Gmail and Outlook email users, there can be little doubting that cybercrime actors are coming for your passwords. Now the true reach of the infostealer malware threat has been laid bare by a threat intelligence agency which specializes in leveraging dark web data, and the picture it paints is a scary one. Here’s what you need to know.

Infostealers Behind 3.9 Billion Stolen Passwords Shared By Hackers

More than 4.3 million machines were infected by infostealer malware across 2024, responsible for an astonishing 330 million credentials being compromised, according to the latest KELA state of cybercrime report, published Feb. 20. And if you thought that was a shocking number, I hope you are sitting down as it gets even worse. The KELA analysts said they had observed 3.9 billion passwords “shared in the form of credentials lists that appear to be sourced from infostealer logs.” Just three strains of this insidious malware threat, Lumma, StealC, and Redline, were responsible for 75% of all infected systems. “Underground economies, from malware-as-a-service to stolen credential marketplaces, contributed to a powerful infrastructure supporting a range of malicious activities,” David Carmiel, CEO at threat intelligence analysts KELA, said.

Malicious activity that includes the likes of both ransomware attacks and espionage campaigns. “Infostealers’ appeal,” the report suggested, “lies in their efficiency and scalability, enabling attackers to compromise large volumes of accounts, both personal and corporate.” By doing so, this particular malware menace becomes something of a self-fulfilling password theft prophecy, with lists of compromised credentials being sold on underground criminal marketplaces that are used to aid further attack campaigns and garner more credentials that can be sold and so on. Almost 40% of the infected machines to be found within KELA’s “data lake” included credentials for sensitive corporate systems such as content management systems, email, Active Directory Federation Services, and remote desktop. In all, accounting for nearly 1.7 million bots and 7.5 million compromised credentials. “Based on KELA’s analysis,” the report stated, “the dataset primarily (almost 65%) contained personal computers that had corporate credentials saved on them and thus obtained by infostealer malware."

More at link.