It seems that, despite the evolution of passkey adoption, passwords are in the news once more for all the wrong reasons. Whether it’s a new list of hacked passwords that you should change immediately if used on any of your accounts, or a critical password-stealing threat lurking stealthily in your email, a light is being shone upon the insecurity of passwords. Now a new security alert has been issued as researchers confirm that malware has stolen more than 1 billion passwords. Here’s what you need to know.
1 Billion Passwords Stolen By Malware
The 2025 Breached Password Report from the Specops Software research team is as worrying as it is new. Published Jan. 21, the report is an analysis of more than a billion passwords that have been stolen by malware. Yes, you read that right: one billion compromised credentials. To say that this number should be a concern to everyone, consumers and organizations alike, must surely qualify as the understatement of the year so far. “Even if your organization’s password policy is strong and meets compliance standards,” Darren James, senior product manager at Specops Software, said, “this won’t protect passwords from being stolen by malware.” In fact, James continued, Specops researchers have seen “many stolen passwords in this dataset” that exceed the length and complexity requirements established by numerous cybersecurity policies and regulations. Throw password reuse into the mix, and it’s hardly a surprise that the situation is now not only frightening but critically dangerous as far as account compromises are concerned.
In total, 1,089,342,532 stolen passwords captured over a 12-month period were analyzed for this report.
Across 2024, the Specops threat intelligence team collected data on the theft of credentials by malware, data that was then meticulously analyzed to provide insight into how users are choosing and abusing passwords. “By examining real-world password data and analyzing the techniques used by attackers,” the researchers said, “we hope to provide you with actionable insights and recommendations to enhance your security protocols and protect against the threat of malware-stolen credentials.”
How Threat Actors Use Malware To Steal Passwords—An Analysis
There are cybercriminals and hackers, and then there are initial access brokers. This particular breed of threat actor specializes in trading stolen credentials, including passwords, which other hackers then use to gain initial access, as the name rather gives away, to target networks or accounts. But where do these initial access brokers get the passwords from? Good question, and the answer is that, most commonly, lower-tier threat actors use malware, specifically infostealers, to obtain them. “Understanding how infostealers work can help in developing better security practices and defenses against them,” the Specops analysis stated. “It’s important to keep software up to date, use strong and unique passwords, and employ multi-factor authentication where possible.”
The infostealer malware password attack flow can be summarized as follows.
Infection: Infostealers can infect a system through various means, such as phishing emails, malicious downloads or exploiting vulnerabilities in software.
Persistence: To ensure they can continue to gather data over time, infostealers often establish persistence mechanisms such as malicious registry entries, system file modifications or even adding themselves to startup processes.
Data collection: Infostealers search for and collect sensitive information by targeting browsers (extracting saved passwords, cookies and autofill data), email clients (login credentials and other data), FTP clients, file systems and the clipboard.
Exfiltration: Stolen data is then sent to remote command-and-control servers over web protocols, email or FTP.
Evasion: To evade detection, infostealers can employ code obfuscation, compression, stealthy communications and rootkits to hide on the system.
Execution: Infostealers can be programmed to run at specific times or under certain conditions to avoid suspicion. “For example,” the report said, “they might only activate when the user is not actively using the computer.”
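Three of the stages above leave traces on the host that a defender can correlate: a process other than the browser, email or FTP client reading those applications' credential stores, a Run key that points back at the writing process, and an outbound connection from a process that has already read credential stores. The script below, an added example that is not code from the Specops report or from any vendor product, runs that correlation over constructed Sysmon-style events. The field names (`event`, `image`, `target`, `value`, `dest`), the stage weights and the flagging threshold are assumptions made for the example; evasion and timed execution are not modelled because they leave no single event to match.

```python
"""Flag the infostealer attack flow in endpoint telemetry.

Added example, not code from the Specops report or any vendor product.
It scores constructed, Sysmon-style events for the three stages that leave
host traces: reading browser/email/FTP credential stores (data collection),
Run-key persistence, and an outbound connection from a process that has
already read credential stores (exfiltration). Field names, weights and the
threshold are assumptions for this example.
"""
import re
from collections import defaultdict

# Credential and session stores an infostealer goes after, keyed by family.
CRED_STORE_PATTERNS = {
    "chromium": re.compile(r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$", re.I),
    "mozilla": re.compile(r"\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
    "filezilla": re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# The applications that legitimately read their own stores.
STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe", "filezilla.exe"}
WEIGHTS = {"collection": 2, "persistence": 2, "exfiltration": 3}


def image_name(path):
    """Lower-case executable name from a full path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exe_in_command(cmd):
    """First *.exe token in a command line, ignoring quotes and arguments."""
    m = re.search(r'([^\\/"]+\.exe)', cmd, re.I)
    return m.group(1).lower() if m else ""


def analyze(events):
    """Return {image: {"stages": [...], "stores": [...], "score": int}} for every
    process that showed at least one stage. Events must be in chronological
    order: an outbound connection only counts as exfiltration after collection."""
    findings = defaultdict(lambda: {"stages": set(), "stores": set()})
    for e in events:
        img = image_name(e["image"])
        f = findings[img]
        if e["event"] == "FileRead":
            if img in STORE_OWNERS:  # a browser reading its own database is normal
                continue
            for family, pattern in CRED_STORE_PATTERNS.items():
                if pattern.search(e["target"]):
                    f["stages"].add("collection")
                    f["stores"].add(family)
        elif e["event"] == "RegistrySet":
            # Persistence: a Run value whose command points back at the writer.
            if RUN_KEY.search(e["target"]) and exe_in_command(e.get("value", "")) == img:
                f["stages"].add("persistence")
        elif e["event"] == "NetworkConnect":
            if "collection" in f["stages"]:
                f["stages"].add("exfiltration")
    result = {}
    for img, f in findings.items():
        if not f["stages"]:
            continue
        # Touching several families' stores is a stronger signal than touching one.
        score = sum(WEIGHTS[s] for s in f["stages"]) + max(len(f["stores"]) - 1, 0)
        result[img] = {"stages": sorted(f["stages"]), "stores": sorted(f["stores"]), "score": score}
    return result


def flagged(events, threshold=5):
    """Images whose combined stage score reaches the threshold."""
    return sorted(img for img, f in analyze(events).items() if f["score"] >= threshold)


# Constructed telemetry for a single host; not from any real incident.
SAMPLE_EVENTS = [
    {"event": "FileRead", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "RegistrySet", "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event": "FileRead", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "FileRead", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"},
    {"event": "RegistrySet", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"event": "NetworkConnect", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest": "203.0.113.7:443"},
]

if __name__ == "__main__":
    for img, f in analyze(SAMPLE_EVENTS).items():
        print(f"{img:14} score={f['score']} stages={f['stages']} stores={f['stores']}")
    print("flagged:", flagged(SAMPLE_EVENTS))
```

On the constructed events, `chrome.exe` reading its own `Login Data` produces nothing, `OneDrive.exe` registering itself in a Run key scores only the persistence weight, and `update.exe` accumulates collection across two store families, persistence and a post-collection connection, which is what pushes it over the threshold. In production the same logic would read from the SIEM rather than a list, and the store patterns would need extending for the other clients the report names.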
Analyzing 1 Billion Compromised Passwords
The Specops researchers said that, of the more than a billion compromised passwords analyzed, a staggering 230 million met the standard complexity requirements found in numerous organizations and followed by many consumers. If proof is needed that these requirements alone are not enough, this is it. A password of more than eight characters with a capital, a digit, a special character and so on is no defense against an infostealer, which reads the password out of the browser's or email client's credential store rather than guessing it. Indeed, to further emphasize this point, the analysis found more than 350 million passwords exceeding 10 characters in the dataset; 92 million of those were 12 characters in length. Size, when it comes to credentials, really isn't everything. That said, "long and strong" remains a valid motto, the researchers said, when it comes to password construction: length and complexity still protect against guessing and cracking, just not against theft. I usually recommend using a unique and randomly generated password of 20 characters using a password manager.
“Hackers favor malware-stolen credentials as they’re easy to obtain, use, and sell,” the researchers said, with the most commonly used information-stealing malware found to be Redline, Vidar and Raccoon Stealer. The report itself goes into more depth on this and is well worth a read. The real takeaway from the analysis, in my never humble opinion, is that malware is one of the main reasons that reusing your passwords is so dangerous. I’ve already mentioned password managers in passing, and now I’m going to advise that all consumers download one of the leading players in this space such as 1Password or Bitwarden and use that application to do a security audit of their passwords. Ensure all your passwords are unique and strong, replace any that have been reused, and do so as a matter of some urgency unless you want to find yourself added to the 1 Billion stolen passwords list.
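The audit recommended above, and the point made earlier that a policy-compliant password can still be a stolen one, can be shown together in a small script. This is an added example, not the Specops dataset or any password manager's code. It checks a vault for reuse across sites, for presence in a breach corpus, and for policy compliance. The breach check follows the k-anonymity design of Have I Been Pwned's Pwned Passwords range API, where the client sends only the first five hex characters of the password's SHA-1 hash and matches the remaining suffix locally; here the "server" is an in-memory index built from a constructed stolen-password corpus so that everything runs offline. The vault entries and corpus are constructed, and the complexity rule is the common "length plus all four character classes" policy rather than any specific regulation.

```python
"""Audit a password vault: reuse, breach exposure and policy compliance.

Added example, not the Specops dataset or any password manager's code.
The breach check copies the k-anonymity design of Have I Been Pwned's
Pwned Passwords range API (client sends the first 5 hex chars of the SHA-1
and matches the rest locally); the "server" is an in-memory index built
from a constructed stolen-password corpus, so the script runs offline.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def meets_complexity(password, min_len=8):
    """The classic policy: minimum length plus upper, lower, digit and symbol."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_len and all(checks)


def build_range_index(stolen_passwords):
    """Index a stolen-credential corpus as a range API serves it: prefix -> {suffix: count}."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in stolen_passwords:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] += 1
    return index


def make_range_query(index):
    """Stand-in for GET /range/{prefix}: only five hex characters leave the client."""
    def range_query(prefix):
        return dict(index.get(prefix, {}))
    return range_query


def pwned_count(password, range_query):
    """How many times the password appears in the corpus; the full hash is never sent."""
    h = sha1_hex(password)
    return range_query(h[:5]).get(h[5:], 0)


def audit(vault, range_query):
    """Per-entry issues: reused across sites, present in the breach corpus, fails policy."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    report = []
    for entry in vault:
        pw = entry["password"]
        issues = []
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if pwned_count(pw, range_query):
            issues.append("breached")
        if not meets_complexity(pw):
            issues.append("fails_policy")
        report.append({"site": entry["site"], "issues": issues})
    return report


# Constructed data: a small vault and a stolen-password corpus (one victim per line).
SAMPLE_VAULT = [
    {"site": "mail.example.com", "user": "alice", "password": "Winter2024!"},
    {"site": "bank.example.com", "user": "alice", "password": "Winter2024!"},
    {"site": "forum.example.org", "user": "alice", "password": "password1"},
    {"site": "vpn.example.com", "user": "alice", "password": "q7Vb#2LmZ9xR!pW4sT8e"},
]
STOLEN_CORPUS = ["Winter2024!", "P@ssw0rd123", "password1", "Winter2024!", "Summer2023$$"]
RANGE_QUERY = make_range_query(build_range_index(STOLEN_CORPUS))

if __name__ == "__main__":
    for row in audit(SAMPLE_VAULT, RANGE_QUERY):
        print(f"{row['site']:18} {row['issues'] or 'ok'}")
```

`Winter2024!` passes the complexity policy and is still flagged twice, once for reuse and once because it sits in the corpus; only the 20-character random password comes back clean. Against the real service the `range_query` function would perform the HTTP request for the five-character prefix and parse the returned `SUFFIX:COUNT` lines, which keeps the same property that the full hash never leaves the machine.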