Security Alert Issued After Billions of Passwords Stolen
This article, originally published on January 21, has been updated with additional technical information and analysis of how malicious actors are using malware to steal passwords.
It seems that despite the shift in password adoption, passwords are once again making headlines for all the wrong reasons. Whether it's a new list of hacked passwords that you should change immediately if they're used on any of your accounts, or a critical password theft threat hiding in plain sight in your email, a spotlight is shining on password insecurity. A new security alert has been issued after researchers confirmed that malware has stolen more than a billion passwords. Here's what you need to know.
1 Billion Passwords Stolen by Malware
The 2025 Hacked Passwords Report from research team Specops Software is as disturbing as it is new. Published on January 21, the report is an analysis of more than a billion passwords that have been stolen by malware. Yes, you read that right: a billion compromised credentials. To say that this figure should concern everyone, consumers and organizations, is perhaps the understatement of the year so far. "Even if your organization's password policy is strong and meets compliance standards, it doesn't protect passwords from being stolen by malware," said Darren James, senior product manager at Specops Software. In fact, James continued, Specops researchers have seen "numerous stolen passwords in this dataset" that exceed the length and complexity requirements set by many cybersecurity policies and regulations. Add to this the reuse of passwords and it is no surprise that the situation is not only scary, but also extremely dangerous when it comes to account compromises.
A total of 1,089,342,532 stolen passwords captured over a 12-month period were analyzed for this report. In 2024, Specops' threat intelligence team collected data on malware-stolen credentials, which was then meticulously analyzed to provide insight into how users choose and abuse passwords. "By examining real-world password data and analyzing the techniques used by attackers," the researchers said, "we hope to provide insights and recommendations to improve your security protocols and protect against the threat of malware-stolen credentials."
How Threat Actors Use Malware to Steal Passwords – An Analysis
There are cybercriminals and hackers, and then there are initial access brokers. This particular category of threat actor specializes in trading stolen credentials, including passwords that hackers then use to gain initial access, as the name suggests, to targeted networks or accounts. But where do these initial access brokers get the passwords? Good question, and the answer, more often than not, is low-level threat actors who use malware, especially information stealers, to get them. "Understanding how information thieves operate can help you develop best security practices and defenses against them," the Specops analysis said. "It's important to keep your software up-to-date, use strong and unique passwords, and use multi-factor authentication where possible."
The password stealer malware attack flow can be shown as follows.
Infection: Information stealers can infect a system through various means, such as phishing emails, malicious downloads, or by exploiting vulnerabilities in software.
Persistence: To ensure that they can continue to collect data over time, information stealers often create persistence mechanisms, such as malicious registry entries, system file modifications, or even adding themselves to the startup process.
Evasion: To avoid detection, information stealers can use code obfuscation, compression, secret communications and rootkits to hide in the system.
Execution: Information stealers can be programmed to execute at specific times or under certain conditions to avoid suspicion. "For example," the report says, "they can be activated only when the user is not actively using the computer."
Analysis of a Billion Compromised Passwords
The Specops researchers said that of the more than a billion compromised passwords analyzed, 230 million actually met the standard complexity requirements found in many organizations and used by many consumers. If you need proof that these requirements are past their sell-by date, here it is. A password with more than eight characters, including a capital letter, a number, a special character, etc., is not suitable for its intended use. In fact, to further emphasize this point, the analysis found more than 350 million passwords longer than 10 characters in the dataset; 92 million of them were 12 characters. Credential length isn't everything, although "long and strong" remains a valid motto when it comes to password construction, the researchers say. In general, we recommend using a unique 20-character password randomly generated with a password manager.
"Crackers favor credentials stolen by malware because they are easy to obtain, use, and sell," the researchers said, with the most common malware used to steal information being Redline, Vidar, and Raccoon Stealer. The report itself goes into great depth on this topic and is well worth reading.
The real takeaway from the analysis, in my humble opinion, is that malware is one of the main reasons why reusing your passwords is so dangerous. I've already mentioned password managers, and now I'd recommend that all consumers download one of the major players in the industry, like 1Password or Bitwarden, and use that app to do a security check on their passwords. Make sure all your passwords are unique and strong, replace any that are reused, and do so urgently, unless you want to find yourself added to the list of a billion stolen passwords.
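The point made above, that a password can satisfy a complexity policy and still be unsafe, shown as an added example that is not from the Specops report or the original article: a small Python audit that checks each stored password against a list of known-compromised hashes and for reuse, and generates a 20-character random replacement. The account names, passwords and compromised list are constructed sample data, and the function names are this example's own.

```python
import hashlib
import secrets
import string
from collections import Counter

def meets_complexity(pw):
    """Policy the article describes: more than eight characters with a capital, a number and a special character."""
    return (len(pw) > 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def sha1_hex(pw):
    # SHA-1 is only a lookup key into the compromised list, not a storage hash.
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()

def audit(vault, compromised_hashes):
    """Map each account to its findings; an empty list means no issue found."""
    uses = Counter(vault.values())
    findings = {}
    for account, pw in vault.items():
        issues = []
        if not meets_complexity(pw):
            issues.append("fails-complexity")
        if sha1_hex(pw) in compromised_hashes:
            issues.append("compromised")
        if uses[pw] > 1:
            issues.append("reused")
        findings[account] = issues
    return findings

def generate_password(length=20):
    """Random password from the OS CSPRNG, as a password manager would create."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample data: a stand-in compromised list and a small vault.
COMPROMISED = {sha1_hex(p) for p in ("Summer2024!x", "Qwerty123456!")}
VAULT = {
    "mail.example": "Summer2024!x",    # passes policy, compromised, reused
    "shop.example": "Summer2024!x",
    "bank.example": "Qwerty123456!",   # passes policy, compromised
    "forum.example": "kittens",        # fails policy, not in the list
    "vpn.example": generate_password(),
}

if __name__ == "__main__":
    for account, issues in audit(VAULT, COMPROMISED).items():
        print(f"{account:15} {', '.join(issues) or 'ok'}")
```

The randomly generated password will occasionally lack a digit and be reported as failing the complexity rule, which is one more sign that the rule measures the wrong property.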