Security Alert Issued After Billions of Passwords Stolen

Started by bosman, 2025-01-22 09:23

This article, originally published on January 21, has been updated with additional technical information and analysis of how malicious actors use malware to steal passwords.
It seems that despite the shift in how passwords are adopted and used, passwords are once again making headlines for all the wrong reasons. Whether it's a new list of hacked passwords that you should change immediately if they're used on any of your accounts, or a critical password theft threat hiding in plain sight in your email, a spotlight is shining on password insecurity. A new security alert has been issued after researchers confirmed that malware has stolen more than a billion passwords. Here's what you need to know.
1 Billion Passwords Stolen by Malware
The 2025 Hacked Passwords Report from the research team at Specops Software is as disturbing as it is new. Published on January 21, the report is an analysis of more than a billion passwords that have been stolen by malware. Yes, you read that right: a billion compromised credentials. To say that this figure should concern everyone, consumers and organizations alike, is perhaps the understatement of the year so far. "Even if your organization's password policy is strong and meets compliance standards, it doesn't protect passwords from being stolen by malware," said Darren James, senior product manager at Specops Software. In fact, James continued, Specops researchers have seen "numerous stolen passwords in this dataset" that exceed the length and complexity requirements set by many cybersecurity policies and regulations. Add password reuse to this and it is no surprise that the situation is not only scary but also extremely dangerous when it comes to account compromise.
A total of 1,089,342,532 stolen passwords captured over a 12-month period were analyzed for this report. In 2024, Specops' threat intelligence team collected data on malware-stolen credentials, which was then meticulously analyzed to provide insight into how users choose and abuse passwords. "By examining real-world password data and analyzing the techniques used by attackers," the researchers said, "we hope to provide insights and recommendations to improve your security protocols and protect against the threat of malware-stolen credentials."
How Threat Actors Use Malware to Steal Passwords – An Analysis
There are cybercriminals and hackers, and then there are initial access brokers. This particular category of threat actor specializes in trading stolen credentials, including passwords that are then used by hackers to gain initial access, as the name suggests, to targeted networks or accounts. But where do these initial access brokers get the passwords? Good question, and the answer is that, more often than not, low-level threat actors use malware, especially information stealers (infostealers), to obtain them. "Understanding how infostealers operate can help you develop best security practices and defenses against them," the Specops analysis said. "It's important to keep your software up-to-date, use strong and unique passwords, and use multi-factor authentication where possible."
The password stealer malware attack flow can be summarized as follows.
Infection: Infostealers can infect a system through various means, such as phishing emails, malicious downloads, or by exploiting vulnerabilities in software.
Persistence: To ensure that they can continue to collect data over time, infostealers often create persistence mechanisms, such as malicious registry entries, system file modifications, or even adding themselves to the startup process.
Evasion: To avoid detection, infostealers can use code obfuscation, compression, covert communications and rootkits to hide in the system.
Execution: Infostealers can be programmed to execute at specific times or under certain conditions to avoid suspicion. "For example," the report says, "they can be activated only when the user is not actively using the computer."
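The persistence stage above (registry run entries and startup-folder additions) is where a defender has a good chance of spotting an infostealer. The following is an added example, not code from the Specops report or from this article: it runs a few simple heuristics over a constructed list of autorun entries, of the kind a host inventory or an autoruns export would give you. All paths, value names and commands in the sample are made up for the example, and the detection rules are assumptions about what a suspicious entry commonly looks like, not a complete signature set.

```python
import re

# Constructed sample of autorun entries (registry Run values and a Startup
# folder item). Names and paths are invented for this example.
SAMPLE_AUTORUNS = [
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater",
     "command": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"location": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "name": "report.lnk",
     "command": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\report.vbs"'},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Helper",
     "command": r"powershell.exe -w hidden -enc SQBFAFgA..."},
]

# Heuristics (assumed, not exhaustive): long-lived autoruns rarely live in
# temporary or download directories, rarely need a script host, and rarely
# need a hidden window or an encoded command line.
USER_WRITABLE_DIRS = re.compile(r"\\(Temp|Downloads|Public)\\", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(
    r"\b(wscript|cscript|mshta|powershell|pwsh|regsvr32|rundll32)(\.exe)?\b",
    re.IGNORECASE)
HIDDEN_OR_ENCODED = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s)", re.IGNORECASE)
# Binaries with these names belong under System32; the same name elsewhere
# is a classic masquerade.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def first_executable(cmd: str) -> str:
    """Return the basename of the program a command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        head = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        head = parts[0] if parts else ""
    return head.replace("/", "\\").rsplit("\\", 1)[-1]


def reasons_for(entry: dict) -> list:
    """List the heuristics an autorun entry trips; empty means nothing odd."""
    cmd = entry["command"]
    reasons = []
    if USER_WRITABLE_DIRS.search(cmd):
        reasons.append("runs from a user-writable/temporary directory")
    if SCRIPT_HOSTS.search(cmd):
        reasons.append("launches a script host or LOLBin")
    if HIDDEN_OR_ENCODED.search(cmd):
        reasons.append("hidden window or encoded command")
    exe = first_executable(cmd).lower()
    if exe in SYSTEM_NAMES and "\\system32\\" not in cmd.lower():
        reasons.append("system binary name outside System32")
    return reasons


def find_suspicious_autoruns(entries: list) -> dict:
    """Map each flagged entry name to the reasons it was flagged."""
    flagged = {}
    for entry in entries:
        reasons = reasons_for(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in find_suspicious_autoruns(SAMPLE_AUTORUNS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the constructed sample this flags the Temp-resident svchost.exe, the Startup-folder script launcher and the hidden encoded PowerShell entry, while leaving the legitimate System32 and OneDrive entries alone. In practice you would feed it real autorun inventories and treat a hit as something to triage, not as proof of infection.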
Analysis of a Billion Compromised Passwords
The Specops researchers said that of the more than a billion compromised passwords analyzed, 230 million actually met the standard complexity requirements found in many organizations and used by many consumers. If you need proof that such rules are past their sell-by date, here it is. A password with more than eight characters, including a capital letter, a number, a special character and so on, is not by itself fit for its intended purpose. To further emphasize this point, the analysis found more than 350 million passwords longer than 10 characters in the dataset; 92 million of them were 12 characters. Credential length isn't everything, although "long and strong" remains a valid motto when it comes to password construction, the researchers say. In general, we recommend using a unique 20-character password randomly generated with a password manager.
"Crackers favor credentials stolen by malware because they are easy to obtain, use, and sell," the researchers said, with the most common malware used to steal information being Redline, Vidar, and Raccoon Stealer. The report itself goes into great depth on this topic and is well worth reading.
The real takeaway from the analysis, in my humble opinion, is that malware is one of the main reasons why reusing your passwords is so dangerous. I've already mentioned password managers, and now I'd recommend that all consumers download one of the major players in the industry, like 1Password or Bitwarden, and use that app to do a security check on their passwords. Make sure all your passwords are unique and strong, replace any that are reused, and do so urgently, unless you want to find yourself added to the list of a billion stolen passwords.
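The analysis above makes two points worth seeing in code: a password can satisfy a typical complexity policy and still be in a stolen-credential dump, and reuse of one password across sites is what turns a single infection into several account compromises. The following is an added example, not code from Specops or from this article. It runs the same kind of tally the report describes (policy compliance, length distribution, reuse) over a small constructed sample of (account, site, password) records, and generates a random 20-character password of the sort the article recommends. The records are invented for the example; the policy rule (at least 8 characters with upper, lower, digit and special) is an assumption standing in for "standard complexity requirements".

```python
import secrets
import string
from collections import defaultdict

# Constructed sample standing in for a slice of a malware-stolen credential
# dump. Every row here is made up; none comes from the Specops dataset.
SAMPLE_CREDENTIALS = [
    ("alice@example.com", "shop.example", "Summer2024!"),
    ("alice@example.com", "mail.example", "Summer2024!"),   # same password, second site
    ("bob@example.com",   "bank.example", "P@ssw0rd"),
    ("carol@example.com", "shop.example", "Welcome123$$"),
    ("dave@example.com",  "forum.example", "hunter2"),
    ("erin@example.com",  "mail.example", "correct horse battery staple"),
    ("frank@example.com", "shop.example", "Qwerty!2025"),
    ("frank@example.com", "mail.example", "frank1990"),
]

SPECIAL = set(string.punctuation)


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Assumed policy: minimum length plus upper, lower, digit and special."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIAL for c in pw))


def analyze(records) -> dict:
    """Summarize a list of (account, site, password) tuples the way a breach
    report would: policy-compliant share, length buckets, and reuse."""
    unique = {pw for _, _, pw in records}
    # Which sites each (account, password) pair was captured on.
    sites = defaultdict(set)
    for account, site, pw in records:
        sites[(account, pw)].add(site)
    reused = sorted({account for (account, _), s in sites.items() if len(s) > 1})
    return {
        "records": len(records),
        "unique_passwords": len(unique),
        "policy_compliant": sum(meets_complexity(pw) for pw in unique),
        "longer_than_10": sum(len(pw) > 10 for pw in unique),
        "at_least_12": sum(len(pw) >= 12 for pw in unique),
        "accounts_reusing": reused,
    }


def generate_password(length: int = 20) -> str:
    """Random password from the full printable alphabet, regenerated until it
    also satisfies the assumed policy so it can replace a stolen one anywhere."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(pw):
            return pw


if __name__ == "__main__":
    summary = analyze(SAMPLE_CREDENTIALS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("replacement:", generate_password())
```

On the constructed sample, four of the seven distinct passwords pass the policy yet all of them are in the dump, which is the report's point about compliant passwords being stolen just the same; the reuse check picks out the one account that used a single password on two sites, the case the article's "replace any that are reused" advice is aimed at.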