This article includes additional technical details and analysis explaining how cybercriminals use malware to steal passwords.
Despite the growing adoption of passkeys, passwords are making headlines again for all the wrong reasons. From fresh lists of compromised passwords that require immediate action to critical malware threats silently stealing login credentials from your email, the spotlight is firmly on password vulnerabilities.
A recent security alert has raised significant concerns, as researchers have confirmed that more than 1 billion passwords have been stolen by malware. Here’s everything you need to know about this alarming development and how to protect yourself.
This event highlights the need for people and organizations to use better security measures. Using unique passwords and turning on multi-factor authentication can help protect important information.
1 Billion Passwords Stolen By Malware
The 2025 Breached Password Report from the Specops Software research team brings alarming news. Released on January 21, the report analyzes over a billion passwords stolen through malware. That’s right—more than one billion compromised credentials. Calling this a cause for concern for individuals and organizations would be an understatement.
Darren James, senior product manager at Specops Software, explained that even if an organization has a firm password policy that meets compliance standards, it cannot prevent malware from stealing passwords. James noted that the Specops team found “many stolen passwords in this dataset” that met or exceeded the length and complexity requirements of various cybersecurity policies and regulations.
When you factor in the common practice of reusing passwords, it’s no surprise that the situation has escalated from concerning to critically dangerous for account security.
The report analyzed a staggering 1,089,342,532 stolen passwords gathered over a 12-month period.
Throughout 2024, the Specops threat intelligence team tracked credential theft by malware and carefully studied the data to understand how users were creating and misusing passwords. The researchers explained, “By reviewing real-world password data and studying the methods attackers use, we aim to give you practical insights and recommendations to strengthen your security measures and defend against the risk of malware-stealing credentials.”
How Threat Actors Use Malware To Steal Passwords—An Analysis
Among cybercriminals and hackers, there’s a specific group known as initial access brokers. These threat actors focus on trading stolen credentials, including passwords, which hackers then use to gain initial access, as the name suggests, to targeted networks or accounts.
So, where do these brokers get the passwords? The answer often lies with lower-level threat actors who use malware, particularly infostealers, to harvest them.
“Knowing how infostealers work is important for improving security practices and defenses,” the Specops analysis said. “You should keep your software updated, use strong and unique passwords, and turn on multi-factor authentication whenever you can.”
An infostealer password attack can be broken down into the following steps:
- Infection: Infostealers get into a system in different ways, such as phishing emails, harmful downloads, or taking advantage of software flaws.
- Persistence: To maintain access and keep stealing data, infostealers often use methods such as making harmful changes to system files, adding themselves to startup programs, or creating malicious registry entries.
- Data Collection: Infostealers target sensitive information by accessing browsers (to extract saved passwords, cookies, and autofill data), email clients (to capture login credentials and other details), FTP clients, file systems, and clipboard data.
- Exfiltration: The stolen data is transferred to remote command and control servers using web protocols, email, or FTP servers.
- Evasion: To avoid detection, infostealers use techniques such as code obfuscation, compression, stealthy communication methods, and rootkits to remain hidden within the system.
- Execution: Infostealers can be designed to operate only under specific conditions or at scheduled times to minimize suspicion. For instance, the report noted, “they might activate only when the user is not actively using the computer.”
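The data-collection step above is where defenders get a usable signal: only the browser itself should normally open its own saved-login, cookie and autofill files. The following detection sketch is an added example, not taken from the Specops report; the event field names, the allowlist and the sample events are constructed assumptions.

```python
import ntpath  # parses Windows-style paths on any OS

# Browser profile files that hold saved logins, cookies and autofill data.
CREDENTIAL_STORES = {"login data", "cookies", "web data",
                     "logins.json", "key4.db", "cookies.sqlite"}
PROFILE_MARKERS = ("\\user data\\", "\\firefox\\profiles\\")

# Full image paths allowed to open those files (assumption: set per fleet).
# Matching the full path, not just the file name, catches a look-alike
# "chrome.exe" dropped somewhere else.
EXPECTED_READERS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}

# Constructed sample events; users and paths are hypothetical.
USER = r"C:\Users\alice\AppData"
EVENTS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object": USER + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": USER + r"\Local\Temp\invoice_viewer.exe",
     "object": USER + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": USER + r"\Local\Temp\chrome.exe",
     "object": USER + r"\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"},
    {"process": r"C:\Windows\System32\notepad.exe",
     "object": r"C:\Users\alice\Documents\cookies"},
]


def suspicious_store_access(events):
    """Return events where an unexpected process touched a credential store."""
    hits = []
    for ev in events:
        target = ev["object"].lower()
        in_profile = any(marker in target for marker in PROFILE_MARKERS)
        is_store = ntpath.basename(target) in CREDENTIAL_STORES
        if in_profile and is_store and ev["process"].lower() not in EXPECTED_READERS:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in suspicious_store_access(EVENTS):
        print("ALERT:", hit["process"], "->", hit["object"])
```

In practice the allowlist also needs entries for backup and endpoint-security agents that legitimately read profile directories.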
Analyzing 1 Billion Compromised Passwords
According to the Specops researchers, out of the billion compromised passwords analyzed, an astonishing 230 million met the standard complexity requirements commonly used by organizations and individuals. This shows how these old password rules are no longer enough. A password with more than eight characters, plus uppercase letters, numbers, and symbols, just doesn’t cut it anymore. The analysis also found that over 350 million passwords in the dataset were longer than 10 characters, and 92 million were 12 characters long.
This shows that length alone is not enough to guarantee security.
The researchers still stressed the need for “long and strong” passwords. They suggest using unique, randomly generated passwords that are at least 20 characters long, and storing them safely with a password manager.
“Hackers like using malware-stolen login details because they’re simple to get, use, and sell,” the researchers explained, pointing out that Redline, Vidar, and Raccoon Stealer are the most popular types of info-stealing malware. The report dives deeper into this subject and is definitely worth checking out.
The key takeaway from the analysis is that reusing passwords poses a significant security risk, especially in the context of malware. I strongly recommend using a password manager like 1Password or Bitwarden to mitigate this. These tools can help you perform a security audit of your passwords.
Ensure that all your passwords are unique and strong, and replace any that have been reused. Address this promptly to avoid becoming part of the 1 billion stolen passwords statistic.
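The audit recommended above can be sketched in a few lines. This is an added example, not code from the Specops report or from any password manager: it flags breached, reused and under-20-character entries and shows that a password passing the usual complexity rule can still be on a breached list. The vault contents, the breached set and all function names are constructed assumptions.

```python
import hashlib
import secrets
import string
from collections import defaultdict


def sha1_hex(password):
    # Hash used only as a lookup key, so plaintext is never compared directly.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def meets_complexity(password):
    """The rule the article calls outdated: >8 chars, upper, digit, symbol."""
    return (len(password) > 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def generate(length=20):
    """Random password from a CSPRNG, 20 characters by default."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(vault, breached_hashes, min_len=20):
    """Map each site to its issues: 'breached', 'reused', 'short'."""
    sites_by_hash = defaultdict(list)
    for site, password in vault.items():
        sites_by_hash[sha1_hex(password)].append(site)
    findings = {}
    for site, password in vault.items():
        digest = sha1_hex(password)
        issues = []
        if digest in breached_hashes:
            issues.append("breached")
        if len(sites_by_hash[digest]) > 1:
            issues.append("reused")
        if len(password) < min_len:
            issues.append("short")
        if issues:
            findings[site] = issues
    return findings


# Constructed sample data: one complexity-compliant password that is breached
# and reused, one weak password, and one freshly generated password.
BREACHED = {sha1_hex("Summer2024!x")}
VAULT = {"mail": "Summer2024!x", "bank": "Summer2024!x",
         "forum": "hunter2", "cloud": generate()}
```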