3.9 Billion Passwords Stolen—What You Need To Know

By Davey Winder, Senior Contributor. Feb 23, 2025, 07:35am

Considering just how many infostealer malware warnings have been issued recently, from macOS-specific threats, to those targeting a broad sweep of Gmail and Outlook email users, there can be little doubting that cybercrime actors are coming for your passwords. Now the true reach of the infostealer malware threat has been laid bare by a threat intelligence agency which specializes in leveraging dark web data, and the picture it paints is a scary one. Here’s what you need to know.

Infostealers Behind 3.9 Billion Stolen Passwords Shared By Hackers

More than 4.3 million machines were infected by infostealer malware across 2024, responsible for an astonishing 330 million credentials being compromised, according to the latest KELA state of cybercrime report, published Feb. 20. And if you thought that was a shocking number, I hope you are sitting down as it gets even worse. The KELA analysts said they had observed 3.9 billion passwords “shared in the form of credentials lists that appear to be sourced from infostealer logs.” Just three strains of this insidious malware threat, Lumma, StealC, and Redline, were responsible for 75% of all infected systems. “Underground economies, from malware-as-a-service to stolen credential marketplaces, contributed to a powerful infrastructure supporting a range of malicious activities,” David Carmiel, CEO at threat intelligence analysts KELA, said.

Malicious activity that includes the likes of both ransomware attacks and espionage campaigns. “Infostealers’ appeal,” the report suggested, “lies in their efficiency and scalability, enabling attackers to compromise large volumes of accounts, both personal and corporate.” By doing so, this particular malware menace becomes something of a self-fulfilling password theft prophecy, with lists of compromised credentials being sold on underground criminal marketplaces that are used to aid further attack campaigns and garner more credentials that can be sold and so on. Almost 40% of the infected machines to be found within KELA’s “data lake” included credentials for sensitive corporate systems such as content management systems, email, Active Directory
Federation Services, and remote desktop. In all, accounting for nearly 1.7 million bots and 7.5 million compromised credentials. “Based on KELA’s analysis,” the report stated, “the dataset primarily (almost 65%) contained personal computers that had corporate credentials saved on them and thus obtained by infostealer malware.”

To help mitigate the threat from infostealer malware, KELA recommended that multi-factor authentication be implemented across all accounts, critical systems isolated to limit the opportunity for lateral movement by attackers, and advanced email filtering solutions deployed to prevent phishing attempts. If you value your accounts and your data, then you better take action sooner rather than later. The threat actors certainly aren’t waiting and KELA analysts only expect the infostealer threat to your passwords to increase during 2025.

The AI Threat To Your Passwords

Ever since a story about an AI-powered hack targeting Gmail users that was published here at forbes.com Oct. 13, 2024, went viral, there has been no doubting the real-world threat that AI poses to your passwords. Now, Ignas Valancius, the head of engineering at password manager NordPass, has warned that while weak passwords can be cracked in just a matter of seconds, AI can “crack even stronger ones in the same amount of time.” Large language models can and will, Valancius said in an email conversation, “be used to brute force passwords and organize dictionary attacks more often.”

Advising that we should all be mindful that the time it takes to guess, socially engineer, or just go nuclear and brute force passwords is going to drop dramatically across 2025 due to the use of AI tools, Valancius said, “I’m not saying that super long, random 18-character passwords are at immediate risk. But shorter ones – they could be in danger. This is why it’s vital to make sure you look after your passwords properly, and that includes everything from their creation to their management and use.

Valancius recommended the following when it comes to password hygiene:

The longer it is, the better. Just be sure not to use your name or other personal information.

Since long random passwords are very hard to remember, creating a passphrase might be a good workaround.

Use different passwords for different accounts and never reuse them.

Another option is switching to passkeys. They combine biometric verification with cryptographic keys, offering a safer and more convenient alternative to passwords.

This story was originally featured on Forbes.com

Davey Winder

Senior Contributor | Cybersecurity

Follow me on Twitter or LinkedIn. Check out my website or some of my other work here. 

Davey has spent more than 30 years as a freelance technology journalist. The author of 25 published books, Davey’s work has appeared in The Times, The Sunday Times, The Guardian, The Observer, PC Pro, The Register, Infosecurity Magazine, SC Magazine, IT Pro and TechFinitive to name but a very few. 

Along the way, he has picked up a bunch of awards from his peers, including:

‘Most Educational Content’ (2021 European Blogger of the Year Awards) – ‘Cyber Writer of the Year’ (2020 Security Serious Awards) – ‘Enigma Award’ (2011 BT Security Awards)  – ‘Security Journalist of the Year’ (2010 BT Security Awards) – ‘Security Journalist of the Year’ (2008 BT Security Awards) – ‘Security Journalist of the Year’ (2006 BT Security Awards) – ‘Technology Journalist of the Year’ (1996 BT Technology Journalism Awards)