Update, Feb. 23, 2025: This story, originally published Feb. 22, has been updated with a new warning from the head of engineering at NordPass about how AI is coming for your passwords next and how to protect against the threat.
Considering just how many infostealer malware warnings have been issued recently, from macOS-specific threats, to those targeting a broad sweep of Gmail and Outlook email users, there can be little doubting that cybercrime actors are coming for your passwords. Now the true reach of the infostealer malware threat has been laid bare by a threat intelligence agency which specializes in leveraging dark web data, and the picture it paints is a scary one. Here’s what you need to know.
Infostealers Behind 3.9 Billion Stolen Passwords Shared By Hackers
More than 4.3 million machines were infected by infostealer malware across 2024, responsible for an astonishing 330 million credentials being compromised, according to the latest KELA state of cybercrime report, published Feb. 20. And if you thought that was a shocking number, I hope you are sitting down as it gets even worse. The KELA analysts said they had observed 3.9 billion passwords “shared in the form of credentials lists that appear to be sourced from infostealer logs.” Just three strains of this insidious malware threat, Lumma, StealC, and Redline, were responsible for 75% of all infected systems. “Underground economies, from malware-as-a-service to stolen credential marketplaces, contributed to a powerful infrastructure supporting a range of malicious activities,” David Carmiel, CEO at threat intelligence analysts KELA, said.
Malicious activity that includes the likes of both ransomware attacks and espionage campaigns. “Infostealers’ appeal,” the report suggested, “lies in their efficiency and scalability, enabling attackers to compromise large volumes of accounts, both personal and corporate.” By doing so, this particular malware menace becomes something of a self-fulfilling password theft prophecy, with lists of compromised credentials being sold on underground criminal marketplaces that are used to aid further attack campaigns and garner more credentials that can be sold and so on. Almost 40% of the infected machines to be found within KELA’s “data lake” included credentials for sensitive corporate systems such as content management systems, email, Active Directory
Federation Services, and remote desktop. In all, accounting for nearly 1.7 million bots and 7.5 million compromised credentials. “Based on KELA’s analysis,” the report stated, “the dataset primarily (almost 65%) contained personal computers that had corporate credentials saved on them and thus obtained by infostealer malware.”
To help mitigate the threat from infostealer malware, KELA recommended that multi-factor authentication be implemented across all accounts, critical systems isolated to limit the opportunity for lateral movement by attackers, and advanced email filtering solutions deployed to prevent phishing attempts. If you value your accounts and your data, then you better take action sooner rather than later. The threat actors certainly aren’t waiting and KELA analysts only expect the infostealer threat to your passwords to increase during 2025.
The AI Threat To Your Passwords
Ever since a story about an AI-powered hack targeting Gmail users that was published here at forbes.com Oct. 13, 2024, went viral, there has been no doubting the real-world threat that AI poses to your passwords. Now, Ignas Valancius, the head of engineering at password manager NordPass, has warned that while weak passwords can be cracked in just a matter of seconds, AI can “crack even stronger ones in the same amount of time.” Large language models can and will, Valancius said in an email conversation, “be used to brute force passwords and organize dictionary attacks more often.”
Advising that we should all be mindful that the time it takes to guess, socially engineer, or just go nuclear and brute force passwords is going to drop dramatically across 2025 due to the use of AI tools, Valancius said, “I’m not saying that super long, random 18-character passwords are at immediate risk. But shorter ones – they could be in danger. This is why it’s vital to make sure you look after your passwords properly, and that includes everything from their creation to their management and use.
Valancius recommended the following when it comes to password hygiene:
The longer it is, the better. Just be sure not to use your name or other personal information.
Since long random passwords are very hard to remember, creating a passphrase might be a good workaround.
Use different passwords for different accounts and never reuse them.
Another option is switching to passkeys. They combine biometric verification with cryptographic keys, offering a safer and more convenient alternative to passwords.
