Experts sound alarm on infostealer malware after login details exposed

Cybercriminals have intensified their efforts to steal and sell online passwords, experts warn. The alarm comes after the discovery of online datasets containing billions of exposed account credentials. 

The 30 datasets comprised a whopping 16 billion login credentials across multiple platforms, including Apple, Google and Facebook, and were first reported by Cybernews researchers last week. 

The exposures were identified over the course of this year by Volodymyr Diachenko, co-founder of the cybersecurity consultancy Security Discovery, and are suspected to be the work of multiple parties.

“This is a collection of various data sets that appeared on my radar since the beginning of the year, but they all share a common structure of URLs, login details and passwords,” Diachenko told CNBC. 

According to Daichenko, all signs point to the leaked login information being the work of “infostealers” — malware that extracts sensitive data from devices, including usernames and passwords, credit card information and online browser data. 

While the lists of logins are likely to contain many duplicates as well as outdated and incorrect information, the overwhelming volume of findings puts into perspective how much sensitive data is circulating on the web. 

It should also raise alarms on how infostealers have become the “cyber plague” of today, Daichenko said. “Someone, somewhere, is having data exfiltrated from their machines as we speak.”

Daichenko was able to detect the exposed data because their owners had temporarily indexed them on the web without a password lock. Inadvertently shared data leaks are often caught by Security Discovery, but not at scales seen so far this year.

According to Simon Green, president of Asia-Pacific and Japan at Palo Alto Networks, the sheer scale of the 16 billion exposed credentials is alarming and certainly notable, but not entirely surprising for those on the front lines of cybersecurity. 

“Many modern infostealers are designed with advanced evasion techniques, allowing them to bypass traditional, signature-based security controls, making them harder to detect and stop,” he added.

Consequently, there’s been an uptick in high-profile infostealer attacks. For example, in March, Microsoft Threat Intelligence disclosed a malicious campaign using infostealers that had affected nearly 1 million devices globally. 

Infostealers typically gain access to victims’ devices by tricking them into downloading the malware, which can be hidden in everything from phishing emails to phony websites to search engine ads.

The motive behind infostealer attacks is usually financial, with attackers often looking to directly take over bank accounts, credit cards, and cryptocurrency wallets or commit identity fraud. 

Cybercriminals can use stolen credentials and other personal data for purposes such as crafting highly convincing, personalized phishing attacks and blackmailing individuals or organizations. 

According to Palo Alto’s Green, the scale and dangers of those types of infostealers have intensified, thanks to the growing prevalence of underground markets that offer “cybercrime-as-a-Service,” in which vendors charge customers for malicious tools, sensitive data and other illicit online services.

“Cyber crime-as-a-Service is the critical enabler here. It has fundamentally democratized cybercrime,” Green said.

Those underground markets — often hosted on the dark web — create demand for cybercriminals to steal personal information and then sell that to scammers. 

In that way, data breaches become about more than just the individual accounts — they represent a “vast, interconnected web of compromised identities” that can fuel subsequent attacks, Green said. 

According to Diachenko, it’s likely that at least some of the compromised login datasets he identified had or will be traded to online scammers. 

On top of that, malware kits and other resources that can help to facilitate infostealer attacks can be found on those markets. 

CNBC has reported on how the availability of those tools and services has significantly lowered technical barriers for aspiring criminals, allowing sophisticated attacks to be executed at a massive, global scale. 

The report found that infostealer attacks grew by 58% in 2024.

With the increasing prevalence of malware and online usage, it’s now fair to assume that most people will, at some point, come in contact with an infostealer threat, said Ismael Valenzuela, vice president of threat research and intelligence at cybersecurity company Arctic Wolf.

In addition to frequent password updates, individuals will need to be more alert about the increasing amount of malware hiding in illegitimate software, applications and other downloadable files, Valenzuela said. He added that the use of multi-factor authentication on accounts has become more important than ever.

From a corporate perspective, it’s important to adopt a “zero trust architecture” that not only constantly authenticates the user, but also authenticates the device and user’s behavior, he added.  

Governments have also been doing more to crack down on infostealing activities in recent months.

In May, Europol’s European Cybercrime Centre said it had collaborated with Microsoft and global authorities to disrupt the “Lumma” infostealer, which it called “the world’s most significant infostealer threat.”