Five infostealers publish hundreds of millions of passwords online. That passwords have reached their collective sell-by date is not new news. You only have to look at the growing threat from millions of devices infected by infostealer malware, threat actors employing automatic password hacking machines in attacks, and zero-day exploits specifically targeting Windows passwords, for proof of that.
Here’s the thing: even with two-factor authentication added to the login credentials mix, you are still not safe. 2FA bypass attacks, employing attacker-in-the-middle and session cookie stealing tactics, weaken even that defense. As if that all wasn’t worrying enough, I’m sorry to report that your password could already be compromised and available to hackers.
Here’s what you need to know, why you need to act now, and what action must be taken. Hackers don’t break in, they log in. This, I’m sad to say, has increasingly become the reality for threat actors today.
After all, why go to the trouble of finding vulnerabilities to exploit or using complex attack methodologies when there are readily available lists of compromised credentials out there to purchase? Heck, many of these lists are even available to download for free from criminal forums online. The culprit? The rise of infostealer malware. According to the latest IBM X-Force Threat Intelligence Index, published April 17, there has been an 84% increase in the number of infostealers being delivered by phishing emails per week.
As well as the phishing tactics, X-Force analysts said that other increasingly popular attack vectors include “SEO poisoning and Google Ads, drive-by attacks, and software supply chain compromises.” Early data for 2025, the X-Force report warned, has revealed an increase of 180% in the infostealer delivery threat compared to 2023. “This upward trend fueling follow-on account takeovers,” it stated, “may be attributed to attackers leveraging AI to create phishing emails at scale.”
What’s more, these are not just idle threats, for want of a better term. They are incredibly effective. In 2024, the X-Force report confirmed that some eight million adverts on the dark web and in criminal forums, each containing lists of hundreds of stolen credentials, were found in relation to the top five infostealer malware threats.
That’s at least 800 million passwords, likely more, listed online and represents just the tip of this nefarious cyber-iceberg. With the same threat actors that are distributing these lists of stolen passwords also selling custom adversary-in-the-middle attack services to bypass 2FA protections, according to the X-Force researchers, there is little doubt that you need to take action, and take it now. The good news is that it’s pretty easy to protect yourself against both threats, and highly effective once that protection is in place.
Better still, you get increased protection against criminal hackers while, at the same time, getting a more straightforward method of securely signing in to your accounts. It really is a win-win situation. So, what is the solution? Stop using passwords and use passkeys instead.
A Google spokesperson told me that its internal research has revealed “security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.” The same message can be heard in the advice that a Microsoft spokesperson provided. “We recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.”
Stop Using Your Password — 800 Million Stolen Passwords Listed Online

Your password could already be compromised — act now.