Security Alert Issued As 1 Billion Passwords Stolen By Malware—Act Now


It seems that, despite growing passkey adoption, passwords are in the news once more for all the wrong reasons. Whether it’s a new list of hacked passwords that you should change immediately if used on any of your accounts, or a critical password-stealing threat lurking stealthily in your email, a light is being shone upon the insecurity of passwords. Now a new security alert has been issued as researchers confirm that malware has stolen more than 1 billion passwords. Here’s what you need to know.


1 Billion Passwords Stolen By Malware

The 2025 Breached Password Report from the Specops Software research team is as worrying as it is new. Published Jan. 21, the report is an analysis of more than a billion passwords that have been stolen by malware. Yes, you read that right: one billion compromised credentials. To say that this number should be a concern to everyone, consumers and organizations alike, must surely qualify as the understatement of the year so far. “Even if your organization’s password policy is strong and meets compliance standards,” Darren James, senior product manager at Specops Software, said, “this won’t protect passwords from being stolen by malware.” In fact, James continued, Specops researchers have seen “many stolen passwords in this dataset” that exceed the length and complexity requirements established by numerous cybersecurity policies and regulations. A policy governs how a password is chosen; it does nothing once an infostealer lifts the plaintext from a browser’s saved logins or a clipboard. Throw password reuse into the mix, and it’s hardly a surprise that the situation is now not only frightening but critically dangerous as far as account compromises are concerned.

In total, 1,089,342,532 stolen passwords captured over a 12-month period were analyzed for this report.

Across 2024, the Specops threat intelligence team collected data on the theft of credentials by malware, data that was then meticulously analyzed to provide insight into how users are choosing and abusing passwords. “By examining real-world password data and analyzing the techniques used by attackers,” the researchers said, “we hope to provide you with actionable insights and recommendations to enhance your security protocols and protect against the threat of malware-stolen credentials.”


Analyzing 1 Billion Compromised Passwords

The Specops researchers said that, of the more than a billion compromised passwords analyzed, a staggering 230 million actually met the standard complexity requirements found in numerous organizations and used by many consumers. If proof is needed that these requirements are past their sell-by date, this is it. A password of eight or more characters with a capital, a numeral, a special character and so on is not, on its own, fit for purpose: complexity rules only shape how a password is constructed, and a stolen password is stolen regardless of how it was constructed. Indeed, to further emphasize this point, the analysis found more than 350 million passwords exceeding 10 characters in the dataset; 92 million of those were 12 characters in length. Size, when it comes to credentials, really isn’t everything—although, that said, “long and strong” remains a valid motto, the researchers said, when it comes to password construction. I usually recommend using a unique and randomly generated password of 20 characters using a password manager.

“Hackers favor malware-stolen credentials as they’re easy to obtain, use, and sell,” the researchers said, with the most commonly used information-stealing malware found to be Redline, Vidar and Raccoon Stealer. The report itself goes into more depth on this and is well worth a read. The real takeaway from the analysis, in my never humble opinion, is that malware is one of the main reasons that reusing your passwords is so dangerous: one stolen credential unlocks every account it was reused on. I’ve already mentioned password managers in passing, and now I’m going to advise that all consumers download one of the leading players in this space such as 1Password or Bitwarden and use that application to do a security audit of their passwords. Ensure all your passwords are unique and strong, replace any that have been reused or appear in a breach dataset, and do so as a matter of some urgency unless you want to find yourself added to the 1 billion stolen passwords list.
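The two findings above, that complexity-compliant passwords still turn up in the stolen set and that reuse turns one theft into many account takeovers, are easy to see in a small audit script. The following is an added example written for this page, not code from Specops or from any password manager. It assumes a hypothetical vault export in the shape of a list of site/username/password records, a constructed stand-in for a compromised-credential dataset stored as upper-case SHA-1 digests (the plaintexts are invented here and are not taken from the report), and a lookup that mimics the k-anonymity range query used by breach-checking services, where only a five-character hash prefix leaves the client and the suffix match is done locally.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample password-manager export (hypothetical accounts, not real data).
VAULT = [
    {"site": "mail.example",  "username": "alice", "password": "Winter2024!Secure"},
    {"site": "bank.example",  "username": "alice", "password": "Winter2024!Secure"},
    {"site": "shop.example",  "username": "alice", "password": "Xk9#vL2$pQ7!mN4wRt8z"},
    {"site": "forum.example", "username": "alice", "password": "password1"},
]

# Constructed stand-in for a malware-stolen credential dataset, stored as upper-case
# SHA-1 hex digests the way range-query breach APIs publish them. The plaintexts
# here are invented for the example; none of them comes from the Specops report.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Winter2024!Secure", "password1", "Summer2023#")
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def meets_complexity(password: str, min_len: int = 8) -> bool:
    """A typical compliance-style rule: at least min_len characters plus one
    upper-case letter, one lower-case letter, one digit and one symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= min_len and all(re.search(c, password) for c in classes)


def k_anonymity_lookup(password: str, breached_hashes: set) -> bool:
    """Check a password against the dataset the way a range API is queried:
    only the first five hex characters of the hash leave the client, the
    server returns every suffix under that prefix, and the match is made
    locally. Here the 'server side' is the in-memory set above."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    suffixes_for_prefix = {h[5:] for h in breached_hashes if h.startswith(prefix)}
    return suffix in suffixes_for_prefix


def audit(vault: list, breached_hashes: set) -> list:
    """Return one finding per vault entry: policy compliance, whether the
    password appears in the stolen set, and where else it is reused."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])

    findings = []
    for entry in vault:
        pw = entry["password"]
        findings.append({
            "site": entry["site"],
            "meets_complexity": meets_complexity(pw),
            "compromised": k_anonymity_lookup(pw, breached_hashes),
            "reused_on": [s for s in sites_by_password[pw] if s != entry["site"]],
        })
    return findings


def summarize(findings: list) -> dict:
    """Counts that mirror the report's framing: how many stolen passwords
    would still have passed a complexity policy, and how many are reused."""
    return {
        "total": len(findings),
        "compromised": sum(f["compromised"] for f in findings),
        "compliant_but_compromised": sum(
            f["compromised"] and f["meets_complexity"] for f in findings),
        "reused": sum(bool(f["reused_on"]) for f in findings),
    }


if __name__ == "__main__":
    results = audit(VAULT, COMPROMISED_SHA1)
    for f in results:
        flags = []
        if f["compromised"]:
            flags.append("STOLEN")
        if f["reused_on"]:
            flags.append("reused on " + ", ".join(f["reused_on"]))
        policy = "passes policy" if f["meets_complexity"] else "fails policy"
        print(f'{f["site"]:<14} {policy:<14} {"; ".join(flags) or "ok"}')
    print(summarize(results))
```

Run against the sample vault, the 17-character "Winter2024!Secure" passes the complexity rule on every count and is still flagged as stolen on both sites it protects, which is exactly the 230-million-passwords point; the 20-character random string passes and is clean; the reuse column shows why one infostealer hit on the mail account would also hand over the bank login. Against a real service the in-memory set would be replaced by the range-API response for the prefix, and the SHA-1 here is only the lookup key format those services use, not a recommendation for storing passwords.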
