Billions of Passwords Are Being Stolen Right Now — And Most People Have No Idea How

The biggest threat to your accounts right now isn't a massive new hack. It's infostealer malware — silent software that harvests your passwords in seconds and sells them for $10 on the dark web.

Last year, headlines announced that 16 billion passwords had been leaked from platforms including Google, Apple, and Facebook. The number was alarming. It was also misleading.

Security researchers at BleepingComputer quickly clarified that this was not a new breach of those platforms. It was a compiled dataset — a massive aggregation of credentials stolen over many years from hundreds of different services, assembled into one place and circulating among cybercriminals. None of the named platforms had been newly compromised.

The clarification matters. Not because the threat is smaller than the headline suggested — it isn't — but because understanding what is actually happening is the only way to protect yourself against it.

The real story is infostealer malware. And it is considerably more serious than a recycled credential dump.


What Infostealer Malware Actually Is

An infostealer is a category of malware with one purpose: to silently extract credentials, browser cookies, saved passwords, and authentication tokens from an infected device, then transmit everything to a remote server controlled by criminals — usually within minutes of infection, often without any visible sign that anything has happened.

According to Pen Test Partners, in 2025 infostealers became the fastest-growing malware category, overtaking ransomware in deployment and spread. The most prevalent families — Lumma Stealer, RedLine, StealC, and Vidar — are all available as malware-as-a-service. Anyone can rent access for between $250 and $1,000 per month and receive a dashboard, automatic updates, and support. The U.S. Department of Justice and FBI, working with Microsoft, seized 2,300 domains associated with the Lumma Stealer operation in May 2025. Parts of the infrastructure survived the takedown and the operation resumed activity within weeks — underscoring how resilient this ecosystem has become.


How Your Device Gets Infected

The infection methods that delivered the most infostealers in 2025 do not rely on sophisticated exploits. They rely on normal user behavior.

Fake software downloads — pirated software, free versions of paid tools, game cheats, and key generators are among the most common delivery mechanisms. The download appears to work as expected. The infostealer installs silently alongside it.

Malicious search advertisements — attackers purchase search ads for popular software names, directing users to convincing lookalike download pages. The downloaded file installs the legitimate software and the infostealer simultaneously.

ClickFix attacks — a method that surged 517% in 2025. The user is shown a fake error message, CAPTCHA, or support page that instructs them to open a Terminal or PowerShell window and paste a command to "fix" a problem. The command installs the infostealer. The critical rule: no legitimate software, website, or support page will ever ask you to paste a command into a Terminal or PowerShell prompt. If any site asks you to do this — regardless of how official it looks — close it immediately.

Fake software updates — popups claiming a browser, media player, or system component needs updating, delivering malware instead.

Pen Test Partners documented a macOS attack in 2025 where attackers used Google Ads and lookalike domains to redirect users to a fake Homebrew installer page visually indistinguishable from the legitimate one. The command on the page used a forced-copy button concealing a malicious payload appended after the legitimate command — meaning the user never saw what they were actually running.


What Gets Stolen and What Happens Next

Once an infostealer executes, it moves fast. A typical infostealer will harvest saved passwords from every browser on the device, session cookies that allow access to logged-in accounts without a password, cryptocurrency wallet details, saved credit card information, and credentials stored in unsecured password managers.

The stolen data is compiled into what criminals call a "log" — a package containing everything extracted from one infected device — then sold on cybercrime markets. KELA's 2025 infostealer report found that 330 million credentials were stolen from 4.3 million infected devices in 2024 alone. The top three infostealer strains — Lumma, StealC, and RedLine — accounted for over 75% of infected machines.

Verizon's 2025 Data Breach Investigations Report found that credentials stolen by infostealers played a role in 54% of ransomware incidents — meaning that for more than half of ransomware attacks against organizations, the initial access came from credentials harvested by malware on an employee's device, often a personal computer used for work.


Why Session Cookies Are More Dangerous Than Passwords

Most people understand the risk of a stolen password. Fewer understand the risk of a stolen session cookie — and infostealers harvest both.

When you log into a website, the server issues a session cookie to your browser. This cookie is what keeps you logged in — it proves to the server that you already authenticated. An infostealer that steals this cookie can use it to access your account from a different device without needing your password or your two-factor authentication code, because the session is already authenticated.

This is why enabling two-factor authentication, while still important, is not a complete defence against infostealer infections. If the malware runs while you are already logged in, it can take the session token directly.


Who Is Most at Risk

According to KELA's research, personal unshared computers are the most frequently infected category, representing 35.7% of all infostealer cases. The reason is consistent: personal devices typically lack the security controls that corporate IT enforces — endpoint detection, forced updates, multi-factor authentication, and monitoring.

The risk extends beyond individuals. In today's hybrid work environment, personal computers routinely contain corporate credentials. Around 90% of organizations that were breached in 2024 had their credentials available for sale on dark web marketplaces for just $10 to $15 per account.


What to Do

Be specific about where you download software. Download only from the official website of the developer, accessed directly — not through search results, not through links in emails or messages, not through third-party download aggregators. This eliminates the majority of infostealer delivery methods.

Do not follow paste-and-run instructions from websites. No legitimate software installer requires you to open a terminal and paste a command. Any site or popup asking you to do this should be closed immediately.

Use a dedicated password manager, not your browser. This distinction matters. Infostealers are specifically designed to dump passwords saved in browsers — Chrome, Edge, and Safari store credentials in locations that malware can access directly. A dedicated password manager like Bitwarden or 1Password encrypts its database separately, making it significantly harder for smash-and-grab malware to extract. Either way, using unique passwords for every service means a credential stolen from one account cannot be used elsewhere.

Enable two-factor authentication on critical accounts. Two-factor authentication does not protect against session cookie theft, but it protects against password-only attacks and provides an alert when someone attempts access with a correct password.

If you suspect infection, revoke all active sessions immediately. Changing your password alone is not enough — stolen session cookies remain valid even after a password change. Go to the security settings of your important accounts (Google, Apple, email, banking) and use the option to "sign out of all devices" or "revoke all active sessions." This invalidates any stolen cookies and forces every device to re-authenticate from scratch.
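The two points above (a stolen cookie is accepted without password or 2FA, and a password change alone does not kill it, but "sign out of all devices" does) as an added Python example; this is not code from the article or from any vendor it cites, and every name in it (SessionStore, login, request, revoke_all_sessions, the user "alice") is a constructed placeholder standing in for a real website's login backend.

```python
import hashlib
import secrets


class SessionStore:
    """Hypothetical server: a password table plus a cookie-token -> session table."""

    def __init__(self):
        self.passwords = {}  # user -> sha256 hex (illustrative; real systems use argon2/bcrypt)
        self.sessions = {}   # cookie token -> {"user": ..., "device": ...}

    def set_password(self, user, password):
        """Create or change a password. Note that self.sessions is untouched."""
        self.passwords[user] = hashlib.sha256(password.encode()).hexdigest()

    def login(self, user, password, second_factor_ok, device):
        """Password and 2FA are checked once, here; the reward is a long-lived cookie."""
        if self.passwords.get(user) != hashlib.sha256(password.encode()).hexdigest():
            return None
        if not second_factor_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device": device}
        return token

    def request(self, token, device):
        """Later requests carry only the cookie. The server checks that the token
        exists; nothing tells it that the presenting device has changed."""
        rec = self.sessions.get(token)
        return rec["user"] if rec else None

    def revoke_all_sessions(self, user):
        """'Sign out of all devices': delete every token that belongs to the user."""
        for token in [t for t, r in self.sessions.items() if r["user"] == user]:
            del self.sessions[token]


def demo():
    """Walk the article's scenario. Returns (stolen cookie accepted,
    still accepted after password change, accepted after revoke-all)."""
    store = SessionStore()
    store.set_password("alice", "correct horse")
    cookie = store.login("alice", "correct horse", second_factor_ok=True, device="alice-laptop")
    # Constructed scenario: an infostealer has copied the cookie; it is replayed elsewhere.
    stolen_accepted = store.request(cookie, device="unknown-device") == "alice"
    store.set_password("alice", "new password")   # password change alone
    after_pw_change = store.request(cookie, device="unknown-device") == "alice"
    store.revoke_all_sessions("alice")            # "sign out of all devices"
    after_revoke = store.request(cookie, device="unknown-device") == "alice"
    return stolen_accepted, after_pw_change, after_revoke
```

Running `demo()` returns `(True, True, False)`: the replayed cookie works, still works after the password change, and only dies once every session is revoked, after which the user must log in again with password and 2FA.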

Keep software updated. Infostealers increasingly exploit outdated browser extensions, media players, and system components. Keeping software current removes known vulnerabilities from the attack surface.

Check Have I Been Pwned. The service maintains a database of known breach datasets and will alert you if your email address appears in new compilations.


The Bottom Line

The 16 billion password headline was not wrong — a dataset of that scale exists and circulates. But it was not a new breach. It was a symptom of a larger, ongoing problem: infostealers operating at industrial scale, infecting personal devices through convincing social engineering, and feeding a credential economy where your login details can be purchased for less than a coffee.

In 2025, infostealers became the fastest-growing malware category, overtaking ransomware in deployment and spread. The attacks do not require sophisticated technology. They require a user to do one thing that looks routine — click a link, download a file, paste a command.

Understanding how the infection happens is more useful than any specific number. The number changes. The method does not.