
Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats. We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Redline, Vidar, and Raccoon Malware Stole 1 Billion Passwords in 2024

Summary:
Cybersecurity researchers at Specops have released a new report on a major password-related security issue. According to them, over 1 billion passwords were stolen by malware in 2024. Millions of the compromised passwords met standard password complexity requirements. Common base terms like “qwerty,” “guest,” and “student” are frequently used as password foundations. Redline, Vidar, and Raccoon Stealer emerged as the top three credential-stealing malware families, demonstrating the sophistication and persistence of their affiliates. These information stealers harvest credentials from a range of sources, including web browsers, email clients, and even VPN clients. Users often employ the same or slightly modified passwords across multiple accounts, including work, personal, and online services. This is a risky practice: reusing work passwords on personal devices and less secure platforms significantly increases the potential for compromise. Stolen credentials give attackers direct access to valuable data, including personal information, financial records, and corporate secrets, and they can compound into an onslaught of further attacks and persistence techniques.

Security Officer Comments:
As observed in this Specops report, millions of complex passwords being successfully exfiltrated in a year underscores that defenders and employees must assist each other in implementing additional security measures for sensitive credentials. Common weak passwords like “123456” and “admin” continue to plague systems, revealing a significant gap in user awareness and education. The Malware-as-a-Service cybercrime model is certainly a major factor in the volume of theft that occurred in 2024. The report highlights the issues defenders continue to face when combating the weak password practices that individual end users cling to despite the risks they pose. Reusing similar passwords across all accounts can lead to the compromise of systems that house sensitive data: attackers first obtain the passwords from accounts with weaker security, then credential-stuff those same passwords against the more sensitive systems to gain access.

Suggested Corrections:
Considering these dangerous implications, security experts recommend that organizations implement stronger password policies and regularly scan Active Directory for compromised passwords so they can be remediated immediately. Educating users about weak passwords and staying updated on threats and vulnerabilities to defend against emerging attacks is essential. Lastly, implement Multi-Factor Authentication (MFA) to add an extra layer of security beyond passwords.
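The summary above makes the point that a password can satisfy a standard complexity rule and still be built on a common base term ("qwerty", "student") or already sit in a breach corpus, and the corrections call for scanning directories against compromised-password data. The following is an added illustrative example, not code from the Specops report or the article, showing how a password-change check can layer a base-term test and a k-anonymity-style breached-hash lookup on top of the usual complexity rule. The base-term dictionary and the "breached" corpus here are constructed stand-ins; a real deployment would use a large dictionary and a real breached-password feed.

```python
"""Password checks an identity team could run at password-change time:
the standard complexity rule alongside a base-term check and a
breached-hash lookup. Added illustrative example; all lists below are
constructed, not real breach data."""
import hashlib
import re

# Base terms the report names as common password foundations, plus a few
# constructed extras. A real deployment would use a large dictionary.
COMMON_BASE_TERMS = {"qwerty", "guest", "student", "123456", "admin", "password", "welcome"}

# Leetspeak substitutions to undo before comparing against base terms.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw: str) -> bool:
    """Typical policy: 8+ characters with upper, lower, digit and symbol."""
    checks = [
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(checks)


def base_term(pw: str) -> str:
    """Strip leading/trailing digits and symbols, then undo leetspeak, so
    'Qwerty123!' and 'Stud3nt2024#' reduce to 'qwerty' and 'student'."""
    lowered = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    # An all-digit password such as '123456' strips to nothing; keep it whole.
    if not stripped:
        return lowered
    return stripped.translate(LEET)


def _hash_index(plaintexts):
    """Index SHA-1 hashes by their first five hex characters, the shape used
    by k-anonymity range lookups, so a check only needs the prefix."""
    index = {}
    for p in plaintexts:
        h = hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
        index.setdefault(h[:5], set()).add(h[5:])
    return index


# Constructed stand-in for a breached-password feed (not real breach data).
# SHA-1 is used because that is what such feeds publish; it is not a
# storage hash for passwords.
BREACHED_INDEX = _hash_index(["Summer2024!", "Welcome1!", "Passw0rd!", "Qwerty123!"])


def is_breached(pw: str) -> bool:
    """Range lookup: fetch the suffix set for the hash prefix, compare locally."""
    h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return h[5:] in BREACHED_INDEX.get(h[:5], set())


def evaluate(pw: str) -> dict:
    """Run all three checks; a password is acceptable only if it passes each."""
    term = base_term(pw)
    result = {
        "complexity": meets_complexity(pw),
        "base_term": term,
        "common_base": term in COMMON_BASE_TERMS,
        "breached": is_breached(pw),
    }
    result["acceptable"] = (
        result["complexity"] and not result["common_base"] and not result["breached"]
    )
    return result


if __name__ == "__main__":
    for candidate in ["Qwerty123!", "Stud3nt2024#", "123456", "Gr4vel-Wombat-Lamp-92"]:
        print(candidate, evaluate(candidate))
```

Running it shows the gap the report describes: "Qwerty123!" and "Stud3nt2024#" both satisfy the complexity rule yet are rejected because they reduce to a common base term (and the first is also in the constructed breach set), while a long passphrase with no dictionary foundation passes. The same prefix-index lookup is what a scheduled Active Directory scan would run over stored hashes.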

Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including credential stuffing and password spraying, with analysis by Microsoft suggesting that it would have stopped 99.9% of account compromises. As such, it should be implemented wherever possible; however, depending on the audience of the application, it may not be practical or feasible to enforce the use of MFA.

In order to balance security and usability, multi-factor authentication can be combined with other techniques so that the second factor is required only in specific circumstances where there is reason to suspect that the login attempt may not be legitimate, such as a login from:
  • A new browser/device or IP address.
  • An unusual country or location.
  • Specific countries that are considered untrusted.
  • An IP address that appears on known block lists.
  • An IP address that has tried to log in to multiple accounts.
  • A login attempt that appears to be scripted rather than manual.
Additionally, for enterprise applications, known trusted IP ranges could be added to an allow list so that MFA is not required when users connect from these ranges.
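The conditional-MFA policy described in the list above can be expressed as a small decision function. The following is an added example, not code from the article or from any MFA product: it takes a login attempt plus the user's history and returns whether step-up is required and why. The trusted ranges, block list, country codes and thresholds are constructed placeholders (documentation address ranges and a made-up country code), and the "scripted login" heuristic is a deliberately simple stand-in for a real bot-detection signal.

```python
"""Risk-based step-up: ask for a second factor only when a login carries
one of the suspicious signals listed on the page. Added illustrative
example; every address, country code and threshold below is constructed."""
from dataclasses import dataclass, field
import ipaddress

# Constructed policy data using documentation address ranges.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # enterprise office egress
UNTRUSTED_COUNTRIES = {"ZZ"}          # placeholder country code
BLOCKLISTED_IPS = {"198.51.100.77"}   # stand-in for a reputation feed
MULTI_ACCOUNT_THRESHOLD = 3           # distinct usernames tried from one IP
MIN_HUMAN_SUBMIT_MS = 300             # form filled faster than this looks scripted


@dataclass
class LoginAttempt:
    user: str
    ip: str
    country: str
    device_id: str
    user_agent: str
    submit_ms: int  # milliseconds between form render and submit


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


def looks_scripted(attempt: LoginAttempt) -> bool:
    """Crude heuristic: a non-browser client string or an inhumanly fast submit."""
    ua = attempt.user_agent.lower()
    return (not ua or "python" in ua or "curl" in ua
            or attempt.submit_ms < MIN_HUMAN_SUBMIT_MS)


def mfa_required(attempt: LoginAttempt, history: UserHistory, accounts_seen_from_ip: dict):
    """Return (require_mfa, reasons). accounts_seen_from_ip maps an IP to the
    set of usernames it has recently attempted."""
    addr = ipaddress.ip_address(attempt.ip)
    reasons = []

    # Hard signals are evaluated before the allow list, so a compromised
    # or abused office network cannot silently bypass MFA.
    if attempt.ip in BLOCKLISTED_IPS:
        reasons.append("ip on block list")
    if len(accounts_seen_from_ip.get(attempt.ip, set())) >= MULTI_ACCOUNT_THRESHOLD:
        reasons.append("ip tried multiple accounts")
    if looks_scripted(attempt):
        reasons.append("scripted login")
    if reasons:
        return True, reasons

    # Trusted enterprise range with no hard signal: password alone is enough.
    if any(addr in net for net in TRUSTED_RANGES):
        return False, ["trusted range"]

    # Soft signals: anything unfamiliar for this user triggers step-up.
    if attempt.device_id not in history.known_devices or attempt.ip not in history.known_ips:
        reasons.append("new device or ip")
    if attempt.country not in history.usual_countries:
        reasons.append("unusual country")
    if attempt.country in UNTRUSTED_COUNTRIES:
        reasons.append("untrusted country")
    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed history and traffic for one user.
    alice = UserHistory({"dev-1"}, {"192.0.2.10"}, {"US"})
    seen = {"198.51.100.77": {"alice", "bob", "carol"}}
    attempts = [
        LoginAttempt("alice", "192.0.2.10", "US", "dev-1", "Mozilla/5.0", 4000),
        LoginAttempt("alice", "198.51.100.5", "NL", "dev-9", "Mozilla/5.0", 4000),
        LoginAttempt("alice", "203.0.113.20", "US", "dev-9", "Mozilla/5.0", 4000),
        LoginAttempt("alice", "198.51.100.77", "US", "dev-1", "python-requests/2.31", 50),
    ]
    for a in attempts:
        print(a.ip, mfa_required(a, alice, seen))
```

The ordering is the design point: the block-list, multi-account and scripted-client checks run before the trusted-range allow list, so the enterprise exemption only removes the second factor for logins that carry no hard indicator, while a new device or an unfamiliar country still triggers step-up for everyone outside those ranges.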

Link(s):
https://hackread.com/redline-vidar-raccoon-malware-stole-1-billion-passwords-2024/

https://info.specopssoft.com/hubfs/whitepapers/2025_Breached-Password-Report_EN.pdf