Advisory ID: NCC-CSIRT-2025-008
Summary:
Recent research by Cybernews has found about 30 leaked data collections containing nearly 16 billion stolen login details, the largest number ever recorded. Most of this information was gathered through infostealer malware (e.g., RedLine, Raccoon, Vidar, etc.), rather than through direct hacks of major companies. Although the data comes from many separate incidents, its massive size and recent nature make it a serious threat for large-scale misuse of login credentials.
Damage/Probability: HIGH/Critical
Product(s):
- Windows OS
- Web browsers
- Password managers
Version(s):
- Windows OS (all types and versions)
- Web browsers (all types and versions)
- Password managers (all types and versions)
Platform(s):
- Google (Gmail, Workspace)
- Apple (iCloud, Apple ID)
- Microsoft (Outlook, Office 365)
- Facebook / Meta
- GitHub
- Telegram
- Amazon
- Banking and fintech platforms
- Government (.gov) and enterprise accounts
Description:
Infostealer malware stole over 16 billion usernames, passwords, and session tokens from infected systems in a massive credential leak. Attackers delivered the malware through phishing emails, fake software installers, and malicious advertisements.
Once users executed the malware, it harvested the following from their systems:
- Credentials stored in browsers
- Session cookies and tokens, which can be replayed to bypass multi-factor authentication (MFA)
- Autofill and clipboard data
The attackers then exfiltrated the stolen data to servers they controlled and compiled it into large breach datasets. This data enables them to take over accounts, perform credential stuffing attacks, commit identity theft, and bypass MFA protections.
This incident does not stem from a vulnerability in a specific product. Instead, it results from a widespread malware campaign targeting endpoint users worldwide.
Consequences:
- Account takeover, session hijacking, and identity theft across widely used online platforms.
- Organizational risk due to the exposure of corporate and government email credentials.
- Data can be used for phishing, financial fraud, or business email compromise (BEC).
Solution:
A. Immediate Actions for All Users:
- Change all passwords, prioritizing financial, corporate, and administrative accounts.
- Enable Multi-Factor Authentication (MFA), preferring non-SMS methods (e.g., authenticator apps, hardware keys).
- Adopt passkeys/passwordless methods where available (Apple, Google, Facebook).
- Use reputable password managers to generate and store complex, unique credentials.
- Run endpoint malware scans to detect and remove infostealer infections.
- Monitor account activity and respond quickly to unauthorized access.
B. Organizational Measures:
- Enforce regular password rotations and MFA policies.
- Deploy EDR solutions and threat intelligence tools to detect infostealer presence (e.g., Hudson Rock, commercial EDR suites).
- Educate users on phishing and malware risks; implement training programs.
- Audit use of session tokens and cookies; enforce token invalidation on password reset.
- Restrict access to sensitive systems using least-privilege and enforce robust logging.
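The following Python sketch is an added illustration of the token-invalidation measure above and is not part of this advisory. It binds each session to a per-account generation counter that a password reset increments, so a cookie stolen by an infostealer before the reset is rejected even if it has not yet expired; the in-memory stores, function names and the placeholder password hashes are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Dict

# Hypothetical in-memory stores standing in for a user database and a session table.
@dataclass
class User:
    username: str
    password_hash: str  # constructed placeholder; a real system stores a salted hash
    session_generation: int = 0  # bumped on every password reset

@dataclass
class Session:
    username: str
    generation: int  # the account's generation when this session was issued
    issued_at: float
    max_age: float = 12 * 3600  # absolute lifetime in seconds

USERS: Dict[str, User] = {}
SESSIONS: Dict[str, Session] = {}

def create_session(username: str, now: float) -> str:
    """Issue a session token bound to the account's current generation."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(username, USERS[username].session_generation, now)
    return token

def validate_session(token: str, now: float) -> bool:
    """Accept a session only if it is known, unexpired, and was issued under the
    account's current generation. A cookie exfiltrated before a password reset
    therefore fails even though its expiry has not been reached."""
    sess = SESSIONS.get(token)
    if sess is None:
        return False
    user = USERS.get(sess.username)
    expired = now - sess.issued_at > sess.max_age
    stale = user is None or sess.generation != user.session_generation
    if expired or stale:
        SESSIONS.pop(token, None)  # clean up so the token cannot be retried
        return False
    return True

def reset_password(username: str, new_password_hash: str) -> int:
    """Store the new hash and bump the generation, which invalidates every
    session issued before this point, including any stolen by an infostealer."""
    user = USERS[username]
    user.password_hash = new_password_hash
    user.session_generation += 1
    return user.session_generation
```

The same generation check can be applied to refresh tokens and API keys, so that a password reset revokes every long-lived credential tied to the account at once.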
References: