Leak of 16 Billion Passwords: What Happened, How It’s Possible, and Why Businesses Must Respond

Author: Andrew Mikhaliuk, CEO of CoreWin

When a team of researchers from Cybernews uncovered a massive data leak, it sent shockwaves through the world of information security. We’re talking about over 16 billion accounts — one of the largest breaches in history. What’s striking is not just the number, but the method of data acquisition: infostealers played a key role in the leak. Infostealers are malicious programs that steal information directly from users’ devices.

As the director of a software distribution company, I was both shocked and deeply concerned. This incident is a wake-up call — a stark reminder of how modern threats continue to exploit old vulnerabilities, and how easily hackers can bypass even the most advanced defenses when users or organizations neglect basic cybersecurity hygiene.

In this article, I’ll share my perspective on the incident, break down its causes, and outline what IT leaders — CIOs, CISOs, and CTOs — can do to protect their businesses from similar threats in the future.

Infostealers: A Technical Breakdown of the Leak

What exactly happened? Researchers uncovered around 16 billion account records, including URLs, usernames, and passwords. That’s roughly two compromised accounts for every person on the planet. The structure of the data points to a common attack method — infostealers: malicious programs that silently and invisibly steal personal data directly from users’ devices.

How do infostealers work? Unlike traditional attacks targeting the servers of large companies, infostealers infiltrate users’ devices directly. This usually happens when a user downloads a malicious file — for example, pirated software, game mods, or infected PDFs from phishing emails. Once on the device, the infostealer quietly collects virtually all valuable information: saved browser passwords, cookies, session tokens, corporate network credentials, and even browsing history.

The stolen data is instantly transmitted to the attackers. In such cases, neither a strong password nor perimeter security can help — because the attacker has direct access to the data right on the user’s device.

Why Was the Scale of the Leak So Massive?

Several key factors contributed to the unprecedented scale of this breach:

  • The Rise of Infostealers. Infostealers have become increasingly popular. Today, there are even infostealer malware-as-a-service (MaaS) offerings — malicious tools available to virtually anyone on the dark web. This has led to the global spread of such malware.
  • The Human Factor. People continue to open dangerous attachments and download untrusted software, often unaware of the risks involved.
  • Lack of Multi-Factor Authentication (MFA). Many companies still neglect to implement MFA. This is especially dangerous because even the strongest password alone is not enough to protect against threats when MFA is missing.

These factors combined to make a leak of this magnitude possible — and they clearly show that modern threats often exploit human weaknesses and gaps in security practices.

Hidden Layers of the Leak: What Lies Beneath the Surface

At first glance, this leak might seem straightforward: hackers stole a massive number of passwords and accidentally exposed them online. But a deeper look reveals some important nuances.

Structure and Origin of the Data

The leaked password files were highly structured — each entry included a URL, login, and password. This format strongly indicates that the data was harvested using infostealers. In other words, this wasn’t the result of a direct breach of major companies like Google or Facebook. Instead, the real victims were end-user devices. From there, attackers extracted login credentials for popular services.

These databases contain logins not only for popular services, but also for government portals, GitHub, and Telegram. This indicates that attackers exploited the weakest link — end-user devices and the users themselves.

The Real Scale of the Leak

Hackers didn’t attack millions of people at once — this is the accumulated result of several separate campaigns. The data is distributed across approximately 30 individual databases, each originating from a different “operator” or specific infostealer campaign. The size of the databases varies: from 16 million to 3.5 billion records.

Some databases had names that hinted at specific attack targets: for example, one referenced the Russian Federation, another — Telegram. This suggests a degree of targeting and regional focus in some of the attacks.

Mistakes Made by the Hackers

Interestingly, all this data was stored completely unprotected for some time — in open cloud storage, without any security measures. That’s exactly how researchers found it. The hackers accidentally made the data publicly accessible for a short period, which allowed researchers to detect the leak in time.

This raises a troubling question: how many more such unprotected storage locations might exist that we still don’t know about?

Exploited Weak Points

The main vulnerability exploited by the hackers was the common habit of storing passwords directly in browsers. Infostealers can easily extract not only passwords, but also session cookies and tokens — allowing attackers to gain access even without a password and to bypass two-factor authentication (2FA), because the stolen session has already been authenticated.

Companies often fail to invalidate active sessions after a password change, which creates an additional risk. Moreover, many organizations don’t use dark web monitoring and have no idea whether their data is circulating online. Those that do engage in threat intelligence and regularly monitor leaks can respond to incidents more quickly and reduce risks to their business.
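One way to make a password change void every session issued before it, even for stateless tokens that no server-side table can simply delete, is to bind each token to a per-user "password generation" counter. This is an added example, not code from the article or from any product it mentions; the signing key, the in-memory generation table and the token layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real deployment the signing key comes from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)

# Per-user password generation, bumped on every password change (in-memory for the example).
password_generation: dict[str, int] = {}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(username: str) -> str:
    """Mint a token that records the password generation it was issued under."""
    gen = password_generation.setdefault(username, 1)
    payload = f"{username}:{gen}:{secrets.token_hex(16)}"
    return f"{payload}.{_sign(payload)}"

def validate_session(token: str) -> bool:
    """Accept only untampered tokens minted under the user's *current* generation."""
    try:
        payload, sig = token.rsplit(".", 1)
        username, gen_str, _nonce = payload.split(":")
        gen = int(gen_str)
    except ValueError:
        return False                      # malformed token
    if not hmac.compare_digest(_sign(payload), sig):
        return False                      # forged or tampered token
    # A token stolen before the password change carries an old generation and is rejected.
    return gen == password_generation.get(username)

def change_password(username: str) -> int:
    """Part of the password-change flow: bumping the generation invalidates all older sessions."""
    password_generation[username] = password_generation.get(username, 1) + 1
    return password_generation[username]
```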

These less obvious details highlight how important it is to look deeper — beyond standard protection methods — and pay attention to the human factor and internal procedures. These were the key weaknesses in this leak, and they are exactly what company leaders need to focus on.

How This Incident Will Impact the IT Sector and Business: Real Risks

The leak of over 16 billion accounts is not just another sensational headline — it’s a serious wake-up call for every company. Let’s take a closer look at the real threats businesses now face.

Unprecedented Access to Accounts

In effect, attackers have gained access to billions of active passwords and sessions. This means that even if only a small fraction of these credentials are successfully used, millions of accounts could potentially be compromised. The situation has become a systemic threat to any company, regardless of its size or industry.

Catastrophic Scenarios

What can attackers do with this kind of access? Almost anything:

  • Account Takeover. For example, an attacker could log into corporate email, change the password, and demand ransom — or use the account for further attacks or spam campaigns.
  • Theft of Data and Money. With access to financial systems or internal communications, an attacker could initiate unauthorized transfers or steal sensitive information.
  • Sophisticated Phishing Campaigns (BEC). With real employee data, attackers can craft highly convincing phishing attacks to trick your partners into giving up money or information.
  • Ransomware Attacks. Infostealers are often the first stage in a ransomware attack. The stolen credentials may be sold to intermediaries (Initial Access Brokers), who then provide direct access to corporate networks for ransomware deployment.

Reputational and Financial Damage

Leaks like this always undermine the trust of clients and partners. If the leak leads to a real incident — such as the theft of personal data or money — a company may face serious financial losses and fines from regulatory authorities (for example, under GDPR).

Domino Effect in the IT Industry

16 billion records represent a massive resource for automated attacks. Attackers can launch large-scale password spraying scripts and use the stolen data for highly targeted phishing campaigns.

IT companies will be forced to spend even more resources on protection — strengthening authentication, monitoring, and attack prevention. This leak once again proves that passwords as the primary method of protection are no longer sufficient. Without additional layers of security (MFA, hardware tokens, behavioral analysis), companies become an easy target.

In summary: This incident has become a serious test for businesses. It clearly demonstrated that ignoring modern threats is a direct path to disaster. Now, leaders and specialists must urgently rethink their approach to security and act proactively.

How to Protect Your Business from Infostealers: Practical Recommendations for CIOs, CISOs, and CTOs

This leak is a clear reminder that protecting business data must be priority number one. Below are practical tips for IT leaders and security professionals to significantly reduce the risks posed by infostealers.

Security and Network Architecture

Zero Trust Principle and Network Segmentation

The perimeter has long ceased to be a reliable line of defense. Implement a Zero Trust architecture that verifies every request — even those originating from inside the network. Segment your corporate network so that compromising one device doesn’t automatically grant access to other resources.

Secure Access for Remote Employees (BYOD)

Today, employees often use personal devices for work. Implement containerization or isolated work environments. Ensure that only devices meeting your security standards (updates, encryption, antivirus) are allowed to access corporate systems. Where possible, manage devices centrally using MDM solutions.

Cloud Proxies and SASE Architecture

Use Secure Access Service Edge (SASE) cloud solutions to control traffic from remote employees, even when they work outside the office. This provides an additional layer of protection against malware and unauthorized access.

Policies and Processes

Prohibit Password Storage in Browsers

Browsers are the easiest target for infostealers. Implement corporate password managers that allow employees to store complex passwords in a secure, encrypted format.

Mandatory Multi-Factor Authentication (MFA)

MFA must be applied everywhere: VPN, corporate email, critical systems. Use modern methods — hardware keys (YubiKey), one-time codes, or push notifications. This significantly reduces the risk of compromise even if passwords are leaked.

Patch Management Policy

Critical software updates should be installed quickly — ideally within 24–48 hours of release. Timely patching directly affects protection against newly discovered vulnerabilities actively exploited by hackers.

Access Rights Restriction (Least Privilege)

Review employee access rights. Minimize them to what’s strictly necessary. Use Privileged Access Management (PAM) for high-privilege accounts. This significantly reduces risks in case a single account is compromised.

Regular Training and Attack Simulations

Conduct regular cybersecurity hygiene training. Simulate phishing attacks within the company to keep employees alert. A “Think Before Click” culture should become part of your organizational DNA.

What Technologies Should Be in Your Security Arsenal Today

Technical tools don’t replace policies and culture, but they are the foundation of modern protection. If your company takes security seriously, below is a must-have set of technologies against infostealers and similar threats.

Endpoint Detection and Response (EDR)

Modern endpoint protection solutions must be installed on all workstations and servers. EDR systems detect both known malware signatures and behavioral anomalies — for example, when a program starts reading passwords from a browser or copying cookie files.

Choose EDR solutions with automatic response capabilities (such as host isolation or network disconnection) and centralized management for your security team. For example, Wazuh.

DLP and Traffic Monitoring

Infostealers exfiltrate collected data over the network — sometimes encrypted, sometimes in plain text. That’s why it’s important to have:

If traffic is being sent from an office PC to a foreign server at 3 a.m., that’s an incident that must be detected.
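A minimal version of that detection, written over constructed flow records rather than real telemetry, as an added example that is not part of the article: it flags outbound connections to non-allowlisted hosts outside business hours, and bulk uploads to such hosts at any time. The address prefixes, hours and byte threshold are assumptions a team would tune to its own environment.

```python
from datetime import datetime, timezone

# Constructed firewall/NetFlow-style sample records (not real telemetry).
SAMPLE_FLOWS = """\
2025-06-20T14:05:10Z src=10.0.5.21 dst=203.0.113.7 dport=443 bytes_out=18240
2025-06-20T03:12:44Z src=10.0.5.21 dst=198.51.100.23 dport=443 bytes_out=48213000
2025-06-20T03:14:02Z src=10.0.5.33 dst=10.0.0.12 dport=445 bytes_out=9100000
2025-06-20T10:30:00Z src=10.0.5.40 dst=198.51.100.23 dport=8080 bytes_out=61000000
"""

BUSINESS_HOURS = range(8, 19)                  # assumed 08:00-18:59, timestamps are UTC
ALLOWED_DST_PREFIXES = ("10.", "203.0.113.")   # assumed: internal ranges + sanctioned services
BULK_UPLOAD_BYTES = 50_000_000                 # assumed threshold for an unusually large upload

def parse_flow(line: str) -> dict:
    """Turn 'TS key=value ...' into a record with a parsed timestamp and integer byte count."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec

def classify(rec: dict) -> list:
    """Return the reasons a flow is suspicious; an empty list means it is benign under these rules."""
    reasons = []
    external = not rec["dst"].startswith(ALLOWED_DST_PREFIXES)
    if external and rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours upload to non-allowlisted host")
    if external and rec["bytes_out"] >= BULK_UPLOAD_BYTES:
        reasons.append("bulk upload to non-allowlisted host")
    return reasons

def detect(log_text: str) -> list:
    """Run the rules over every record and return (src, dst, reasons) for each hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["src"], rec["dst"], reasons))
    return alerts
```

On the sample above, the 3 a.m. transfer to 198.51.100.23 and the 61 MB daytime upload are reported, while the internal SMB traffic at night is not.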

Email and Web Access Protection

One of the most common entry points for infostealers is through phishing emails and malicious websites. Implement:

  • A Secure Email Gateway with AI and sandbox analysis;
  • DNS filters and web access protection solutions.

This allows threats to be detected before the user even opens them.

Advanced Identity Management and UEBA

User and Entity Behavior Analytics tools help detect abnormal user activity — for example, if an accountant suddenly exports the client database, or if an account is accessed at night from another continent. For example, Netwrix Threat Manager.

Modern IAM solutions can automatically block access, require MFA, or check new passwords against breach databases (e.g., via the HaveIBeenPwned API). For example, Netwrix Identity Manager (formerly Netwrix Usercube).
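The breach-database check can be done without ever sending the password itself: the Have I Been Pwned Pwned Passwords API accepts only the first five hex characters of the password's SHA-1 and returns every matching suffix with its breach count (its k-anonymity range endpoint). The following is an added example of that policy hook, not code from the article, from Netwrix or from HIBP; the `fetch` parameter lets the lookup be replaced offline, and the User-Agent string is a placeholder.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # HIBP k-anonymity range endpoint

def sha1_split(password: str):
    """Return (prefix, suffix) of the uppercase hex SHA-1; only the 5-char prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Network lookup. Add-Padding asks HIBP to pad the response so its size leaks nothing."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times this exact password appears in known breaches (0 if never)."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch(prefix))

def accept_new_password(password: str, fetch=fetch_range) -> bool:
    """Policy hook for a password-change flow: reject anything already seen in a breach."""
    return breach_count(password, fetch) == 0
```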

Threat Intelligence and Leaked Password Monitoring

Finally — continuous monitoring of the dark web for your company’s credentials. If employee or service credentials appear in leaks, it’s crucial to find out in time.

This can be implemented either through an in-house Threat Intelligence function or via specialized services. The response must be immediate: analysis, password reset, account blocking, isolation. For example, ResilientX UEM.

Conclusions: A Digital Crash Test and Survival Strategy

The incident involving the leak of 16 billion passwords is not just a technical event. It’s a crash test for the entire digital ecosystem. As a leader responsible for technology and security, I see in it not only a threat, but also a moment for rethinking.

My personal takeaways:

1. Passwords can no longer be the only barrier

Even the most complex password won’t help if it’s stolen from a compromised device. MFA must become the standard. But even beyond that — we need to move toward factors beyond the password. A password alone is no longer a guarantee of security.

2. Endpoint protection must be priority number one

These billions of records were leaked from endpoint devices. Invest in EDR, employee training, and secure access policies. Without control over what’s happening on the workstation, the rest of your security is just an illusion.

3. Be prepared for the worst-case scenario

If your corporate credentials appear on the dark web tomorrow — does your team know what to do? Response plans, notification procedures, technical actions — all of this must be in place in advance. Otherwise, your reaction will come too late.

Call to Action: Proactivity Instead of the Illusion of Control

Leaks like this are an opportunity to rethink, rebuild, and strengthen. At our company, we are already updating policies, implementing new control tools (including from the CoreWin portfolio), monitoring the dark web, and enhancing our cyber resilience.

My message to all colleagues: no panic, but no delay either. Let’s build a systematic, multi-layered defense.

It is our responsibility to stay one step ahead — even in a world where 16 billion passwords can be exposed.

Security is not a tool — it’s a process. And a process requires discipline, teamwork, and vision.

Then no leak will become a catastrophe. Only — another lesson.
