Hackers Share 3.9 Billion Stolen Passwords: What You Need To Know
www.forbes.com
Infostealer malware is a real and present danger to your passwords.

Considering just how many infostealer malware warnings have been issued recently, from macOS-specific threats to those targeting a broad sweep of Gmail and Outlook email users, there can be little doubting that cybercrime actors are coming for your passwords. Now the true reach of the infostealer malware threat has been laid bare by a threat intelligence agency which specializes in leveraging dark web data, and the picture it paints is a scary one. Here's what you need to know.

Infostealers Behind 3.9 Billion Stolen Passwords Shared By Hackers

More than 4.3 million machines were infected by infostealer malware across 2024, responsible for an astonishing 330 million credentials being compromised, according to the latest KELA state of cybercrime report, published Feb. 20. And if you thought that was a shocking number, I hope you are sitting down as it gets even worse. The KELA analysts said they had observed 3.9 billion passwords shared in the form of credentials lists that appear to be sourced from infostealer logs. Just three strains of this insidious malware threat, Lumma, StealC, and Redline, were responsible for 75% of all infected systems.

"Underground economies, from malware-as-a-service to stolen credential marketplaces, contributed to a powerful infrastructure supporting a range of malicious activities," David Carmiel, CEO at threat intelligence analysts KELA, said.

Malicious activity that includes the likes of both ransomware attacks and espionage campaigns. Infostealers' appeal, the report suggested, lies in their efficiency and scalability, enabling attackers to compromise large volumes of accounts, both personal and corporate.
By doing so, this particular malware menace becomes something of a self-fulfilling password theft prophecy, with lists of compromised credentials being sold on underground criminal marketplaces that are used to aid further attack campaigns and garner more credentials that can be sold and so on. Almost 40% of the infected machines to be found within KELA's data lake included credentials for sensitive corporate systems such as content management systems, email, Active Directory Federation Services, and remote desktop. In all, this accounted for nearly 1.7 million bots and 7.5 million compromised credentials. "Based on KELA's analysis," the report stated, "the dataset primarily (almost 65%) contained personal computers that had corporate credentials saved on them and thus obtained by infostealer malware."

To help mitigate the threat from infostealer malware, KELA recommended that multi-factor authentication be implemented across all accounts, critical systems isolated to limit the opportunity for lateral movement by attackers, and advanced email filtering solutions deployed to prevent phishing attempts. If you value your accounts and your data, then you better take action sooner rather than later. The threat actors certainly aren't waiting and KELA analysts only expect the infostealer threat to your passwords to increase during 2025.