Aaaah! Act now! Hurry! Change ALL your passwords! Your password was stolen by malware on your device so change it now… on your device… that still has malware… Wait a minute. Shouldn’t this article at least suggest removing the malware first?
I need more information. How is the malware being distributed to these devices? How can we check if our credentials are in this dump? Shouldn’t the respective platforms be doing due diligence to notify those effected and asking them to change their passwords?
I feel it may be fairly likely that this inforstealer Malware is the type distributed by dubious apps the play store and similar have had to take down but aren’t actively notifying users who installed them. Is it predominantly phones that are effected or is this malware PC based? Changing your passwords is important but sounding the alarm with no actual information is just… Ill advised. It’s fear mongering.
If your credentials are in an infostealer dump then you need to make sure that you’ve removed the malware from your device(s) before changing your passwords. Otherwise your new passwords will be sent straight to the same people who got them the first time.
I couldn’t find in the article a list of all platforms affected, only this:
billions of login credentials from social media, VPNs, developer portals and user accounts for all the major vendors.
Since I don’t use the big three, I’d be really interested to see a list, before I go through every online account I ever created with a throwaway email.
This article is about credentials that are stolen directly from users’ devices that are compromised with malware. So they will be that user’s passwords for whatever services they were using while infected with the malware. This is why the dumps contain passwords for just about every online service that exists.
This isn’t an actual database breach of the major providers.
Thanks for clarifying. Still, does this affect every “device” user out there? There must be some sort of explanation here, what’s the attack vector etc. I couldn’t find it even on that Lithuanian guy’s website.
This forbes blog is about this article:
https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/
The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances.
So there isn’t really an explanation other than “somebody collected these somehow and left the data unsecured.”
The attack vector for infostealer malware is usually social engineering, getting unwary users to download infected trojanized software via phishing and malvertising etc.
If you follow security news, you will see articles about infostealer malware campaigns all the time.
https://www.theregister.com/2025/06/18/minecraft_mod_malware/
https://thehackernews.com/2025/06/malicious-pypi-package-masquerades-as.html
https://thehackernews.com/2025/06/rust-based-myth-stealer-malware-spread.html
https://thehackernews.com/2025/05/eddiestealer-malware-uses-clickfix.html
Oh, so I’m probably safe.
I don’t do mainstream social media, and I don’t answer phone calls, texts, or emails from unknown sources.
Mama told me not to talk to strangers, and I took that into the digital age.
Yeah the closest to listing off affected services was this:
The information contained, the researchers stated, open the door to “pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services.”
Which doesn’t say very much :s. If you don’t use any of these big online services and use a locally managed password manager I’d wager you’re fine.
Reads more like an advertorial. Low on detail, high on “passkeys are the future”, and plenty of typos.
Is this real? The article gives no concrete details.
What’s the total human population again, 8 billion?
I have like a dozen Gmail accounts, and I know plenty of others who do too. Before I owned my own domain, I used the different accounts for different things.
Need a breakdown first before everyone starts freaking out. This sounds like a UUID leak.
