Credential Theft Surge in 2025: Infostealer Malware Exposes Over 2 Billion Credentials
What Happened — Recorded Future’s 2025 Identity Threat Landscape Report documents a sharp rise in credential theft driven by infostealer‑as‑a‑service. More than 2 billion credential exposures were catalogued from infostealer log harvests, combo lists, and database dumps, with a 50 % increase in the second half of the year.
Why It Matters for TPRM (third‑party risk management) —
- Credential theft is now the dominant initial‑access vector; any third‑party relationship that relies on shared accounts inherits that exposure.
- Infostealer logs typically bundle passwords with the victim’s browser session cookies; replaying a still‑valid cookie lets an attacker skip the MFA prompt entirely and pivot into downstream vendors.
- Exposures are indexed quickly (53 % within one week of theft), so a slow detection cycle can leave partner ecosystems exposed before anyone rotates a password or revokes a session.
Who Is Affected — Enterprises across all sectors; particularly SaaS providers, cloud platforms, VPN/RMM services, and security‑tool vendors that host authentication endpoints.
Recommended Actions —
- Enforce continuous credential monitoring (stealer‑log and combo‑list feeds, not only breach notifications) and surface matches in third‑party risk dashboards.
- Require vendors to rotate exposed credentials, revoke active sessions on exposure (a password reset alone leaves a stolen cookie usable until it expires), and gate access behind zero‑trust network access.
- Validate that partners can detect and respond to a credential exfiltration or exposure within 24 hours.
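The monitoring, rotation and session‑revocation actions above, and the cookie‑replay point in the section before it, come together in the triage step that follows a feed match. The script below is an added example written for this page, not code from Recorded Future or the original brief. The stealer‑log layout (URL/USER/PASS blocks plus a Netscape‑style cookies.txt), the vendor watchlist, the domains and every credential in it are constructed assumptions; the 24‑hour SLA is the one the brief recommends.

```python
"""Triage a stealer-log sample against a third-party watchlist (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Fixed clock so the run is reproducible; a real triage job uses datetime.now(timezone.utc).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
FUTURE = int((NOW + timedelta(days=7)).timestamp())   # cookie still valid
PAST = int((NOW - timedelta(days=1)).timestamp())     # cookie already expired

# Constructed sample in the URL/USER/PASS block layout common to stealer-log dumps.
# None of these hosts, users or passwords are real.
SAMPLE_PASSWORDS = """\
URL: https://vpn.example-vendor.com/login
USER: j.doe@example.com
PASS: Summer2025!
===============
URL: https://app.saas-partner.net/signin
USER: svc-integration@example.com
PASS: hunter2
===============
URL: https://shop.unrelated-site.org/account
USER: jdoe_personal@gmail.com
PASS: ilovecats
===============
"""

# Constructed Netscape cookies.txt lines (tab-separated):
# domain, include_subdomains, path, secure, expiry (epoch seconds), name, value
SAMPLE_COOKIES = (
    f".saas-partner.net\tTRUE\t/\tTRUE\t{FUTURE}\tsession\tabc123\n"
    f".example-vendor.com\tTRUE\t/\tTRUE\t{PAST}\tsid\tdef456\n"
    f".unrelated-site.org\tTRUE\t/\tFALSE\t{FUTURE}\tcart\tghi789\n"
)

# Hypothetical third-party watchlist and corporate mail domains.
WATCHLIST = {"example-vendor.com": "VPN provider", "saas-partner.net": "SaaS vendor"}
CORP_DOMAINS = {"example.com"}

BLOCK_RE = re.compile(
    r"URL:\s*(?P<url>\S+)\s+USER:\s*(?P<user>\S+)\s+PASS:\s*(?P<password>[^\n]*)"
)


@dataclass
class Finding:
    vendor: str
    host: str
    user: str
    actions: list[str] = field(default_factory=list)


def parse_password_blocks(text: str) -> list[dict[str, str]]:
    """Return one dict per URL/USER/PASS block; separator lines are ignored."""
    return [m.groupdict() for m in BLOCK_RE.finditer(text)]


def parse_cookies(text: str) -> list[dict]:
    """Parse cookies.txt lines into domain / name / expiry; skip comments and short lines."""
    cookies = []
    for line in text.splitlines():
        parts = line.split("\t")
        if not line or line.startswith("#") or len(parts) != 7:
            continue
        domain, _, _, _, expiry, name, _value = parts
        cookies.append({"domain": domain.lstrip("."), "name": name, "expires": int(expiry)})
    return cookies


def host_in_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it (no substring matches)."""
    return host == domain or host.endswith("." + domain)


def triage(password_text: str, cookie_text: str, log_time: datetime, now: datetime = NOW,
           sla: timedelta = timedelta(hours=24)) -> list[Finding]:
    """Map each in-scope credential to the actions the brief recommends."""
    findings = []
    cookies = parse_cookies(cookie_text)
    for entry in parse_password_blocks(password_text):
        host = urlsplit(entry["url"]).hostname or ""
        vendor = next((d for d in WATCHLIST if host_in_domain(host, d)), None)
        user_domain = entry["user"].rpartition("@")[2].lower()
        if vendor is None and user_domain not in CORP_DOMAINS:
            continue  # personal account on an unrelated site: out of scope for TPRM
        actions = ["rotate_credential"]
        # A still-valid cookie can be replayed without ever seeing an MFA prompt,
        # so rotation alone is not enough: sessions must be revoked too.
        if any(host_in_domain(host, c["domain"]) and c["expires"] > now.timestamp() for c in cookies):
            actions.append("revoke_sessions")
        if now - log_time > sla:
            actions.append("sla_breached")  # exposure outlived the 24-hour response target
        findings.append(Finding(vendor or "unlisted", host, entry["user"], actions))
    return findings


def run_demo(log_age_hours: int = 30) -> list[Finding]:
    """Triage the constructed sample as if the log were captured log_age_hours ago."""
    return triage(SAMPLE_PASSWORDS, SAMPLE_COOKIES, log_time=NOW - timedelta(hours=log_age_hours))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.vendor:<22} {f.host:<28} {f.user:<30} {', '.join(f.actions)}")
```

Two design points carry over to a production job: domain matching is suffix‑based on the parsed hostname rather than a substring search, so `notexample-vendor.com` does not match the watchlist, and cookie liveness is checked against the log’s expiry field, which is the only signal in the dump of whether session replay is still possible.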
Technical Notes — The surge is driven by infostealer malware‑as‑a‑service, which harvests saved browser passwords, session cookies, and tokens from compromised endpoints and exfiltrates them to attacker‑controlled infrastructure; the resulting logs are then sold or recombined into public and private combo lists. No specific CVE is cited; the vector is malicious software running on poorly managed endpoints, not a flaw in any one product. Source: https://www.recordedfuture.com/blog/identity-trend-report-march-blog