Your passwords might be compromised—find out why you should be worried now

In today's digital world, security threats are becoming increasingly sophisticated, leaving personal data exposed in unexpected ways.

A recent development has brought new concerns about the vulnerability of our most sensitive information, with consequences far beyond the average breach.

As more details emerge, it's clear that the situation is far from what we thought we knew about online safety.


In January 2025, a new report revealed alarming news—malware has stolen over 1 billion passwords.

This revelation came from the Specops Software team, which had analysed over a billion stolen credentials.

The 2025 Breached Password Report highlighted the shocking scale of the theft, which occurred over 12 months.


A new report reveals the shocking scale of stolen credentials. Image source: Pexel/Soumil Kumar


Among these compromised passwords, many were more complex than the standards most organisations or consumers use.

However, even passwords that met complexity requirements were still no match for malware attacks.

Darren James, senior product manager at Specops Software, stated: ‘Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware.’

The research team found that many of the compromised passwords had exceeded length and complexity regulations.

This points to a critical issue—password reuse, which makes stolen credentials more dangerous.

The malware used in the thefts was primarily Redline, Vidar, and Raccoon Stealer.


According to Specops: ‘Hackers favour malware-stolen credentials as they’re easy to obtain, use, and sell.’

The team analysed 1,089,342,532 stolen passwords, offering a glimpse into how attackers target vulnerable accounts.

More than 230 million of the stolen passwords met common complexity standards.

Over 350 million passwords exceeded 10 characters, with 92 million of those being 12 characters long.


The data showed that a password longer than eight characters wasn’t enough to protect against modern threats.

The researchers noted that ‘long and strong’ was still the best advice when it comes to password security.

Given the vulnerabilities exposed, experts recommended using a unique password for every account.

A password manager such as 1Password or Bitwarden was suggested to keep everything secure and unique.

Consumers were urged to conduct a password audit without delay and replace any reused passwords.

Those still relying on weak or reused credentials could soon find themselves among the 1 billion compromised users.
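
An added example, not part of the original article or the Specops report: one way to run the reuse audit recommended above over a password-manager CSV export. The column names (name, username, password) and the sample rows are constructed assumptions; real exports use their own layouts.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample export. Note that the reused password below would pass
# a typical length-and-complexity policy, which is the article's point.
SAMPLE_EXPORT = """name,username,password
bank.example,pat,Tr0ub4dor&3-Harbour!
shop.example,pat,Tr0ub4dor&3-Harbour!
mail.example,pat@mail.example,correct horse battery staple
forum.example,pat60,Tr0ub4dor&3-Harbour!
power.example,pat,Winter2024
notes.example,pat,
"""


def find_reused(export_text, name_col="name", password_col="password"):
    """Return lists of account names that share one password.

    Passwords are grouped by an HMAC under a throwaway key, so the result
    (and anything printed from it) never contains a password.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        password = row.get(password_col) or ""
        if not password:
            continue  # entries without a password (notes, cards) are skipped
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append(row[name_col])
    reused = [sorted(names) for names in groups.values() if len(names) > 1]
    return sorted(reused, key=len, reverse=True)


def report(export_text):
    """One line per reused password, naming only the affected accounts."""
    return [
        f"{len(names)} accounts share one password: {', '.join(names)}"
        for names in find_reused(export_text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

A CSV export holds every password in plain text, so delete it as soon as the audit is finished.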

Key Takeaways
  • A recent report revealed that over 1 billion passwords were stolen by malware, exposing vulnerabilities in password security.
  • Even passwords that met complexity standards were compromised, highlighting the growing inadequacy of traditional security measures.
  • Malware such as Redline, Vidar, and Raccoon Stealer was used to steal these credentials, which are easy for hackers to sell and exploit.
  • Experts recommend using unique, strong passwords for every account, employing password managers, and conducting regular audits to prevent future breaches.

With so much at stake, how are you securing your online accounts? We’d love to hear your thoughts—drop a comment below.
 

Seniors Discount Club

After having my bank recently hacked I changed all of my passwords to hard ones, they include @#!%&*, including letters, capitals and numbers, I thought they were pretty safe until I read this 😯
Sadly, it's less about how you create your passwords (and hint: longer is better - think 20+ characters), but how they are stored.

They should be properly hashed ('trap-door' encryption) & salted (an 'extra set of characters' created automatically) with a modern algorithm, but far too often the organisations are either not hashing, or not doing it properly.

'Multi-factor' authentication helps too.

Check out the Australian Cyber Security Centre page on 'passphrases'.
 
As I get older trying to remember passwords is becoming difficult especially when they now require other characters beside words and letters. So many things today are on-line and require passwords. I am constantly having to reset as I am getting the password wrong. Oh for a simpler life!
A "password manager" will help.
"the best password is the one you can't remember" :) (Troy Hunt, Cyber Security Expert from Brissie).

The one(s) built in to your browser are "ok", but better is something like 1Password (costs $US3 / month) which is pretty easy to use, or something free (both of cost, and being 'open source') like Bitwarden or KeePassXC (I use Bitwarden). Both of the latter are a little harder to use, but are a big step up from the browser built in.
 
So how would they know that passwords have been stolen when some are just random letters numbers symbols and no one is meant to be able to see them.
So they are totally useless unless all account data is lined up with the password, so sorry to say I call BS on this one !
scare mongering to push digital ID
shame shame shame
 
In this day and age, we all have digital accounts and have been forced to have them. If we don’t then we are penalised. For example having paper bills sent through the post costs extra on our accounts.
I believe that the companies that store our information should be accountable for any breach of it and we should be reimbursed if our identities are stolen and misused.
If they were penalised for not protecting our information, then they might work harder and employ the best anti hacking software available and work with the best cybersecurity firms.
 
After having my bank recently hacked I changed all of my passwords to hard ones, they include @#!%&*, including letters, capitals and numbers, I thought they were pretty safe until I read this 😯
You are way in front of most - well done! I have a password manager but I only use it for storing passwords I create and as well I put them into a book in case of system crash. I have been using this system for over 14 years - I regularly change critical passwords for banks, PayPal, medadvisor, MyGov, Telstra etc - any others about 12 - 18 months. As yet have had no issues and I will not use those QR codes that you don't know what is in them.
Also 2-factor authentication is good to have.
 
As I get older trying to remember passwords is becoming difficult especially when they now require other characters beside words and letters. So many things today are on-line and require passwords. I am constantly having to reset as I am getting the password wrong. Oh for a simpler life!
Get a password manager and save your passwords in there - then you will have more control. You do not have to use the passwords it generates - you can use your own - when you log in it will ask do you wish to save - YES.
 
As I get older trying to remember passwords is becoming difficult especially when they now require other characters beside words and letters. So many things today are on-line and require passwords. I am constantly having to reset as I am getting the password wrong. Oh for a simpler life!
If I didn't have a little book to put them in I would never remember my passwords, I have so many
 
I gave up trying to organise passwords a long time ago and got a good password manager. It's so darned good that when I had a phone crash and wanted to use my new phone, I was stuck trying to organise it until I had access to my laptop! Apart from that I'm really pleased with the security the manager brings. It creates and stores all passwords with encryption and warns about duplicate passwords. Saves so many headaches. Just have to remember to make sure the phone and laptop are backed up securely and regularly. I never use online storage because that seems a bit risky to me. Although I have no idea where and how the manager stores all the data lol
 
In this day and age, we all have digital accounts and have been forced to have them. If we don’t then we are penalised. For example having paper bills sent through the post costs extra on our accounts.
I believe that the companies that store our information should be accountable for any breach of it and we should be reimbursed if our identities are stolen and misused.
If they were penalised for not protecting our information, then they might work harder and employ the best anti hacking software available and work with the best cybersecurity firms.
Agree, crazy world we now live in, let me off it!
 