Struggling To Choose A Password To Keep Data Safe? Here Is How To Create A Robust Password To Be Cyber Safe

1.7 Billion Reasons to Change Your Password Today

The420.in

A chilling new report by researchers has revealed a 500% surge in infostealer malware attacks, with 1.7 billion passwords dumped on the dark web in 2024 alone.

Despite this, poor password hygiene continues to plague both individuals and organizations, particularly among Gen Z users. Experts now urge a fundamental rethink of cybersecurity strategies, emphasizing zero-trust, AI-driven defense, and user behavior reform.

The Rise of Infostealer Malware and the Password Black Market

A report by researchers has put a sharp spotlight on one of the fastest-growing cyber threats: infostealer malware. According to the report, the volume of password theft from this malicious software skyrocketed by 500% over the past year, resulting in over 1.7 billion unique passwords being made available on underground marketplaces.

Infostealer malware is lightweight and stealthy, often bundled with pirated software or injected through phishing attacks. Once inside a system, it quietly exfiltrates saved credentials, cookies, autofill data, and even crypto wallets.

Cybercrime syndicates then sort and compile these into combo lists: massive datasets of usernames and passwords that enable automated credential-stuffing attacks to breach accounts en masse.

Underground forums have reportedly seen over 100 billion compromised credentials listed, representing a 42% year-over-year increase. Groups like BestCombo, BloddyMery, and ValidMail have become key players, acting as initial access brokers, selling compromised identities to the highest bidder. Their work fuels the surge in account takeovers, financial fraud, ransomware delivery, and even corporate espionage.

The Password Crisis: Mismanagement, Reuse, and Fatigue

Despite the stark warnings, user behavior remains alarmingly lax. The 2025 World Password Day Survey reveals a paradox: most users understand the risks, but continue to ignore them.

  • 72% of Gen Z respondents admitted to password reuse across services.
  • 79% knew that reuse increases risk.
  • 59% still reused passwords even after a breach.
  • Shockingly, only 10% consistently update passwords after being notified of a compromise.

The survey also found that 38% of Gen Z users change only one character when required to update a password, and 30% frequently forget their passwords anyway, despite most services offering recovery options and password managers being widely available.

While 46% of Gen Z users reportedly use password managers, their actual behaviors, such as sharing passwords via body text, screenshots, or verbally, undermine their own security. Even with access to tools designed for safety, many users don’t follow through on basic hygiene practices.

Organizations Lag Behind as Threats Accelerate

On the organizational front, the report reveals equally disturbing trends. Despite cybersecurity experts issuing warnings for years, 27% of businesses still lack basic password policies, according to a cybersecurity expert. Where policies do exist, user frustration from frequent password changes often results in insecure workarounds, like slightly modified versions of existing passwords.

A data privacy solicitor underscores that compliance with password policies must be enforced through systems, not just on paper. “If your system allows users to bypass complexity rules or reuse old passwords, your policy is meaningless,” she warned.
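The point above, and the earlier finding that users change a single character when forced to rotate a password, is that a policy only counts if the system checks it at password-change time. The following is an added example of such a server-side check; it is not code from the article or from the report it cites. It assumes the user re-authenticates with the current password during the change (so that one value is briefly available in plaintext), that older passwords are kept only as salted PBKDF2 hashes, and the policy values (12-character minimum, five remembered passwords, a minimum edit distance of 3) are placeholders chosen for the example.

```python
"""Server-side password-change policy check (added example, not the article's or the report's code).

Enforces the three things the article says policies fail to enforce in practice:
  1. complexity rules that cannot be bypassed on the client,
  2. no reuse of any of the last HISTORY_DEPTH passwords (compared against salted hashes),
  3. no trivial edit of the current password, e.g. Winter2024! -> Winter2025!.
Assumption: the user supplies the current password in the same request, so it can be
compared in plaintext; earlier passwords exist only as (salt, digest) pairs.
"""
import hashlib
import os
import secrets

HISTORY_DEPTH = 5        # assumed policy value: previous passwords remembered
MIN_LENGTH = 12          # assumed policy value
MIN_EDIT_DISTANCE = 3    # assumed policy value: reject anything within 2 edits of the current one
PBKDF2_ROUNDS = 100_000  # stdlib PBKDF2 used for self-containment; a production system would use a dedicated KDF


def complexity_failures(pw):
    """Return the list of complexity rules the candidate violates (empty list = passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(not c.isalnum() for c in pw):
        failures.append("no symbol")
    return failures


def levenshtein(a, b):
    """Edit distance between two strings; catches the 'change one character' workaround."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hash_password(pw, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per stored entry."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_reused(pw, history):
    """True if pw matches any stored (salt, digest) pair, using a constant-time compare."""
    return any(secrets.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)


def evaluate_change(current_pw, new_pw, history):
    """Return the reasons to reject new_pw; an empty list means the change is acceptable."""
    reasons = complexity_failures(new_pw)
    if password_reused(new_pw, history):
        reasons.append("matches one of the previous passwords")
    elif levenshtein(current_pw, new_pw) < MIN_EDIT_DISTANCE:
        # Only the current password can be compared in plaintext; older ones are hashes,
        # so a near-copy of a password from two rotations ago is not caught here.
        reasons.append("too similar to the current password")
    return reasons


def apply_change(current_pw, new_pw, history):
    """Validate the change and return the updated history (oldest first, capped at HISTORY_DEPTH)."""
    reasons = evaluate_change(current_pw, new_pw, history)
    if reasons:
        raise ValueError("; ".join(reasons))
    updated = history + [hash_password(new_pw)]
    return updated[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed sample: the current password is the last entry in the stored history.
    current = "Winter2024!x"
    history = [hash_password(current)]
    for candidate in ["Winter2025!x", "Winter2024!x", "short", "Correct-Horse-7"]:
        print(candidate, "->", evaluate_change(current, candidate, history) or "accepted")
```

The reuse check costs one PBKDF2 computation per remembered password, which is why the history is capped; the similarity check runs only against the current password, because that is the only one available in plaintext, and that limit is worth stating in the policy document rather than hiding.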

Moreover, experts emphasize that even the best password practices can’t stop all breaches. Threats like device compromise, social engineering, and session hijacking require multi-layered defenses. Resta recommends organizations maintain robust incident response plans alongside 2FA, AI-driven anomaly detection, and Zero Trust Architecture (ZTA).
