[New research] Learn what 1 billion+ malware-stolen credentials mean for your 2025 security to-do list

The Specops research team has launched the 2025 Breached Password Report, which contains analysis of over 1 billion malware-stolen passwords. The launch of the report also coincides with the latest addition of over 210 million compromised passwords to the Specops Breached Password Protection service.

Darren James, Senior Product Manager at Specops Software, said this about the findings: “The number of passwords being stolen by malware should be a concern for organizations. Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware. In fact, we see many stolen passwords in this dataset exceeding the length and complexity requirements in common cybersecurity regulations.

“We also know password reuse is extremely common, so it’s possible end users are reusing work passwords on personal devices, applications, and websites with weak security that are more vulnerable to malware. It’s vital you have a way to check your Active Directory for compromised passwords that hackers could use as a relatively simple entry point into your organization.”

The 2025 Specops Breached Password Report 

Over the past year, our Threat Intelligence team has gathered and analyzed data on a critical and growing cybersecurity issue: the theft of credentials via malware. This report offers analysis of over one billion malware-stolen credentials, helping to equip organizations with a deeper understanding of the passwords end users are choosing (and reusing), how these attacks are carried out, and the measures that can be taken to mitigate the risks.

By examining real-world password data and analyzing the techniques used by attackers, we hope to provide you with actionable insights and recommendations to enhance your security protocols and protect against the threat of malware-stolen credentials. For example, we found that 230 million stolen passwords meet the complexity requirements that are standard in many organizations (more than eight characters, at least one capital letter, one number, and one special character). This shows that simply meeting password complexity standards isn’t enough: a password that satisfies every rule of the policy is still compromised the moment malware captures it.
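The point that complexity compliance and compromise are two independent properties is easy to see in code. The following is an added illustration written for this page, not code from the report or from any Specops product: it applies the complexity rule the paragraph describes and, separately, looks a password up in a small constructed set of "known compromised" passwords (stored as SHA-1 digests so the check never needs the plaintexts; the hash choice and the sample passwords are assumptions made for the example). A password that passes the policy check but appears in the compromised set is rejected anyway.

```python
"""Complexity compliance vs. compromise: two independent checks.

Added example, not part of the original article or the report's methodology.
"""
import hashlib
import re

# Constructed stand-in for a breached-password list. In practice this would be
# a large externally maintained dataset; here it is a handful of made-up values.
_CONSTRUCTED_BREACHED = ["Summer2024!", "P@ssw0rd123", "Welcome1!", "qwerty"]

# Keep only digests of the compromised passwords, so the check can be shipped
# without the plaintexts. SHA-1 is an assumption for the example, not a recommendation
# of any particular hashing scheme.
BREACHED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _CONSTRUCTED_BREACHED
}

MIN_LENGTH = 9  # "more than eight characters"


def meets_complexity(password: str) -> bool:
    """The policy described in the article: more than eight characters, at least
    one capital letter, one digit and one special (non-alphanumeric) character."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def is_compromised(password: str, breached_hashes=BREACHED_HASHES) -> bool:
    """True if the password's digest is in the compromised set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in breached_hashes


def evaluate(password: str, breached_hashes=BREACHED_HASHES) -> str:
    """Decide whether a proposed password is acceptable.

    The compromise check runs first: a breached password is unusable no matter
    how well it satisfies the complexity rules.
    """
    if is_compromised(password, breached_hashes):
        return "rejected: compromised"
    if not meets_complexity(password):
        return "rejected: complexity"
    return "accepted"


def summarize(candidates, breached_hashes=BREACHED_HASHES) -> dict:
    """Count how many candidates satisfy the policy, and how many of those are
    nevertheless compromised. This mirrors the kind of finding the report states
    (policy-compliant passwords that were still stolen)."""
    compliant = [p for p in candidates if meets_complexity(p)]
    compliant_but_compromised = [
        p for p in compliant if is_compromised(p, breached_hashes)
    ]
    return {
        "total": len(candidates),
        "complexity_compliant": len(compliant),
        "compliant_but_compromised": len(compliant_but_compromised),
    }


if __name__ == "__main__":
    # Constructed sample input: a mix of compliant, non-compliant and compromised values.
    sample = [
        "Summer2024!",
        "P@ssw0rd123",
        "Welcome1!",
        "qwerty",
        "Tr0ub4dor&3-Long-Phrase",
        "short1!",
    ]
    for pw in sample:
        print(f"{pw!r:28} complexity={meets_complexity(pw)!s:5} -> {evaluate(pw)}")
    print(summarize(sample))
```

Running the sample shows three of the four policy-compliant passwords being rejected as compromised, which is exactly why a compliance-only check gives a false sense of safety: the policy test and the breached-list test answer different questions, and both have to pass.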

Other findings within the report include: 

  • The top five most commonly stolen passwords in 2024 
  • The most common base terms found in stolen passwords last year 
  • The most common lengths of last year’s stolen passwords
  • The most popular credential-stealing malware used by hackers in 2024

For full details on these findings and more, download your copy of the report here.

Report methodology

Data in this report comes from KrakenLabs, the Threat Intelligence team at Outpost24 (Specops Software’s parent company). In total, 1,089,342,532 stolen passwords captured over a 12-month period were analyzed for this report. The data is accurate as of December 2024; however, we expect the overall trends and patterns to remain consistent through 2025. The report also references other pieces of individual research carried out by the KrakenLabs team throughout 2024.


Find compromised passwords in your network today  

This month’s update to the Breached Password Protection service adds over 5 million compromised passwords to the list used by Specops Password Auditor. You can find out how many of your passwords are either compromised or identical with a read-only scan of your Active Directory from Specops Password Auditor. You’ll get a free customizable report on password-related vulnerabilities, including weak policies, breached passwords, and stale or inactive accounts. Download your free auditing tool here.

Continuous automated defense against compromised passwords 

Specops Password Auditor offers a good starting point for assessing your current password risks, but it’s only a snapshot. With Specops Password Policy and Breached Password Protection, organizations can continuously protect themselves against over 3 billion more known unique compromised passwords (4 billion in total). These include compromised passwords that could be considered ‘strong’ and have been stolen by malware.

Our research team’s attack-monitoring data collection systems update the service daily and help ensure networks are protected from real-world password attacks happening right now. Breached Password Protection continuously scans your Active Directory for breached passwords and allows you to alert end users with customizable messaging that helps reduce calls to the service desk.

Interested in seeing how this might work for your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial. 

(Last updated on January 21, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
