Privacy Please
Welcome to "Privacy Please," a podcast for anyone who wants to know more about data privacy and security. Join your hosts Cam and Gabe as they talk to experts, academics, authors, and activists to break down complex privacy topics in a way that's easy to understand.
In today's connected world, our personal information is constantly being collected, analyzed, and sometimes exploited. We believe everyone has a right to understand how their data is being used and what they can do to protect their privacy.
Please subscribe and help us reach more people!
This podcast is part of The Problem Lounge network — conversations about the problems shaping our world, from digital privacy to everyday life.
S7, E274 - Your Password Is Already For Sale
Last year, every major outlet ran the same story: 16 billion passwords exposed. Apple. Google. Facebook. The largest breach in history.
It was overblown. Security experts tore it apart within 48 hours.
But here's the thing: the real story underneath that headline is actually scarier. And nobody covered it.
It's called infostealer malware. It's been quietly running on millions of devices — stealing passwords, bypassing MFA, and feeding an underground credential economy that's behind nearly every major breach of the last two years. Ticketmaster. AT&T. Coinbase. All of it traces back here.
In this episode, I dig back into that story and break down:
- Why the 16 billion number was a "fearset, not a dataset"
- What infostealer malware actually is and how it gets on your device
- Why MFA doesn't fully protect you from this (and what does)
- The underground marketplace where your stolen credentials are sold within 48 hours
- The stat that should genuinely keep you up at night: 67 seconds
- Six things you can do right now to protect yourself
SHOW NOTES
Episode: Your Password Is Already For Sale
Last year, the 16 billion password story dominated headlines. The headline was overblown — but the real threat underneath it, infostealer malware, is what nobody talked about. It's an industrial-scale credential theft economy running quietly in the background, and it's the engine behind almost every major data breach of the last two years. We dug back into it because it's only gotten worse.
Resources mentioned:
- Check if your email has been breached: haveibeenpwned.com
- Free password manager: bitwarden.com
- Premium password manager: 1password.com
Key sources:
- Cybernews — original 16 billion credential report (June 2025)
- CyberScoop — "The 16 billion password breach story is a farce"
- Flashpoint / DeepStrike — 1.8 billion credentials stolen in 2025 report
- Microsoft Security Blog — Lumma Stealer breakdown
- IBM X-Force Threat Intelligence Index 2025
- Verizon Data Breach Investigations Report 2025
- SANS Institute commentary
Connect:
🌐 theproblemlounge.com
📺 YouTube: The Problem Lounge Network
The 16 Billion Passwords Claim
SPEAKER_00: Every major news outlet ran the same story. Sixteen billion passwords exposed. Apple, Google, Facebook, GitHub, government platforms. The largest data breach in human history. Every single outlet ran it. CNN, CBS, Tom's Guide, your aunt's Facebook feed probably shared it with a fire emoji. And look, I get it. 16 billion is a big number. That's roughly double the number of people on Earth. Which should immediately tell you something is a little off. Because unless everyone on the planet has two accounts, which honestly checks out for some of you, the math still isn't mathing. And here's the thing though, the headline was definitely overblown. Security experts tore it apart within 48 hours. Turns out it wasn't one massive breach, it was a recycled pile of old stolen data, repackaged, briefly exposed online, and turned into the scariest possible press release. So we're gonna be debunking that today. But also, we're gonna be replacing it with something that is actually a little bit scarier. Because the real story underneath that headline, nobody covered it, of course, and it has been quietly running on millions of devices. Maybe yours for years.
What This Show Is About
SPEAKER_00: I am your host, Cameron Ivey. And today, we're gonna dig into the stories that matter here. That's what we always try to do. Investigative journalism. Yeah, you got it. Welcome. If it's your first time, thanks for joining. If you've been with us this whole time, thank you so much for coming back. Thanks for being here. We try to dig into real stories, real news, real tactics. Try to break things down so it's easily understood by everyone. This show covers privacy and security news that affects your life, your data, your digital existence, all those things. We try to make it make sense, right? Real quick before we dig in, the Privacy Please podcast is a part of the Problem Lounge Network. Uh, head over to theproblemlounge.com. If you haven't visited our website, check it out. All of our episodes, everything you need is on there. Um, you can find us on YouTube, follow us wherever you listen to podcasts. Uh, we appreciate every single thing that you guys are doing to support the show. So keep sharing it, keep listening. Really appreciate it. But with that being said, let's get into the story.
How The Headline Got Debunked
SPEAKER_00: All right, so here's what happened. Earlier this month, a research team at a publication called Cyber News discovered 30 exposed databases sitting alone. Together, those databases contained about 16 billion login credential records, URLs, usernames, passwords. For platforms like Apple, Google, Facebook, GitHub, Telegram, and according to some reports, even government platforms. They published the story. The internet did what the internet does. Within hours, it was everywhere. Password manager companies were posting on LinkedIn, calling it, and I quote, confirmed, and the largest breach in history, which is a fun thing to say when you sell password managers, but we'll let that one go. Now, here's where a little critical thinking goes a long way. 16 billion records for a planet of 8 billion people. Even if we're being generous and saying everyone has two accounts, which again is totally plausible. That means every single account credential on Earth was in this database. Every single one of them. Not one was left out. Does that sound right to you? I don't think it does. It just doesn't sound right. Um, and security researchers agreed pretty loudly. The SANS Institute, one of the most respected cybersecurity research organizations out there, said none of our sources could verify this is anything new. Analysts at Recorded Future looked at sample data from the leak and confirmed most of it matched previously released password dumps. Some going back years. Rob Lee, head of research at SANS, put it plainly. Nothing for researchers to actually dig into. Just three screenshots and a very scary headline. And the guy who originally discovered the data, the researcher Cyber News credited with finding it, admitted when pressed that it was cumulative records found throughout the year. Not one breach, not one event, a collection of stuff that had been floating around the internet for a long time, briefly all sitting in one place.
One analyst called it, and this is my favorite quote of the week, a recycled inflated data set to generate fear. He called it a fear set. Google came out and said the issue did not stem from a breach of their systems. Apple didn't comment, which is a classic Apple move, honestly. So headline overblown, debunked. Are we good? Not even close. Because here's where it gets interesting.
Infostealers: The Real Threat
SPEAKER_00: The reason those 16 billion records exist, recycled, repackaged, or otherwise, is because of something called infostealer malware. And if you've never heard the term before, buckle up. Because by the time this episode is over, you are going to think about every single time you type a password into your computer. An infostealer is exactly what it sounds like. It's malware, malicious software, specifically designed to do one thing. Quietly steal your credentials and send them to criminals. Not lock your files, not crash your computer, not do anything dramatic that would make you realize something is wrong. It just silently grabs everything and leaves. Sneaky. Your saved passwords in Chrome, your session cookies, your credit card autofill data, your crypto wallet files, your VPN credentials, screenshots of your screen, whatever's in your clipboard. All of it. Packaged into a file called a stealer log. Sent to a criminal server, done, gone. You have no idea it happened. IBM's security team described it perfectly. They said infostealers are breaking in without breaking anything. There's no ransomware note, no system crash, no angry skull on your screen, just a quiet little program that visited your computer, took what it needed, and disappeared into your network traffic like it was never there. Now, how does it get on your device in the first place?
How Devices Get Infected
SPEAKER_00: Glad you asked. Because that part is going to make you rethink some of your habits. Phishing emails, yes, still, forever. Phishing emails are never going away. They're getting so much better at impersonating real companies that the old "just look for typos" advice doesn't cut it anymore. Fake software downloads: you want a cracked version of Photoshop. You search for it, you find a site, you download it. Congratulations. You also downloaded Lumma Stealer. Lumma, which we'll get to, was one of the most prolific infostealers of 2025. And it spread heavily through game cheats and pirated software. So if anyone in your house is downloading cracked games, hi parents, that's a vector. Malicious ads in search results: you search something like Notepad download. That's a free text editor, totally normal, normal thing to search. A sponsored result at the top of the page looks completely legitimate. It's not, though. The installer you downloaded contains malware. This is called malvertising, and it is disturbingly common. And my personal favorite, the fake captcha trick. You land on a page, it tells you to prove you're human by completing a captcha, except the captcha instructs you to open the Windows Run dialog. More like, gotcha. That's Win plus R on your Windows keyboard, and paste a command into it. The command is the malware. You ran it yourself, you verified your own infection. I want to sit with that for just a second. The attack is convincing you to run it yourself. While you're trying to prove you're a human, that is a level of irony that I genuinely respect. Diabolical, but you have to respect the commandment. It's crazy.
Session Cookies Beat MFA
SPEAKER_00: Okay, so you're a responsible person. Let's just assume. You turned on two-factor authentication, you get the little code on your phone, you feel protected. I don't want to ruin your day, but I kind of have to ruin your day. Infostealers don't steal your password and then try to log in and trigger MFA. They steal something called a session cookie, and that's a very different problem. Here's how it works: you log into your bank, you enter your password, you approve the MFA prompt on your phone, the bank server goes, Great, it's you, and sends your browser a session cookie. A little token that essentially says, this browser is already authenticated. You don't need to check again. Your browser stores that cookie locally. The attacker uses the cookie to continue your session from their device, from anywhere in the world. And from that server's perspective, it still looks like you. No password needed, no MFA prompt triggered, no second chance to catch it. You authenticated, they inherited the session. It's over from there. This is why the Snowflake campaign, if you listened to our Shiny Hunters episode, you know this one, was able to hit 160 companies through accounts that did have MFA enabled in some cases. The credentials and session tokens were bought from infostealer marketplaces. The front door was already unlocked before the attack even started.
The Numbers That Actually Matter
SPEAKER_00: Alright, let's talk about real numbers for a second. Not the 16 billion recycled fear set, but the actual numbers. In 2025 alone, infostealer malware stole 1.8 billion credentials from roughly 5.8 million infected devices. That's not a typo. 1.8 billion in one year. That represents an 800% increase over recent years. 54% of ransomware victims, more than half, had had their domain credentials show up in an infostealer marketplace before the ransom attack even hit. Meaning the infostealer infection came first, the credentials got sold, and then a ransomware crew bought them and deployed the attack. The time between when credentials are stolen and when they're used, sometimes under 48 hours. So this one is a little scary. When stolen AWS cloud credentials were tested against live Amazon Web Services APIs, they were being used within 67 seconds of being harvested. Not 67 minutes, 67 seconds. Faster than the security alert arrived to tell anyone something was wrong. The machine is moving faster than any human can respond.
The Credential Marketplace Supply Chain
SPEAKER_00: Now, how does this economy actually work? Because it is an economy, a fully functioning, surprisingly professional underground market. When an infostealer infects your device, it packages your credentials into a stealer log, a structured file with URL, username, and password neatly organized, and it sends it to the attacker's server within minutes of infection. That log then gets listed for sale on dark web marketplaces. They operate like Amazon. Pricing tiers, customer reviews, customer support. It's unreal. I kid you not. Budget infostealers rent for about $99 a month, mid-tier, around $300, premium options for the discerning criminal on a higher budget. Your stolen credentials are on sale within 24 to 48 hours of being stolen. Corporate VPN credentials command the highest prices. Personal accounts are cheaper. Everything else has a market rate. And who's buying? Ransomware crews looking for initial access to corporate networks, fraud rings doing account takeovers, identity thieves, initial access brokers who buy credentials wholesale and resell them to other criminals at markup. This is a supply chain, people. Your password is raw material moving through it, and you are not a participant in any of this.
How Major Breaches Start
SPEAKER_00: You're just the source. Here's what I want you to take away from this episode. The layer that the 16 billion headline completely missed. Every major breach of the last two years that you've heard about started here. The Snowflake campaign, Shiny Hunters, Ticketmaster, AT&T, 160 companies. It started with credentials bought from infostealer marketplaces. The versal breach earlier this year, an OAuth supply chain compromise traced back to a Lumma Stealer infection on one employee's device, one person, one infected laptop. That was the entry point.