June 30, 2025
What happened?
Several news outlets recently reported that a data breach had exposed 16 billion login credentials. This was not a single breach but a compilation of credentials stolen by infostealers, exposed in earlier data breaches, and harvested through credential stuffing attacks; even so, it reinforces the risk posed by compromised credentials.
An infostealer is malware that steals credentials, cryptocurrency wallets, and other data from an infected device. As infostealers have become more widespread, some bad actors release massive compilations of usernames and passwords for free on platforms such as Telegram, Pastebin, and Discord in order to build a reputation within the cybercrime community.
Infostealers are just one example of malware that steals and exposes login credentials.
What does this mean for me?
It is critical, especially for firms with access to confidential and sensitive data, to adopt and maintain sound cybersecurity practices, including strong password requirements (such as screening new passwords against known compromised-credential lists) and the use of multi-factor authentication (MFA). Firms should also invest in employee training that promotes best practices and teaches employees to recognize potential red flags, such as phishing emails and suspicious downloads. Under Amended Regulation S-P, covered institutions are now required to conduct due diligence on service providers to ensure appropriate safeguards are in place to protect sensitive customer information. Firms should review their current vendor due diligence processes to confirm that the proper security practices are in place.
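As an added illustration of the password-screening control mentioned above (this is example code written for this page, not code from the original article or from any regulator or vendor), the block below checks a candidate password against a compromised-credential corpus using the k-anonymity pattern that breach-check services commonly use: only the first five hex characters of the password's SHA-1 hash leave the client, and the client compares the returned suffixes locally. The corpus, the `range_lookup` function that stands in for a real range endpoint, and the entry counts are all constructed for the example; a production deployment would call an actual breach-check service at that point.

```python
import hashlib

# Constructed stand-in for a compromised-credential corpus (a handful of
# entries; the compilations in the news hold billions). Indexed as
# uppercase SHA-1 hex, the way breach-check services usually store them.
LEAKED_PASSWORDS = ["Password123", "qwerty", "Summer2025!", "letmein"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in LEAKED_PASSWORDS}

HEX_DIGITS = set("0123456789ABCDEF")


def range_lookup(prefix: str) -> dict[str, int]:
    """Hypothetical k-anonymity range endpoint served from the local corpus.

    Takes the first 5 hex characters of a SHA-1 digest and returns every
    suffix in the corpus that shares that prefix, mapped to a (constructed)
    occurrence count. The caller never transmits the full hash or the
    plaintext password, so the service learns very little about it.
    """
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: 1 for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """Return True if the password's SHA-1 appears in the corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Only the prefix is sent; the suffix comparison happens client-side.
    return suffix in range_lookup(prefix)


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Evaluate a candidate password against a simple policy.

    Returns the list of policy failures; an empty list means the password
    is acceptable. Length and breach screening are the two checks that
    matter most against credential-stuffing and infostealer dumps.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if is_compromised(password):
        failures.append("appears in a compromised-credential corpus")
    return failures


if __name__ == "__main__":
    for candidate in ["qwerty", "Summer2025!", "a long unique passphrase 2025"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Screening against known-compromised lists is the control that directly counters credential compilations like the one described here: a password that is already in a stealer log or breach dump offers no protection no matter how complex it looks. In practice this check belongs at account creation and password change, alongside MFA enforcement, rather than as a one-time audit.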
If you have any questions or need assistance with your current vendor due diligence process, please let us know, and one of our regulatory experts will contact you soon.