KELA tracks 2.9B compromised credentials

Credential theft is now the center of gravity in cybercrime. That is the real story here — not just a giant scary number, but a shift in how attacks start. KELA said on April 29 that it tracked 2.86 billion compromised credentials across the cybercrime ecosystem during 2025, and it framed stolen identities as the main fuel for everything from account takeover to ransomware. The big change is that attackers do not need to smash through the perimeter if they can just sign in. (kelacyber.com) ### What counts as a “compromised credential”? Basically, this is not one neat pile of username-password pairs from one breach. KELA’s total rolls up credentials seen across infostealer logs, leaked databases, combo lists, criminal marketplaces, and other attacker infrastructure. That matters because the 2.86 billion figure is about the broader underground supply of stolen access — not only direct malware theft on a single device. (kelacyber.com) ### Why are infostealers the key piece? Infostealers are lightweight malware built to vacuum up logins, cookies, autofill data, and sometimes crypto wallets from infected machines. KELA said it observed about 3.9 million unique machines infected in 2025, producing 347.5 million compromised credentials from those infections alone. So the direct malware haul is huge by its(kelacyber.com)buted. (forbes.com) ### Why is the total so much bigger than 347.5 million? Because the underground economy multiplies everything. One infected laptop can spill credentials into logs, then into curated lists, then into marketplace listings, then into private broker channels. The same access can circulate for weeks or months. KELA’s earlier infoste(forbes.com)le URL-login-password lists that make reuse easy. (info.ke-la.com) ### Why do defenders care so much about identity now? Because valid logins bypass a lot of the old tripwires. KELA said business cloud and authentication services accounted for more than 30% of all exposed data in 2025. That is the nightmare scenario for security teams — if the stolen data opens Microsoft 365, Okta-style identity layers, VPNs, admin panels, or remote access tools, the attacker can look like a normal user at first. (manilatimes.net) ### How does this connect to ransomware? Turns out ransomware crews increasingly buy or reuse access instead of doing the noisy initial intrusion work themselves. KELA paired the credential story with a 45% rise in ransomware victims in 2025, ar(manilatimes.net)post. (manilatimes.net) ### Is this just a Windows problem? No — and that is one of the nastier details in the report cycle around this release. Coverage of KELA’s findings highlighted a 7,000% jump in macOS infostealer infections, which undercuts the old idea that Apple devices sit outside the main credential-theft economy. The platform matters less when the target is the browser session, the password vault, or the authentication cookie. (forbes.com) ### What should companies take from this? The practical takeaway is boring but urgent. Harden identity first. Push phishing-resistant MFA, shorten session lifetimes, watch for impossible travel and fresh-device logins, lock down privileged accounts, and treat unmanaged personal machines as a real corporate risk. KELA’s earlier (forbes.com)ough side doors. (info.ke-la.com) ### Bottom line? The 2.86 billion number is eye-catching, but the deeper point is simpler: cybercrime is organizing around stolen access. If attackers can buy a login, the perimeter stops being the front door. (kelacyber.com)