Reports Show 26M Passwords Stolen Between 2018 and 2020

Data was stolen using an unknown type of malware

New research has discovered a massive database of 26 million stolen login credentials, as well as 1.1 million unique email addresses and 6.6 million files.

NordLocker reported the stolen data on Wednesday, noting that it also contained over 2 billion browser cookies. According to Ars Technica, all of the data from the 1.2-terabyte database appears to have been extracted from over 3 million PCs between 2018 and 2020. 

NordLocker has been unable to determine exactly which malware was used to gather the data. "Just like with hurricanes, experts love naming dangerous malware. But computer viruses don’t have to have names to be capable of stealing lots of data. The truth is, anyone can get their hands on custom malware. It’s cheap, customizable, and can be found all over the web," the researchers wrote.

The data that malware steals can vary depending on the type of virus that has been built, NordLocker says. Included in the breach were over 1 million images, 650,000 Word and PDF files, and data from games, messaging apps, and file-sharing systems.

NordLocker also says that the malware took a screenshot of the desktop when it infected a computer, as well as a photo using the computer’s webcam—if one was installed.

With cybercrime expected to cost the world $10.5 trillion each year by 2025, protecting yourself from malware is important. NordLocker recommends clearing out your browser cookies often and using a password manager that can store your credentials more reliably and safely.

The company also suggests encrypting files, so malware can’t access them. In addition, users should avoid peer-to-peer networks when possible, and only download software and apps directly from the developer's website or well-known storefronts.

People worried their data might be included in the breach can check the website Have I Been Pwned, which allows you to enter an email or phone number. It will then tell you if your data has appeared in any breaches, including this most recent find.
