Credential leaks and infostealer exposure

11 briefings

Credential leaks differ from most cyber-security risks in three ways: the compromised credential is often old, the person it belongs to is usually unaware, and the gap between theft and use can span years. Infostealer malware harvests saved passwords, session cookies and stored authentication tokens from an infected endpoint, packages them as a per-device log, and feeds that log into a tiered resale market in which a credential that grants corporate access can sell for thousands of dollars per session.

The scale is documented. By the close of 2025, researchers tracking the infostealer market counted over 8 billion active cookies in circulation, with the majority of corporate credentials appearing in plaintext. Post-incident analysis of ransomware and account-takeover cases routinely confirms that the victim's credentials had already circulated in earlier breach corpora: the entry point sat undetected in a stealer log that pre-dated the network intrusion.

These briefings cover how infostealer families work, how the market for compromised credentials functions, how a stolen credential translates into account compromise and lateral movement, and what investigation and detection approaches actually reduce the risk. The coverage is practitioner-level: it addresses the mechanics of the attack, not the compliance language that describes it after the fact.
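A worked triage example, added here and not code from this hub or from any of the briefings below. Given a stealer log bundle, the practical questions are which corporate accounts need a password reset, which session cookies may still be valid and must be revoked server-side, and where one password has been saved for several sites. The script parses two constructed inputs modelled on common stealer output, a passwords dump of URL/USER/PASS blocks and a cookie file in Netscape format; the organisation domains, identity-provider domains, sample accounts and reference time are all assumptions, and real logs vary enough that the parsers should be treated as a starting point rather than a specification.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample (not a real log): a passwords dump in the
# URL/USER/PASS block form many stealer families write.
PASSWORDS_TXT = """\
URL: https://login.microsoftonline.com/
USER: j.doe@acme.example
PASS: Summer2025!
===============
URL: https://www.reddit.com/login
USER: jdoe_gaming
PASS: hunter2
===============
URL: https://vpn.acme.example/remote/login
USER: acme\\j.doe
PASS: Summer2025!
"""

# Constructed sample: Netscape cookie-file lines (domain, subdomain flag,
# path, secure flag, expiry epoch, name, value); values are placeholders.
COOKIES_TXT = """\
# Netscape HTTP Cookie File
.okta.acme.example\tTRUE\t/\tTRUE\t1800000000\tsid\tdeadbeef01
login.microsoftonline.com\tFALSE\t/\tTRUE\t1600000000\tESTSAUTH\texpired00
.reddit.com\tTRUE\t/\tTRUE\t1800000000\treddit_session\tnotours00
"""

ORG_DOMAINS = ("acme.example",)                     # assumption: domains the org owns
IDP_DOMAINS = ("microsoftonline.com", "okta.com")   # assumption: IdPs the org uses

# Stealer families label fields differently; normalise the common variants.
KEY_ALIASES = {"URL": "URL", "HOST": "URL", "USER": "USER", "USERNAME": "USER",
               "LOGIN": "USER", "PASS": "PASS", "PASSWORD": "PASS"}
_KV = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.*)$")

@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str

@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    expires: int  # unix epoch seconds; 0 means a browser-session cookie

@dataclass
class Triage:
    reset: list             # corporate credentials to rotate
    revoke: list            # session cookies that may still be valid
    reused_passwords: dict  # password -> hosts it was saved for

def parse_passwords(text: str) -> list:
    """Collect URL/USER/PASS triples; a block ends at a blank or '====' line."""
    creds, block = [], {}
    for line in text.splitlines() + [""]:  # sentinel flushes the last block
        m = _KV.match(line)
        if m and m.group(1).upper() in KEY_ALIASES:
            block[KEY_ALIASES[m.group(1).upper()]] = m.group(2).strip()
        elif block and (not line.strip() or set(line.strip()) == {"="}):
            if {"URL", "USER", "PASS"} <= block.keys():
                creds.append(Credential(block["URL"], block["USER"], block["PASS"]))
            block = {}
    return creds

def parse_cookies(text: str) -> list:
    """Parse Netscape-format cookie lines, skipping comments and malformed rows."""
    cookies = []
    for line in text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != 7:
            continue
        domain, _, _, _, expires, name, _ = parts
        cookies.append(Cookie(domain.lstrip(".").lower(), name, int(expires or 0)))
    return cookies

def in_scope(host: str, domains: tuple) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(passwords_txt: str, cookies_txt: str, now: int) -> Triage:
    creds = parse_passwords(passwords_txt)
    scope = ORG_DOMAINS + IDP_DOMAINS
    reset = [c for c in creds
             if in_scope(urlparse(c.url).hostname or "", scope)
             or in_scope(c.user.rpartition("@")[2], ORG_DOMAINS)]
    # An unexpired cookie for an org or IdP domain is a live session: a password
    # reset does not invalidate it, so it has to be revoked server-side.
    revoke = [k for k in parse_cookies(cookies_txt)
              if in_scope(k.domain, scope) and (k.expires == 0 or k.expires > now)]
    by_pw = {}
    for c in creds:
        by_pw.setdefault(c.password, []).append(urlparse(c.url).hostname or "")
    reused = {pw: hosts for pw, hosts in by_pw.items() if len(hosts) > 1}
    return Triage(reset, revoke, reused)

if __name__ == "__main__":
    t = triage(PASSWORDS_TXT, COOKIES_TXT, now=1700000000)  # fixed reference time
    for c in t.reset:
        print(f"RESET   {c.user} ({urlparse(c.url).hostname})")
    for k in t.revoke:
        print(f"REVOKE  {k.name} on {k.domain} (expires {k.expires})")
    for pw, hosts in t.reused_passwords.items():
        print(f"REUSED  same password saved for {', '.join(hosts)}")
```

The expiry check runs against a fixed reference time so the output is reproducible; in practice pass the current epoch. The reset and revoke lists are kept separate on purpose: rotating a password does nothing for a session cookie that is still accepted by the identity provider, which is the gap the briefings below on stealer logs and dark web monitoring return to. An expired cookie is still worth recording, since its expiry dates the infection.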

All briefings in this hub

ANALYSIS

From Gamble to Calculation: How Your Exposure Decides Who Gets Attacked

An intrusion told backwards from a single email address, and why a findable digital footprint turns a target from a gamble an attacker takes into a calculation they can run.

11 min · 25 May 2026

ANALYSIS

Ransomware Negotiation: Four Response Modes Law Firms Have Actually Used

What the HWLE court record and four leaked transcripts reveal about how ransomware operators negotiate with law firms, and the four ways firms have actually responded when a ransom demand lands.

16 min · 20 May 2026

ANALYSIS

How Modern Infostealers Work: Execution, Telemetry, and the 2026 Log Economy

How RedLine, Lumma, and Vidar execute on the host, what they harvest, what is visible on the wire, and how stolen credentials flow through 2026 log markets.

17 min · 10 May 2026

METHOD

How a Lockdown Investigation Runs

The Lockdown is the credential-and-account-takeover tier of our investigation work. Five business days, fixed €995, the full Mirror foundation plus seven Lockdown-specific deliverables. This article walks the methodology stage by stage: discovery, cross-reference, verification, report.

14 min · 6 May 2026

ANALYSIS

How Crypto Anonymity Breaks at the Endpoint

Crypto privacy was designed against chain analysis, not against the endpoint. The Fowler 2026 database showed why that gap is now the dominant threat.

13 min · 3 May 2026

GUIDE

Dark Web Monitoring: What It Actually Does and When It’s Worth Paying For

What dark web monitoring actually catches, what it misses on stealer logs and live session cookies, and when bundled, standalone, or human-led options each make sense.

18 min · 27 Apr 2026

INTEL

Stealer Logs: Inside The Credential Market HIBP Doesn't See

Stealer logs are the credential exposure vector most organisations cannot see: per-device snapshots containing passwords and live session cookies, sold in underground markets within hours of infection.

11 min · 20 Apr 2026

INTEL

Odido: One Month After Disclosure, the Breach Is Still Expanding

One month after Odido disclosed the breach, every dimension has escalated. The full dataset is public. Ministers and protected persons are in it. Former customers who left a decade ago are in it. And the fraud is doubling.

8 min · 13 Mar 2026

INTEL

The Odido Breach: 30 Days of Criminal Activity, Documented

The Odido breach was confirmed February 12. Within 19 days, the full dataset was published on criminal infrastructure. Within 20 days, active phishing campaigns were running. This is not a prediction; it is a documented sequence.

7 min · 10 Mar 2026

ANALYSIS

Bypassed: How Voice Cloning, Virtual Cameras, and Real-Time Interception Defeated the Controls Everyone Trusted

MFA was supposed to solve password theft. KYC was supposed to solve identity fraud. Both assumptions are now broken, defeated not by nation-states but by criminal groups using free software, breach data as raw material, and OSINT to source every component.

10 min · 6 Mar 2026

INTEL

Odido Breach: How ShinyHunters Stole 6.2M Records

ShinyHunters is publishing stolen Odido customer data daily: names, IBANs, ID numbers, sensitive account notes. The attack used a phone call, not a zero-day. Here is exactly how it unfolded.

7 min · 27 Feb 2026

If your credentials might already be circulating, a Lockdown investigation maps the exposure.

See The Lockdown