Secrets of Privacy

Strong Passwords Won't Save You From This

A type of malware called an infostealer can silently copy every password and login session saved in your browser. Here's what it is, how to check if you've been hit, and what to do about it.

Secrets of Privacy
Jul 01, 2026
∙ Paid

You’re watching a YouTube tutorial on how to do something on your computer. The video description has a link to download the tool being demonstrated. You click it, the file installs, everything looks normal.

Except a small program is now running quietly in the background, copying every password your browser has saved, every autofill entry with your name, address, and phone number, every active login session for your email, your bank, your social media accounts. Within minutes it packages all of that up and sends it somewhere else.

This is called an infostealer, and it’s become one of the more common tools in the cybercrime economy.

What’s Actually Happening

To be honest, this isn’t a new category of malware. Keyloggers and spyware have existed for decades. What’s changed is what the current generation is built to grab and how easy it’s become to deploy.

Think about everything sitting in your browser right now.

  • Saved passwords for dozens of sites.

  • Credit card numbers you told Chrome to remember.

  • The “stay logged in” cookies for your Gmail, your bank, your Amazon account.

  • Autofill data with your home address and phone number.

An infostealer copies all of that and sends it to whoever deployed the malware. The targets include session cookies, which let an attacker into your accounts without needing your password or your two-factor code, because the session is already authenticated. That’s the part old-school keyloggers mostly couldn’t touch.
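A stolen session cookie is replayed from the attacker's machine, so the same session id starts appearing from a different country or client than the one it was issued to. The detector below, an added example rather than anything from the article, walks constructed server-side access records (the log format, field names and values are my own) and flags session ids whose later use does not match the client that first presented them.

```python
import re

# Constructed sample access records (not from the article): timestamp,
# session id, client country and user agent, one request per line.
SAMPLE_LOG = """\
2026-06-30T08:02:11Z sid=a1f3 country=US ua="Chrome/137 Windows"
2026-06-30T08:05:40Z sid=a1f3 country=US ua="Chrome/137 Windows"
2026-06-30T09:10:02Z sid=b7c9 country=DE ua="Firefox/140 Linux"
2026-06-30T09:12:55Z sid=a1f3 country=NL ua="Chrome/137 Windows"
2026-06-30T09:14:03Z sid=a1f3 country=NL ua="python-requests/2.32"
2026-06-30T09:30:00Z sid=b7c9 country=DE ua="Firefox/140 Linux"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) country=(?P<cc>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse records into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_replayed_sessions(events):
    """Return {sid: {"first_anomaly": ts, "reasons": [...]}} for every session id
    later used from a country or user agent different from the first request
    that carried it. A replayed cookie keeps the sid but changes the client."""
    first_seen, flagged = {}, {}
    for ev in events:
        base = first_seen.setdefault(ev["sid"], ev)
        if base is ev:          # first sighting of this session id
            continue
        reasons = set()
        if ev["cc"] != base["cc"]:
            reasons.add("country")
        if ev["ua"] != base["ua"]:
            reasons.add("user_agent")
        if reasons:
            entry = flagged.setdefault(ev["sid"], {"first_anomaly": ev["ts"], "reasons": set()})
            entry["reasons"] |= reasons
    return {sid: {"first_anomaly": e["first_anomaly"], "reasons": sorted(e["reasons"])}
            for sid, e in flagged.items()}


if __name__ == "__main__":
    for sid, info in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        print(sid, info)
```

A country or user-agent change is a signal, not proof (travel and VPNs cause both), so the usual response is to require re-authentication for the flagged session rather than silently dropping it.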

The browser is the main target, but not the only one. Infostealers also go after standalone applications like VPN clients and email clients, and cryptocurrency wallets get particular attention, with the malware scanning for wallet files and browser extensions to extract private keys. Some variants pull session data from Telegram, Signal, and Discord, and take screenshots while they’re at it.

Distribution has changed too. The most common infostealers are now rented out as subscription services, so whoever runs the campaign doesn’t need to write any code. They rent access, point it at a phishing email or a fake download page, and start collecting. What comes back gets sold as a “log,” often for just a few dollars, on dark web marketplaces and Telegram channels.

What sets this apart from most malware you’ve heard about is that it doesn’t announce itself. Ransomware locks your files and demands payment, so you know immediately something is wrong. An infostealer just sits there collecting data in the background. Devices can stay infected for a long time before anyone notices, because nothing about how the computer behaves actually changes.

One more thing worth knowing if you use Chrome. Google is in the process of fully disabling older ad blocker extensions like uBlock Origin, with less capable replacements taking their place. Ad blockers are one of the recommended defenses against malicious ads that deliver malware through drive-by downloads, so if yours stopped working recently and you haven’t replaced it, that’s one more opening that wasn’t there before.

This Isn’t Fringe

Verizon’s 2025 Data Breach Investigations Report examined infostealer logs being actively traded by criminals. They found that 30% of the compromised devices in those logs were enterprise machines, but 46% of the devices with corporate logins on them were personal, unmanaged devices.

So nearly half the devices containing work credentials were people’s personal laptops. Not because anyone hacked a company network. Because someone’s home computer got infected, and that computer happened to have both a Netflix password and a work email saved in the same browser.

The connection to bigger attacks is clear when you look at the data.

54% of ransomware victims in 2024 had their credentials show up in infostealer logs before the ransomware attack happened. The infostealer isn’t really a separate problem from ransomware. It’s often the step that happens first, quietly, weeks or months before anything visible goes wrong.

Earlier this year, a security researcher found an unsecured database containing 149 million stolen passwords, along with tens of millions of Gmail and Instagram account credentials sitting openly accessible online. Researchers pointed to infostealers as one likely source for data like this getting compiled and exposed at that scale.

My Take

The standard recommendation is “use a password manager and enable two-factor authentication”. That’s good advice, but it assumes the threat is someone guessing or cracking your password. Infostealers don’t guess anything. They read what’s already sitting on your machine, including the session cookies that let attackers into your accounts without needing a password or a 2FA code at all.

While a password manager helps, it doesn’t fully solve this. And if you’re using the password-saving feature built into Chrome or Safari rather than a dedicated manager, you may be more exposed than you realize, since browser-stored passwords are one of the specific things this malware looks for. More on that below.

“Is my password strong” is the wrong question when it comes to this type of threat. The better one is “what is my browser storing right now, and would I notice if a stranger had a live copy of it.”

I think this threat gets more attention over the next year or two, mostly because it keeps showing up as the silent first step behind bigger breaches that eventually do make headlines. A lot of people will hear about infostealers for the first time when their bank flags a login from a country they’ve never visited.

The Good News

There’s a free tool that tells you whether your email has shown up in a stealer log. Go to haveibeenpwned.com, the same breach-checking site you may already know, and enter your email. The basic search has always been free and stays that way.

Stealer logs show up in your results as a named breach, something like “Stealer Logs, Jan 2025” or “Data Troll Stealer Logs.” If you see one of those in your list, that’s your answer. Click into it and HIBP’s description explains what a stealer log is and roughly when it was collected.

What the free check won’t tell you is which specific sites your credentials were captured against. Seeing the exact domains, your bank, your email provider, whatever it was, requires a paid HIBP subscription and its API. The free version confirms you were caught up in one. It doesn’t hand you the full breakdown.

That’s still useful on its own, and it takes about thirty seconds to check.
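The same question can be answered from the HIBP v3 API for an address you own, which is where the paid subscription comes in. The script below is an added example, not the article's or HIBP's code; it assumes the breach model's IsStealerLog flag (I treat that field as an assumption and fall back to the entry title when it is absent), and the sample response is constructed, not real data.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample shaped like the HIBP v3 breachedaccount response (not real data).
SAMPLE_RESPONSE = json.dumps([
    {"Name": "ExampleForum", "Title": "Example Forum", "Domain": "example-forum.test",
     "BreachDate": "2019-03-04", "DataClasses": ["Email addresses", "Passwords"],
     "IsStealerLog": False},
    {"Name": "StealerLogsJan2025", "Title": "Stealer Logs, Jan 2025", "Domain": "",
     "BreachDate": "2025-01-01", "DataClasses": ["Email addresses", "Passwords"],
     "IsStealerLog": True},
])


def is_stealer_log(breach):
    """True when HIBP marks the entry as a stealer log. Falls back to the title
    for responses without the IsStealerLog field (assumed field name)."""
    if breach.get("IsStealerLog") is not None:
        return bool(breach["IsStealerLog"])
    return "stealer log" in breach.get("Title", "").lower()


def triage(breaches):
    """Separate stealer logs (your device was infected) from ordinary site
    breaches (a third party was breached); the two need different responses."""
    stealer = [b["Name"] for b in breaches if is_stealer_log(b)]
    site = [b["Name"] for b in breaches if not is_stealer_log(b)]
    return {"stealer_logs": stealer, "site_breaches": site,
            "device_likely_infected": bool(stealer)}


def triage_sample():
    """Run the triage over the constructed sample (no network needed)."""
    return triage(json.loads(SAMPLE_RESPONSE))


def fetch_breaches(email, api_key):
    """Live lookup against HIBP v3; needs a paid API key and network access."""
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           f"{urllib.parse.quote(email)}?truncateResponse=false")
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key,
                                               "user-agent": "stealer-log-triage-example"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:      # HIBP answers 404 when the address is in no breach
            return []
        raise
```

The live endpoint only lists breaches; the per-domain breakdown the article mentions is a separate paid feature and is not queried here.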

The harder part is what to do next, because changing your passwords alone doesn’t fix this. If the malware is still active on your device, it will simply capture your new passwords too. And if you’re using a browser-based password manager, the exposure runs deeper than most people expect.

The Check, Step by Step
