Daorde
cabacas pra todos e lerxes pra ninguén
Language
GL ES EN
Theme

The Credential Economy

How stolen credentials became a tradeable commodity, and why the cost falls hardest on people with the least protection.

Authorship
Daorde Collective
Date
Read time
6 min
Identity cards, keys, and access tokens move along a market conveyor above an exposed person.

Sixteen billion rows in a rubbish heap

In June 2025, a headline travelled faster than the facts beneath it: 16 billion credentials had been exposed. The number was real in a narrow sense and misleading in most others. Nobody had cracked open a vault containing 16 billion unique, current accounts. The collections had been assembled from many sources and almost certainly contained old records and duplicates. Associated Press made that caveat explicit.

A rubbish heap does not become harmless because some of the rubbish is duplicated. Mixed into those collections were passwords, email addresses, cookies and sessions that could still open something valuable. The record was never the interesting part. The interesting part was an industry able to gather the digital remains of millions of people over years, sort them, and put them back to work.

A large corporate breach has a date, a company name and somebody paid to speak to the press. Theft by infostealer is untidier. It happens one laptop at a time: on the family computer also used to send invoices, on the personal machine somebody uses to reach the office VPN, on hardware that has missed updates because replacing it costs money. The harm is scattered. The business built from it is not.

Turning a computer into a lot for sale

RedLine, Raccoon, Vidar, Lumma and Stealc are brands in a catalogue that changes without altering the product very much. The program arrives inside cracked software, a fake update, a malicious advert or an attachment. It inventories the machine and takes whatever it can reach: browser passwords, autofill records, wallets, application tokens and cookies.

The cookie matters because it exposes the limits of standard security advice. After a successful login, a service gives the browser temporary proof that authentication has already happened. That is how it avoids asking for a password and second factor on every click. If a thief copies that proof and the server accepts it, the thief can inherit an authenticated session. The victim had MFA. The attacker arrived after MFA.

Browser vendors make this theft harder; malware developers adapt. Vidar 2.0, for example, added techniques aimed at Chrome’s App-Bound Encryption. The sequence tells us what we need to know. A defence exists, stolen sessions retain value, and somebody funds the work required to bypass it. This is not a collection of pranks or a morality play about careless users. It has investment, maintenance and customers.

Once collection finishes, the operator packages the infected computer as a lot. Its log contains location, installed software, visited domains and available access. Another criminal can search thousands of lots for somebody who has logged into a bank, a crypto exchange, Microsoft 365 or a corporate network. A digital life has become a filterable inventory.

SaaS for stealing sessions

Parts of this market have the dreary administrative normality of ordinary business software: monthly licences, dashboards, releases, documentation and support. One group develops the stealer. Customers distribute it. Other specialists buy the logs or the initial access and continue with fraud, espionage or ransomware. That division of labour lowers the knowledge required to enter the trade and lets each participant attempt more attacks at a lower cost.

The price of a record tells us what the buyer wants. An old password for an abandoned forum is nearly worthless. A fresh administrator cookie, an inbox that receives invoices or working VPN access lets the buyer attack an organisation from behind an identity it already trusts. The market is not buying characters in a text file. It is buying the power to act as somebody else inside an existing relationship.

Verizon’s 2025 Data Breach Investigations Report found corporate credentials in compromised devices, including unmanaged ones. That is hardly exotic. Many employers tolerate or require staff to use personal phones, computers and connections for work. The company saves money on hardware and support, while its security boundary ends up on a machine it does not maintain. When that boundary fails, a private saving returns as a shared risk.

Personal advice has a hard limit

People should use password managers, enable MFA and prefer passkeys where they are implemented properly. They should be wary of dubious executables and keep systems current. None of that is useless. What is useless is pretending those steps exhaust the explanation.

Somebody can behave reasonably and still lose a session. They may use the only computer available because their employer has not provided another. After a ten-hour shift, a convincing fake update can look like a routine task. Security that depends on indefinite, perfect attention is broken before the user arrives.

Platforms decide how long sessions live, which signals trigger authentication again and how quickly a compromised account can be recovered. Employers decide whether to issue managed equipment, separate privileged access and investigate unusual activity. Manufacturers decide how long a device receives patches. Reducing all of this to “do not reuse passwords” removes the people who designed the environment and continue to profit from it.

Protection has a class structure

A large company can deploy endpoint detection, revoke tokens centrally, restrict privileges, record access, manage devices and retain an incident-response team. It will still be breached. It does, however, employ people to find the breach and has money to recover.

A small accountancy practice holds payroll records, tax returns and client data in many of the same services, on a completely different budget. It may depend on one person who repairs printers, renews certificates and answers when “email is acting strange”. At home, the entire defence may be the bundled antivirus, automatic updates and whatever attention remains after paid work and care work. The digital exposure is similar; the capacity to contain it is not.

That is the division of labour hidden by the word cybersecurity. Some organisations buy prevention, monitoring and response. Others buy an insurance policy. Most individuals are assigned responsibility without control over the systems on which they depend. If those systems fail, they are assigned a lecture as well.

The commodity is a relationship

A credential matters because it represents something social: permission to pay an invoice, read a mailbox, approve a change, inspect a medical record or enter a network. The thief monetises trust that an institution placed in another person. That is why the most valuable product can be a boring session nobody thinks to revoke for several days.

A serious response has to follow that chain. Sessions can be shorter and bound more tightly to devices; revocation can be faster; work access can be separated; maintained equipment can be funded; activity incompatible with a user’s normal behaviour can trigger checks. Providers and employers should also carry the cost of decisions they control. Training helps. Making the last user carry all the blame mostly helps the legal department.

Sixteen billion records drew attention because the number was enormous. The machinery that produced them matters more: personal computers turned into mines, access bundled into lots and trust converted into a tradeable asset. As long as digitalisation means mandatory dependence with privately rationed protection, this market will find stock. We keep supplying it.