Credential Theft Is Surging. Is Your Business Protected?

A recent wave of large-scale data theft campaigns has exposed a pattern that keeps recurring in breach after breach: organizations that let employees log in to business systems with just a username and password. Infostealer malware is quietly harvesting credentials from millions of devices, and those stolen passwords are being sold on the dark web and used months or even years later. MFA is the single most effective control for making stolen credentials useless. This post explains how the threat works and what enforcing MFA actually looks like in a small business.

What would happen if someone tried to log into your business systems using a password that one of your employees set two years ago and hasn’t thought about since?

Not a password they’re actively using. Not one they’d even remember changing. Just an old credential that was saved in a browser, never rotated, and sitting quietly in the background.

That exact scenario plays out in real attacks every day. And in most cases, it works.

Cybersecurity researchers have been tracking a pattern of large-scale credential theft campaigns in which sensitive business data from organizations across dozens of industries and countries is quietly collected and later sold on the dark web. The common thread across nearly all of them: employees logging into cloud systems with a single username and password and no second factor required.

Understanding why this keeps happening, and how to stop it, starts with a piece of malware most small business owners haven’t heard of.

What Infostealer Malware Actually Does

Most people picture a cyberattack as something dramatic, a hacker trying to force their way through a firewall, triggering alerts, getting blocked. Infostealer malware works nothing like that.

Once it lands on a device, it sits quietly in the background and does one thing: it collects. Saved browser passwords. Stored login credentials. Session cookies. Autocomplete data. Everything a browser has ever been asked to remember. Then it sends that data back to the attacker without making a sound.

The device’s user typically has no idea anything happened. The malware doesn’t lock files, doesn’t display a message, doesn’t disrupt anything. It just harvests and exits.

According to research tracking infostealer activity, these programs stole 1.8 billion credentials from 5.8 million devices in 2025 alone, representing an 800% increase over recent years. The stolen data is packaged into searchable logs and sold on dark web marketplaces, often for very little money. Buyers, frequently ransomware operators and other criminal groups, then use those credentials to access business systems weeks or months after the original theft.

This is the part that catches people off guard. The infection may have happened on a personal laptop a year ago. The employee who got infected may not even work for the company anymore. But if those credentials were still valid, the door is still open.

Verizon’s 2025 Data Breach Investigations Report found that 54% of victims listed on ransomware extortion sites had their domain credentials appear in infostealer logs before the attack. In most of those cases, the attacker didn’t break in. They logged in.

Why a Stolen Password on Its Own Isn’t Enough for an Attacker When MFA Is in Place

Multi-factor authentication means requiring more than just a password to get into an account. The second factor is typically something the attacker can’t get from a stolen credential log: a code from an authenticator app, a push notification approved on a trusted device, a hardware key, or a biometric confirmation.

Even if an attacker has a valid username and password, they can’t complete the login without that second factor. The credential is useless on its own.
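To make the mechanism concrete, here is an added example (not code from the original post or from any identity provider) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238) of the kind an authenticator app produces. The user record, salt, password and TOTP secret are constructed for illustration; the point is that a password lifted from a stolen credential log, with no access to the authenticator, cannot complete the login.

```python
"""Added example: password + TOTP login check (RFC 6238 TOTP implemented
inline with the standard library). All user data below is constructed."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 with a per-user salt; a real system stores only this hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALT = b"constructed-salt-0001"  # constructed; use os.urandom() per user in practice
USERS = {
    "alice@example.com": {
        "pw_hash": _hash_password("Winter2023!", _SALT),  # constructed sample password
        "salt": _SALT,
        "totp_secret": "JBSWY3DPEHPK3PXP",  # constructed base32 secret, as an authenticator app stores it
        "mfa_enforced": True,
    }
}


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + drift * 30), code):
            return True
    return False


def login(username: str, password: str, otp: Optional[str], now: Optional[int] = None) -> str:
    """Return an internal outcome: 'ok', 'bad_password', 'mfa_required' or 'bad_otp'.
    These distinct values are for server-side logging; the message shown to the
    user should stay generic so it does not reveal which factor failed."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return "bad_password"  # same outcome as a wrong password: don't confirm the account exists
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return "bad_password"
    if not user["mfa_enforced"]:
        return "ok"  # the "just a password" gap this post is about
    if otp is None:
        return "mfa_required"  # stolen password alone stops here
    if not verify_totp(user["totp_secret"], otp, now):
        return "bad_otp"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    # Attacker replaying a password from a stolen log, with no authenticator:
    print("stolen password only:", login("alice@example.com", "Winter2023!", None, now))
    # Legitimate user reading the code from their authenticator app:
    print("password + TOTP:", login("alice@example.com", "Winter2023!",
                                    totp(USERS["alice@example.com"]["totp_secret"], now), now))
```

Flipping `mfa_enforced` to `False` on the sample record reproduces the password-only outcome the post describes: the stolen password is accepted on its own.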

Microsoft has reported that more than 99.9% of compromised accounts did not have MFA enabled. That number tells a clear story. Accounts with MFA get attacked far less often, because attackers know the stolen credential alone won’t get them in. They move on to easier targets.

For small businesses, this matters enormously. You don’t need to be a high-profile target to end up in an infostealer log. These tools don’t discriminate by company size or industry. They run on devices that connect to business systems, which means a single employee working from a personal laptop that got infected months ago can become the entry point for a breach today.

Our cybersecurity consulting services regularly include a review of authentication controls as one of the first things we look at, because it’s consistently where the most preventable risk lives.

The “Just a Password” Problem Is Bigger Than It Looks

When business owners think about the risk of password-only logins, they usually picture a current employee with a weak password. The infostealer threat is more complicated than that.

Credentials get stolen from personal devices as often as work devices. The Verizon DBIR found that 46% of compromised systems identified in infostealer logs were non-managed devices, typically personal laptops or home computers where employees had logged into work systems at some point. Those devices may have no security software. They’re not managed by IT. And the credentials stored on them don’t expire just because the employee stops using that device.

Consider what that means in practice. An employee uses their personal laptop to log into a company cloud app from home. At some point, that laptop picks up infostealer malware through a malicious browser extension or a compromised download. The malware quietly collects the saved credentials and sends them out. The employee never notices. The company never knows.

Six months later, someone buys that credential log on the dark web and tries the login. If MFA isn’t enforced, they’re in.

This is what security researchers mean when they describe a “latency” problem with stolen credentials. The infection and the attack can be completely separated in time. Old passwords don’t expire on their own. They stay valid until someone explicitly invalidates them or until MFA makes them irrelevant.

What Enforcing MFA Actually Looks Like

Saying “we have MFA” and actually enforcing it are two different things. Many businesses have MFA available for their accounts but haven’t made it mandatory. Some employees have it turned on. Others don’t. Some use it for their primary work account but not for secondary tools. The gaps are where the risk lives.

Enforcing MFA means no exceptions. Every account that touches business systems requires a second factor to log in, and there is no fallback option that bypasses it.

Where to start:

Admin accounts come first. These are the highest-value targets because compromising an admin account gives an attacker access to everything else. Every admin account in your environment should have MFA enforced immediately, with no bypass options.

Remote access is next. VPN logins, remote desktop connections, and cloud app logins from outside the office are prime targets for credential-based attacks. These need MFA enforced before anything else.

All business accounts follow. Email, file storage, finance tools, CRM, HR systems: every account that holds business data or connects to business systems should require MFA.

Beyond just requiring MFA, it’s also worth reviewing which type of MFA your team is using. Standard SMS codes and push notifications are better than nothing, but they can be bypassed by sophisticated attackers. Authenticator apps and phishing-resistant methods that tie authentication to a specific device are meaningfully stronger. Our managed IT services include guidance on choosing and deploying the right MFA approach for your team’s size and tools.

The “It’s Annoying” Objection

The most common pushback to MFA enforcement is that it adds a step to the login process and some employees find it frustrating. That’s fair. It does add a moment of friction.

Here’s the comparison worth making: a few seconds of friction at login versus the discovery that business data, client records, or financial information has been quietly copied and sold, and that it happened through credentials nobody even remembered were still valid.

The friction from MFA is predictable, brief, and manageable. The friction from a breach is not.

It’s also worth noting that modern MFA options have gotten significantly less disruptive than they used to be. Authenticator apps generate codes quickly. Push notifications are a single tap. Devices that are regularly used can often be trusted for longer periods so employees aren’t prompted on every login. The experience has improved considerably, and the right setup for your team can minimize the day-to-day impact while maintaining strong protection.

Our cybersecurity awareness training helps teams understand why these controls matter, which goes a long way toward reducing resistance. When people understand what the protection is actually for, they’re far less likely to see it as an obstacle.

MFA Is One Layer in a Broader Defense

MFA is one of the most effective individual controls a small business can implement, but it works best as part of a layered approach. Alongside MFA, the businesses most resilient to credential-based attacks also maintain regular credential rotation policies, monitor for compromised credentials appearing on dark web sources, use conditional access rules that flag unusual login patterns, and ensure that former employees have their access fully revoked when they leave.
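The conditional-access and monitoring controls above can be illustrated with a small rule set run over sign-in events. The following is an added example, not the post's code and not any vendor's conditional-access engine: it flags sign-ins that skipped MFA, sign-ins from a country the user has never used, sign-ins to dormant accounts (the "latency" problem), and sign-ins by people whose access should already have been revoked. The directory snapshot, events, field names and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Added example: rule-based review of constructed sign-in events."""
from copy import deepcopy
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # assumed threshold; tune to your environment

# Constructed directory snapshot: account status, countries seen before, last clean sign-in
DIRECTORY = {
    "alice@example.com": {"status": "active", "countries": {"US"},
                          "last_seen": datetime(2025, 6, 1, tzinfo=timezone.utc)},
    "bob@example.com":   {"status": "active", "countries": {"US"},
                          "last_seen": datetime(2025, 1, 5, tzinfo=timezone.utc)},
    "carol@example.com": {"status": "offboarded", "countries": {"US"},
                          "last_seen": datetime(2024, 11, 20, tzinfo=timezone.utc)},
}

# Constructed sign-in log, in the shape an identity provider export might take
SIGNIN_EVENTS = [
    {"user": "alice@example.com", "ts": "2025-06-02T09:15:00+00:00", "country": "US",
     "mfa": True,  "managed_device": True},
    {"user": "alice@example.com", "ts": "2025-06-02T11:40:00+00:00", "country": "RO",
     "mfa": False, "managed_device": False},
    {"user": "bob@example.com",   "ts": "2025-06-03T03:05:00+00:00", "country": "US",
     "mfa": False, "managed_device": False},
    {"user": "carol@example.com", "ts": "2025-06-03T22:30:00+00:00", "country": "US",
     "mfa": True,  "managed_device": False},
]


def evaluate(event, directory):
    """Return the names of the rules one event trips (empty list = nothing unusual)."""
    profile = directory.get(event["user"])
    if profile is None:
        return ["unknown_account"]
    ts = datetime.fromisoformat(event["ts"])
    findings = []
    if profile["status"] != "active":
        findings.append("offboarded_account_signin")   # access should have been revoked
    if not event["mfa"]:
        findings.append("no_mfa")                      # password-only sign-in
    if event["country"] not in profile["countries"]:
        findings.append("new_country")
    if ts - profile["last_seen"] > DORMANT_AFTER:
        findings.append("dormant_account_reactivated") # old credential used months later
    if not event["managed_device"] and not event["mfa"]:
        findings.append("unmanaged_device_without_mfa")
    return findings


def review(events, directory=DIRECTORY):
    """Evaluate events in order. The baseline (last_seen, known countries) is
    updated only by sign-ins that trip no rule, so a suspicious sign-in does
    not quietly become the new normal. Returns [(user, ts, findings), ...]."""
    state = deepcopy(directory)
    alerts = []
    for ev in events:
        findings = evaluate(ev, state)
        if findings:
            alerts.append((ev["user"], ev["ts"], findings))
        elif ev["user"] in state:
            state[ev["user"]]["last_seen"] = datetime.fromisoformat(ev["ts"])
            state[ev["user"]]["countries"].add(ev["country"])
    return alerts


if __name__ == "__main__":
    for user, ts, findings in review(SIGNIN_EVENTS):
        print(f"{ts}  {user:<20} {', '.join(findings)}")
```

Carol's event is the instructive one: the sign-in used MFA and came from a familiar country, yet it is still an alert, because an offboarded account with working credentials is exactly the gap that MFA alone does not close.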

None of these are complicated. But they require consistent attention, and that’s where a lot of small businesses fall short. Policies exist on paper but aren’t regularly reviewed. Access gets provisioned but not revoked. MFA gets enabled for some accounts but not all.

If you’d like a clear picture of where your authentication controls stand and what the gaps are, reach out to the Z-JAK team. We’ll take an honest look at your current setup and give you a practical path to closing the most significant exposures first.

Frequently Asked Questions

What is infostealer malware and how does it end up on business devices?

Infostealer malware is a type of malicious software designed to quietly collect saved passwords, login credentials, and session data from an infected device and send that information to an attacker. It typically arrives through phishing emails, malicious browser extensions, compromised software downloads, or infected websites. It doesn’t disrupt the device or display any warning signs, which is why most people don’t realize they’ve been infected until the stolen credentials are used somewhere else.

If an employee’s personal device gets infected, is that really a business problem?

Yes. If an employee has ever logged into a business system, cloud app, or work email from a personal device, and those credentials were saved in the browser, an infostealer infection on that device can capture those credentials. The business has no visibility into it, no ability to detect it, and no control over whether the device has security software. This is one of the main reasons MFA enforcement matters so much: it makes those stolen credentials useless even if the business can’t prevent the personal device from getting infected.

How do attackers get hold of stolen credentials if they didn’t do the hacking themselves?

Stolen credentials are sold on dark web marketplaces, often for very little money. After an infostealer collects credentials from a device, those credentials get packaged into logs and listed for sale. Other attackers, including ransomware operators and initial access brokers, buy those logs and then use the credentials to attempt logins against business systems. The original infection and the eventual attack on the business can happen months apart, carried out by completely different people.

Is SMS-based MFA good enough, or do we need something stronger?

SMS-based MFA is better than no MFA. But it does have weaknesses. Sophisticated attackers can intercept SMS codes through SIM-swapping or adversary-in-the-middle phishing pages that capture codes in real time before they expire. For most small businesses, an authenticator app represents a meaningful step up in security with very little added complexity. For admin accounts and high-value access, phishing-resistant methods that bind authentication to a specific device are the strongest option.

What should we do about accounts that already exist but don’t have MFA enabled?

Start by identifying every account that has access to business systems and data, including accounts for remote access, cloud applications, email, and admin tools. Then enforce MFA on all of them, beginning with admin accounts and remote access as the highest priority. Require that existing users register their MFA method within a defined timeframe. Remove any authentication methods that allow users to bypass MFA for convenience. And review your offboarding process to confirm that accounts are fully disabled when employees leave, not just deactivated from their primary login.
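The enforcement steps in this answer and in the "Where to start" section above (admin accounts first, then remote access, then every other business account; remove bypass paths; set an enrollment deadline; confirm departed users are fully disabled) can be turned into a repeatable audit of an account inventory. The following is an added example, not the post's code or any product's built-in report. The account records, field names, the 14-day enrollment deadline and the method labels (`sms`, `totp`, `fido2`) are constructed assumptions; an inventory exported from your identity provider would be mapped into the same fields.

```python
"""Added example: prioritised MFA enforcement audit over a constructed account inventory."""
from dataclasses import dataclass
from datetime import date

ENROLLMENT_DEADLINE_DAYS = 14      # assumed: time allowed to register an MFA method
WEAK_METHODS = {"sms"}             # better than nothing, but interceptable (see FAQ above)
PHISHING_RESISTANT = {"fido2"}     # device-bound methods, expected on admin accounts


@dataclass
class Account:
    user: str
    roles: set           # e.g. {"admin"}, {"remote_access"}, or empty
    apps: set            # business systems this account can reach
    mfa_methods: set     # registered second factors; empty = not yet enrolled
    mfa_enforced: bool   # policy requires a second factor at every sign-in
    bypass_allowed: bool # any legacy or fallback sign-in path that skips MFA
    employment: str      # "active" or "departed"
    enabled: bool
    created: date


def priority(acct: Account) -> int:
    """1 = admin, 2 = remote access, 3 = everything else (the post's ordering)."""
    if "admin" in acct.roles:
        return 1
    if "remote_access" in acct.roles:
        return 2
    return 3


def audit_account(acct: Account, today: date) -> list:
    """Return the enforcement gaps found on one account."""
    findings = []
    if acct.employment == "departed" and acct.enabled:
        findings.append("departed_user_still_enabled")
    if not acct.mfa_enforced:
        findings.append("mfa_not_enforced")
    if acct.bypass_allowed:
        findings.append("mfa_bypass_path_present")
    if not acct.mfa_methods and (today - acct.created).days > ENROLLMENT_DEADLINE_DAYS:
        findings.append("mfa_not_registered_past_deadline")
    if acct.mfa_methods and acct.mfa_methods <= WEAK_METHODS:
        findings.append("only_sms_mfa")
    if priority(acct) == 1 and acct.mfa_methods and not (acct.mfa_methods & PHISHING_RESISTANT):
        findings.append("admin_without_phishing_resistant_mfa")
    return findings


def audit(accounts, today: date):
    """Audit every account; return [(priority, user, findings)] with admin gaps first."""
    results = [(priority(a), a.user, f) for a in accounts if (f := audit_account(a, today))]
    results.sort(key=lambda r: (r[0], r[1]))
    return results


# Constructed inventory covering each gap the post describes, plus two clean accounts
INVENTORY = [
    Account("it-admin@example.com", {"admin"}, {"email", "tenant"}, {"sms"},
            True, False, "active", True, date(2024, 1, 10)),
    Account("dana@example.com", {"remote_access"}, {"vpn", "rdp"}, set(),
            True, True, "active", True, date(2025, 5, 1)),
    Account("erin@example.com", set(), {"email", "crm"}, {"totp"},
            False, False, "active", True, date(2023, 3, 2)),
    Account("former@example.com", set(), {"files"}, {"totp"},
            True, False, "departed", True, date(2022, 9, 15)),
    Account("frank@example.com", set(), {"email", "finance"}, {"fido2", "totp"},
            True, False, "active", True, date(2023, 7, 7)),
    Account("new-hire@example.com", set(), {"email"}, set(),
            True, False, "active", True, date(2025, 6, 5)),  # still inside the enrollment window
]

if __name__ == "__main__":
    for prio, user, findings in audit(INVENTORY, date(2025, 6, 10)):
        print(f"P{prio}  {user:<24} {', '.join(findings)}")
```

The new-hire record is deliberately clean: an account with no registered method is only a finding once the enrollment deadline has passed, which keeps the report focused on accounts that actually need action.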

Let’s Make Sure Your Accounts Are Actually Protected

MFA is one of the fastest, most effective steps a small business can take to reduce credential-based breach risk. But it only works when it’s consistently enforced across every account, not just the ones IT knows about. If you’d like help auditing your current authentication controls and putting a proper enforcement plan in place, get in touch with the Z-JAK team today. We work with businesses across Louisville to close these gaps before they turn into incidents.