By 2026, stolen credentials are no longer a secondary concern: they are a strategic priority for any security team. There is a disturbing paradox, however: many organizations recognize the risk, yet they continue to rely on solutions that "meet the basics" (controls that tick boxes) rather than deploying dedicated programs to confront infostealers, the malware families designed to exfiltrate credentials, cookies and session tokens.
The numbers help convey the magnitude of the problem. A recent survey commissioned by Lunar, the dark web monitoring platform powered by Webz.io, indicates that most organizations consider compromised credentials a high or very high risk, and for many it is among the top three security priorities. At the same time, data collected by the industry shows enormous volumes of credentials in circulation: in 2025 alone, billions of compromised records were identified, a figure that makes any cost estimate dizzying. To put it in economic perspective, IBM's annual report on the cost of data breaches places the average cost of a breach involving compromised credentials at several million dollars per incident (IBM Cost of a Data Breach Report).

And despite that awareness, many defenses remain naive in the face of the technical reality of the attacks. Statements like "we have MFA everywhere" or "our EDR and Zero Trust architecture already protect us" sound reassuring, but they are not enough. When an employee logs into a critical application from an unmanaged home device, traditional solutions such as EDR or network policies do not detect that the access comes from a stolen token or cookie. In other words, the controls that protect the perimeter and endpoints do not necessarily cover the telemetry and context needed to detect and respond to hijacked sessions.
The behavior of infostealers explains why. These malware families do not just collect usernames and passwords; they extract session cookies, tokens and other artifacts that let an attacker "enter without touching the door": without going through an authentication form again, without triggering an MFA challenge and often without leaving any obvious trace in the authentication logs. The result is that the malicious actor can move, explore and exfiltrate data very quickly before the traditional controls raise relevant alerts. To understand the nature of the risk, it is worth reviewing technical material on how infostealers work and what information they usually capture (Kaspersky - InfoStealers).
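As an added illustration (not code from the original article), the following Python sketch shows the correlation this paragraph implies is missing: the authentication log records only the legitimate login, so a replayed cookie becomes visible only when session ids are joined across the authentication log and the application access log. All events are constructed samples with placeholder users, IPs and session ids.

```python
from datetime import datetime

# Constructed sample events (not real data). The authentication log records only
# the legitimate login; the stolen cookie is later replayed against the
# application without ever touching the login form again.
AUTH_LOG = [
    {"ts": "2026-01-10T08:01:00", "user": "ana@example.com", "session": "s-7f3a",
     "ip": "203.0.113.10", "device": "LAPTOP-ANA"},
]
ACCESS_LOG = [
    {"ts": "2026-01-10T08:05:00", "session": "s-7f3a", "ip": "203.0.113.10",
     "device": "LAPTOP-ANA", "path": "/mail/inbox"},
    {"ts": "2026-01-10T13:42:00", "session": "s-7f3a", "ip": "198.51.100.77",
     "device": "DESKTOP-UNKNOWN", "path": "/files/export"},
    {"ts": "2026-01-10T13:43:00", "session": "s-0000", "ip": "198.51.100.77",
     "device": "DESKTOP-UNKNOWN", "path": "/admin"},
]

def find_replayed_sessions(auth_log, access_log):
    """Replay both logs in time order. Each auth event binds a session id to the
    IP/device that authenticated it; a later access with that session id from a
    different IP/device, or with a session id never authenticated, is an alert."""
    stream = sorted(
        [("auth", e) for e in auth_log] + [("access", e) for e in access_log],
        key=lambda item: datetime.fromisoformat(item[1]["ts"]),
    )
    bindings = {}   # session id -> (user, ip, device) from the most recent auth
    alerts = []
    for kind, e in stream:
        if kind == "auth":
            bindings[e["session"]] = (e["user"], e["ip"], e["device"])
            continue
        bound = bindings.get(e["session"])
        if bound is None:
            alerts.append({**e, "user": None, "reason": "session id never authenticated"})
        elif (e["ip"], e["device"]) != bound[1:]:
            alerts.append({**e, "user": bound[0],
                           "reason": f"session authenticated on {bound[2]} ({bound[1]}) "
                                     f"replayed from {e['device']} ({e['ip']})"})
    return alerts

if __name__ == "__main__":
    for a in find_replayed_sessions(AUTH_LOG, ACCESS_LOG):
        print(a["ts"], a["session"], a["user"], "->", a["reason"])
```

Looking at the authentication log alone would show one clean login and nothing else; the two alerts only appear once the access log is joined on the session id.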
The cycle of a typical attack is usually relentlessly efficient. First, the victim is infected through varied vectors: phishing campaigns, malicious browser extensions, pirated software or compromised repositories. The infostealer scrapes credentials and cookies from the browser or system and sends that information to a server controlled by the attacker; the data then ends up grouped into "logs" or combolists that are bought and sold in forums, private chats and underground markets. A buyer can immediately use these legitimate credentials and session artifacts to access corporate services, within a surprisingly short time window. If exposure checks are carried out once a month or against stale data sources, the organization may discover the incident when it is too late.
Generic solutions fail where specialization is needed. Many companies apply one-off breach monitoring or base their detection on public lists of leaked passwords, with no forensic capacity or context to reconstruct which accounts were affected, which devices were compromised or whether cookies and tokens were stolen. The lack of triangulated and normalized data turns any warning into noise: it is not known whom to notify, what to reset or how to prioritize the response. In addition, latency in acquiring data from criminal sources and the absence of integration with automated workflows (IMS, SOAR, IDP) prevent a rapid and coordinated reaction.
Moving from a reactive approach to a mature breach monitoring program involves, among other things, continuous collection of signals and the ability to enrich them with useful context. This means incorporating data from various sources (infostealers, combolists, markets and messaging channels where credentials are traded) and normalizing that information so that it is neither duplicated nor lost in irrelevant noise. The aim is a single, refined view of the exposures that really affect the organization.
Automation is key to turning alerts into actions. It is not enough to know that a corporate domain appears on a leaked list; that evidence must be translated into playbooks that automate concrete steps: invalidating sessions, forcing credential resets, blocking access at the IDP and orchestrating tasks in the IMS or SOAR so that analysts do not waste time on repetitive routines. When these pieces are connected, the window the attacker exploits is dramatically shortened.
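To make the two preceding points concrete (normalizing multi-source data into one view, then driving playbooks from it), here is an added Python example that is not from the article or any vendor product. It normalizes constructed records from three source types, keeps only accounts in an assumed monitored domain, merges duplicates into one exposure per account, and maps each exposure to playbook actions; the source formats, domain and action names are all hypothetical.

```python
ORG_DOMAINS = {"example.com"}   # assumed domains the program monitors
# Constructed sample records as three source types might deliver them (stealer
# log, combolist line, marketplace listing); field names differ per source.
RAW_RECORDS = [
    {"source": "stealer_log", "login": "Ana@Example.com", "password": "hunter2",
     "cookies": ["SESSIONID=constructed"], "host": "LAPTOP-ANA"},
    {"source": "combolist", "line": "ana@example.com:hunter2"},
    {"source": "market", "user": "bob@example.com", "tokens": ["TOKEN-PLACEHOLDER"]},
    {"source": "combolist", "line": "someone@other.org:secret"},
]

def normalize(rec):
    """Map a source-specific record onto one schema so sources can be merged."""
    if rec["source"] == "combolist":
        email, _, pw = rec["line"].partition(":")
        return {"email": email, "password": bool(pw), "session": False, "host": None}
    return {"email": rec.get("login") or rec.get("user"),
            "password": bool(rec.get("password")),
            "session": bool(rec.get("cookies") or rec.get("tokens")),
            "host": rec.get("host")}

def build_exposures(raw, org_domains=ORG_DOMAINS):
    """Normalize, drop accounts outside the org, merge duplicates per email."""
    merged = {}
    for rec in raw:
        n = normalize(rec)
        email = n["email"].strip().lower()
        if email.rsplit("@", 1)[-1] not in org_domains:
            continue
        cur = merged.setdefault(email, {"email": email, "password": False,
                                        "session": False, "hosts": set(), "sources": set()})
        cur["password"] |= n["password"]
        cur["session"] |= n["session"]
        cur["sources"].add(rec["source"])
        if n["host"]:
            cur["hosts"].add(n["host"])
    return merged

def playbook(exposure):
    """Turn one merged exposure into the ordered actions an orchestrator would run."""
    actions = ["revoke_sessions"] if exposure["session"] else []   # replayed cookies bypass MFA
    if exposure["password"]:
        actions.append("force_password_reset")
    if exposure["session"] and exposure["password"]:
        actions.append("block_idp_signin")       # hold the account until both are fixed
    for host in sorted(exposure["hosts"]):
        actions.append(f"isolate_host:{host}")   # the stealer ran there; clean it first
    actions.append("open_incident_ticket")
    return actions
```

The same account seen in a stealer log and a combolist collapses into one exposure with both sources recorded, so the analyst gets a single ticket rather than two unrelated alerts.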
Another frequent handicap is the false sense of safety by platform. Many teams believe that macOS is immune to these attacks, yet Apple-specific families have emerged that steal cookies and credentials. Reports from different actors in the sector show how infostealers have become more sophisticated and diversified to affect multiple operating systems and application ecosystems.
Implementing an effective monitoring strategy requires a change of mindset. Credential monitoring should no longer be a "one-off product" but a continuous program with clear responsibilities, metrics and defined procedures. This involves assigning an owner for the infostealer domain, establishing a verification cadence based on real risk and designing playbooks that run automatically when confirmed evidence appears. It also requires investment in solutions that provide the forensic telemetry that "meet the standards" approaches often lack.
The good news is that tools and operating models exist that make that jump possible. Platforms that aggregate and enrich underground data and integrate with the corporate security stack make it possible to transform exposures into automatic, measurable responses. Interoperability with identity providers, orchestration systems and incident management platforms is what closes the loop between detection and remediation.
It is no exaggeration to say that the cost of not adapting can be enormous. From direct economic losses to reputational and regulatory damage, a session taken over by a malicious actor may mean unauthorized access to critical information. Security teams are therefore advised to review their current practices, prioritize the detection of stolen tokens and cookies, and not settle for controls that only partially mitigate the risk. To go deeper into good session management and security practices, the OWASP guides are a good technical resource (OWASP Session Management).

If you want to check which credentials related to your organization already circulate in criminal ecosystems, there are initiatives that provide accessible monitoring for organizations of all sizes, combining coverage with integration capacity. With continuous visibility and automatic response mechanisms it is possible to close many of the exposure windows that today allow attackers to act with impunity. As a reference on industry initiatives, see the work of Webz.io, which brings together open signals and underground intelligence for different business uses (Webz.io).
In short, the solution is not to add more disconnected tools or to rely solely on MFA or EDR. It is about building a credential and session monitoring program that is continuous, contextual and automated, that integrates specialized sources and empowers teams to make fast, accurate decisions. The cost of complacency is too high today to keep operating with the approaches of a few years ago.
For those who want to go deeper into the issue and how to adapt their processes, I recommend starting by reviewing the cost-of-breach reports, studying the technical nature of infostealers and evaluating solutions that integrate with your existing security workflows. Industry resources and good-practice guides are abundant and can serve as a starting point for designing a program that actually reduces risk.