Skip to content
All guides

// Guides

Infostealers: How company credentials end up on the dark web

A single infected device can be enough: an infostealer reads saved passwords, cookies and session tokens from the browser in seconds and sends them to attackers. These stealer logs are traded in bulk — and later resurface as your company's credentials. It takes no attack on your servers; often a private employee laptop is enough.

Updated: 2026-07-07

Immediate steps

  1. 1Change affected passwords immediately from a clean device — not from the possibly infected one.
  2. 2Sign out of all active sessions (session revoke) so stolen cookies become worthless.
  3. 3Review two-factor authentication and move to phishing-resistant passkeys or security keys.
  4. 4Prioritise business accounts: email, Microsoft 365 / Google Workspace, VPN, admin and payment access.
  5. 5Have the suspicious device checked by IT and rebuilt if in doubt.
  6. 6Identify reused passwords and replace them everywhere; introduce a password manager.
  7. 7Check whether company domains or email addresses appear externally in leak or stealer-log contexts (e.g. with the Hasso Plattner Institute's leak checker).
  8. 8Document the incident; where personal data is affected, involve data-protection and notification duties (GDPR, 72 hours).

What not to do

  • Do not change passwords from the infected device.
  • Do not change just one password and overlook reused ones.
  • Do not rely on a new password alone without revoking active sessions.
  • Do not ignore private devices with company access.
  • Do not wait — stealer logs are often exploited only weeks later.

When professional help makes sense

SKOPION passively checks externally accessible sources for signs of credential exposure, stealer-log or dark-web context relating to your organisation — and prioritises concrete protective steps. We do not scan or clean devices and do not replace antivirus or EDR; the focus is on externally visible risk and exposure signals.

Get in touch

Common questions

Are we affected even though our servers are secure?
Yes, that is possible. Infostealers hit individual devices — including private laptops with company logins. The state of your servers does not change that.
Is a new password enough?
Not always. If session cookies are stolen, access persists despite a new password until all sessions are signed out. Passkeys and MFA significantly increase protection.
How is exposure detected without touching our devices?
Through externally visible, legally accessible sources — whether company domains or email addresses appear in known leak or stealer-log contexts and dark-web sources, without access to your systems.
What are the most important immediate steps?
Change passwords from a clean device, sign out sessions, enable passkeys/MFA, prioritise business accounts and have the suspicious device checked.

Sources