// Guides
Infostealers: How company credentials end up on the dark web
A single infected device can be enough: an infostealer reads saved passwords, cookies and session tokens from the browser in seconds and sends them to attackers. These stealer logs are traded in bulk — and later resurface as your company's credentials. It takes no attack on your servers; often a private employee laptop is enough.
Updated: 2026-07-07
Immediate steps
- 1Change affected passwords immediately from a clean device — not from the possibly infected one.
- 2Sign out of all active sessions (session revoke) so stolen cookies become worthless.
- 3Review two-factor authentication and move to phishing-resistant passkeys or security keys.
- 4Prioritise business accounts: email, Microsoft 365 / Google Workspace, VPN, admin and payment access.
- 5Have the suspicious device checked by IT and rebuilt if in doubt.
- 6Identify reused passwords and replace them everywhere; introduce a password manager.
- 7Check whether company domains or email addresses appear externally in leak or stealer-log contexts (e.g. with the Hasso Plattner Institute's leak checker).
- 8Document the incident; where personal data is affected, involve data-protection and notification duties (GDPR, 72 hours).
What not to do
- Do not change passwords from the infected device.
- Do not change just one password and overlook reused ones.
- Do not rely on a new password alone without revoking active sessions.
- Do not ignore private devices with company access.
- Do not wait — stealer logs are often exploited only weeks later.
When professional help makes sense
SKOPION passively checks externally accessible sources for signs of credential exposure, stealer-log or dark-web context relating to your organisation — and prioritises concrete protective steps. We do not scan or clean devices and do not replace antivirus or EDR; the focus is on externally visible risk and exposure signals.
Get in touchCommon questions
- Are we affected even though our servers are secure?
- Yes, that is possible. Infostealers hit individual devices — including private laptops with company logins. The state of your servers does not change that.
- Is a new password enough?
- Not always. If session cookies are stolen, access persists despite a new password until all sessions are signed out. Passkeys and MFA significantly increase protection.
- How is exposure detected without touching our devices?
- Through externally visible, legally accessible sources — whether company domains or email addresses appear in known leak or stealer-log contexts and dark-web sources, without access to your systems.
- What are the most important immediate steps?
- Change passwords from a clean device, sign out sessions, enable passkeys/MFA, prioritise business accounts and have the suspicious device checked.