Browser Passwords Remain Hacker Favorite
May 7, 2026
Editor's note: This post was originally published December 8, 2025, and has been updated to reflect new threat intelligence data.
You implemented a password manager last year. Your team went through the deployment. IT sent the emails. The training videos got watched. Problem solved, right?
Not even close. While dedicated password managers sat installed on company devices, employees kept right on saving passwords in Chrome, Edge, and Firefox. They did it because browsers made it easy. They did it because nobody told them to stop. They did it because the browser popup appeared every single time they logged into anything, asking if they wanted to save their password. Most people clicked yes.
That decision just cost you everything.
The Numbers Tell an Uncomfortable Story
At DEF CON 33 in August 2025, security researcher Marek Tóth demonstrated how attackers can steal credentials from password manager browser extensions using a technique called DOM-based extension clickjacking. The vulnerability affected 11 major password managers with a combined 40 million active installations, including 1Password, Bitwarden, LastPass, Keeper, and NordPass. A single click anywhere on a malicious website could expose credit card details, stored personal data, usernames, passwords, and two-factor authentication codes.
But the browser extension vulnerability is just the beginning.
The real damage comes from what employees continue storing directly in browsers themselves. According to KELA's State of Cybercrime 2024 report, infostealer malware infected 4.3 million devices in 2024, directly compromising 330 million credentials. Beyond direct infection, researchers found 3.9 billion credentials circulating in credential lists sourced from infostealer logs, trading on criminal forums for as little as $10 to $15 per account. The top three infostealer families, Lumma, StealC, and RedLine, accounted for more than 75% of those infections.
The pace accelerated sharply in 2025. According to Flashpoint's Global Threat Intelligence Index, credential theft via infostealer malware surged 800% in the first half of 2025 compared to the prior six months, with 1.8 billion credentials stolen from 5.8 million devices. These specialized malware programs target one thing: extracting credentials stored in browsers. They harvest passwords, session cookies, autofill data, and authentication tokens, then disappear before most security tools detect them.
The downstream consequences are severe. Verizon's 2025 Data Breach Investigations Report found that 54% of ransomware victims had their company's domains appear in infostealer logs before the attack, and that stolen credentials were involved in 88% of basic web application breaches, making them the dominant tactic in that category. Separately, the DBIR found that 46% of infostealer-compromised systems were non-managed or personal devices that also hosted corporate credentials, a direct result of employees mixing work and personal logins on devices outside IT's visibility.
Your browser was designed to render web pages efficiently, not to protect credentials against determined adversaries. The encryption on browser-stored passwords is keyed to the logged-in operating system user, not to anything the user has to know: on Windows, Chrome and Edge wrap the store with DPAPI, which any process running as that user can ask the OS to reverse, and Firefox's store is protected only by a primary password that most users never set. Freely available scripts do the decryption in a few lines, no advanced skills required, and researchers have shown an attacker with that level of device access extracting every saved password from Chrome, Edge, or Firefox as plain text in well under an hour. Chrome added a second, app-bound layer on Windows in 2024 that raised the bar, but the major infostealer families adapted to it within months.
How the Attack Works
Infostealer malware spreads through the same vectors that have worked for decades. Phishing emails deliver malicious attachments. Fake software updates prompt users to download infected files. Compromised browser extensions install backdoor access. Trojanized applications hide malware inside seemingly legitimate programs. Supply chain compromises infect third-party tools and libraries that spread to everyone who downloads them.
Once installed, infostealers need only seconds to execute. They scan the infected device for browser databases storing passwords, cookies, and autofill information. Modern variants target 19 different browsers, from mainstream options like Chrome and Edge to specialized browsers like Tor, Brave, Vivaldi, and Waterfox. The malware executes SQL queries directly against browser databases, extracting website URLs, usernames, and encrypted passwords. It captures clipboard contents, takes screenshots, and harvests session tokens. Everything gets packaged and transmitted to remote servers controlled by criminals.
The sophistication level continues rising. Microsoft identified more than 394,000 Windows computers globally infected with Lumma Stealer during just a two-month window between March and May 2025. RedLine Stealer infected 9.9 million devices worldwide before law enforcement disrupted it in October 2024. Lumma has since taken its place as the dominant tool in the criminal marketplace. These tools operate within a Malware-as-a-Service ecosystem that looks nearly identical to legitimate software businesses. Vendors offer support, automated subscription payments, user dashboards, and affiliate programs allowing other criminals to act as resellers.
The barrier to entry is essentially zero. Anyone with cryptocurrency can buy access to enterprise-grade credential theft tools for as little as $200 per month.
The clickjacking vulnerability that Tóth demonstrated at DEF CON adds another attack vector. Malicious websites overlay invisible UI elements on top of seemingly legitimate buttons. When users think they are clicking to close a cookie consent banner or accept a website popup, they are actually triggering password manager autofill functions. The credentials get filled into invisible forms and exfiltrated to attacker-controlled servers. The technique works even when users exercise caution, because they are not clicking on anything suspicious. They are clicking on what appears to be normal website functionality.
Real-World Consequences
In September 2023, infostealer malware on a corporate computer harvested passwords stored in web browsers and applications, among them the credentials for an account at RIPE NCC, the Regional Internet Registry for Europe, the Middle East and Central Asia. Those credentials were exfiltrated and surfaced in stealer logs sold online. The affected firm did not change the password or enable multi-factor authentication for months. In January 2024 the still-valid account was used to alter Orange Spain's routing-security (RPKI) configuration in the RIPE portal, knocking a large share of that operator's customers offline for hours.
The 2023 Okta breach shows how browser password storage creates cascading failures. An Okta employee signed into a personal Google account in Chrome on an Okta-managed laptop, and the username and password of a service account for Okta's customer support system were saved into that personal Google profile. Once the credentials had left the managed environment that way, an attacker obtained them and used the service account to pull support-case files and a report listing every user of the support system. The attack succeeded not because of a technical vulnerability in Okta's systems, but because credentials were stored in a browser password manager synced to an account outside IT's control.
In October 2025, cybersecurity firm Synthient uncovered a collection of 183 million email passwords exposed through infostealer malware campaigns. The data appeared on the Have I Been Pwned database, marking one of the largest credential leaks of the year. Google confirmed the credentials originated from malware infections on individual user devices, not from any Gmail server vulnerability. The distinction matters. The breach occurred because users stored passwords in browsers, and infostealers harvested them at scale.
Verizon's 2025 Data Breach Investigations Report puts stolen credentials in 88% of basic web application attack breaches, the most common initial access vector in that category. When attackers can simply log in with valid credentials instead of exploiting technical vulnerabilities, they choose the easier path every time.
The Defense Contractor Problem
For firms handling controlled unclassified information and working in the defense industrial base, browser password storage creates unacceptable risk. Nation-state actors routinely deploy infostealer malware as part of initial access operations. North Korea's Lazarus group uses RedLine Stealer in its ongoing cryptocurrency theft campaigns. Iranian state-sponsored threat actors have intensified their use of credential theft tools targeting critical infrastructure across healthcare, government, engineering, and energy sectors.
CMMC compliance requires multi-factor authentication and proper credential protection. Storing work credentials in browsers violates the fundamental security principle of protecting authentication data. An estimated 8,350 medium and large defense contractors must implement Level 2 third-party assessments. Those assessments evaluate whether security controls actually protect sensitive information, not just whether the controls exist on paper.
No compliance framework will protect you if your employees store passwords in browsers that malware can harvest in seconds. The regulation requires MFA and credential protection. It does not prevent infostealer malware from extracting browser-stored passwords before MFA even becomes relevant. You can pass the assessment and suffer a breach the same day using attack vectors your security architecture completely ignores.
Why Traditional Approaches Fail
Most firms approached browser password storage as a training problem. Send the emails. Create the awareness campaigns. Tell employees not to save passwords in browsers. Hope they listen. That approach failed because it depended on perfect human behavior under imperfect conditions. Browsers prompt users to save passwords automatically. The popup appears every single time someone logs into anything. Declining the prompt requires active effort. Accepting it requires one click. Over months and years, that friction wears people down.
Implementing a dedicated password manager does not solve the problem unless you also remove existing credentials from browsers. Employees who transitioned to proper password managers often left their old browser-stored passwords in place. They used the password manager for new accounts while continuing to autofill old credentials from the browser. Security teams assumed deployment meant adoption, but deployment only means the tool exists. Adoption requires removing the alternative.
The clickjacking vulnerability affecting password manager extensions reveals another uncomfortable truth. Even firms that mandated dedicated password managers remained vulnerable if those managers operated as browser extensions. Several of the affected vendors shipped fixes after the disclosure, and keeping extensions current is a baseline, but the architectural point stands: browsers were not designed as security platforms. They prioritize user experience and convenience. Extensions inherit those same priorities and constraints. Security requires architecture designed specifically for protecting authentication data, not features bolted onto systems built for other purposes.
What Actually Works
Active Directory group policies can block browser password storage at the system level. Chrome, Edge, and Firefox all ship ADMX templates with a PasswordManagerEnabled setting; disabling it turns off both the save prompt and autofill, the browser shows the setting as managed, and users cannot re-enable it. Pair it with the browsers' sync and sign-in policies so a work profile cannot sync credentials to a personal account, and with an enterprise password manager so the replacement is already in place. This removes the ability to store credentials regardless of user behavior. The technical control eliminates the vulnerability instead of asking employees to avoid it. One caveat: application allowlisting tools such as Windows Defender Application Control govern which programs may run; they do not stop a browser from writing its own password database, so they complement this policy rather than replace it.
Deploy an enterprise password manager with mandatory usage policies. Keeper, 1Password, Bitwarden, and Dashlane all provide centralized management, policy enforcement, and audit trails showing who accessed what credentials and when. These tools use encryption keys derived from master passwords that never leave user devices. They require explicit authentication before revealing any saved credentials. An attacker who compromises a device still cannot open the vault without those additional authentication factors, as long as the vault is locked. A vault that sits unlocked on a compromised device is as exposed as anything else on that device, so enforce short auto-lock timeouts and require re-authentication before autofill.
Schedule mandatory password migration sessions where IT staff actively remove every saved password from every browser on every device. Do not send instructions for employees to do this themselves. Do it for them. Export existing credentials from browsers into the password manager, verify the migration succeeded, then delete every browser-stored credential. This cannot be optional. This cannot be self-service. This must be enforced systematically across the entire firm. For step-by-step instructions, see our guide on how to remove saved passwords from browsers.
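One way to carry out the system-level block and to verify the migration, as an added example that is not STACK's tooling or code from the original post. It assumes Windows, an elevated PowerShell session, and default profile paths; the policy names are the browsers' documented Group Policy registry values, and the file paths are the browsers' default credential stores.

```powershell
# Added example, not code from the original post. Disables built-in password saving
# in Chrome, Edge and Firefox through each browser's documented policy registry keys
# (the same values the ADMX templates write), blocks profile sync to personal accounts,
# then audits every local user profile for leftover credential stores so the IT-led
# migration can be verified. Assumes Windows, an elevated session and default profile
# paths; browsers must be restarted before the policies take effect.

$Policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'PasswordManagerEnabled'; Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'SyncDisabled';            Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'PasswordManagerEnabled'; Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'SyncDisabled';            Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'PasswordManagerEnabled'; Value = 0 }
)

# Per-profile files where each browser keeps saved logins. Chromium's "Login Data" is a
# SQLite database; Firefox's logins.json is plain JSON with encrypted password fields.
$StorePatterns = @(
    'AppData\Local\Google\Chrome\User Data\*\Login Data',
    'AppData\Local\Google\Chrome\User Data\*\Login Data For Account',
    'AppData\Local\Microsoft\Edge\User Data\*\Login Data',
    'AppData\Local\Microsoft\Edge\User Data\*\Login Data For Account',
    'AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json'
)

function Set-BrowserPasswordPolicy {
    # Creates the policy keys if missing and writes each value as REG_DWORD
    foreach ($p in $Policies) {
        if (-not (Test-Path -Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType DWord -Force | Out-Null
    }
}

function Test-BrowserPasswordPolicy {
    # One row per policy with the value actually present in the registry
    foreach ($p in $Policies) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{ Path = $p.Path; Name = $p.Name; Expected = $p.Value; Actual = $actual; Enforced = ($actual -eq $p.Value) }
    }
}

function Get-BrowserCredentialStores {
    # Lists every credential store per local user. Firefox logins are counted directly;
    # for Chromium count rows with:  sqlite3 "Login Data" "select count(*) from logins"
    foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory) {
        foreach ($pattern in $StorePatterns) {
            Get-Item -Path (Join-Path -Path $profile.FullName -ChildPath $pattern) -ErrorAction SilentlyContinue |
            ForEach-Object {
                $count = $null
                if ($_.Name -eq 'logins.json') {
                    $count = @((Get-Content -Path $_.FullName -Raw | ConvertFrom-Json).logins).Count
                }
                [pscustomobject]@{ User = $profile.Name; Store = $_.FullName; Bytes = $_.Length; LastWrite = $_.LastWriteTime; SavedLogins = $count }
            }
        }
    }
}

Set-BrowserPasswordPolicy
Test-BrowserPasswordPolicy   | Format-Table -AutoSize
Get-BrowserCredentialStores  | Format-Table -AutoSize
```

Run the export and deletion before flipping the policy: PasswordManagerEnabled stops new saves and autofill but does not delete what is already on disk, which is exactly the data an infostealer wants, so the audit listing is the signal that the migration is finished. Confirm enforcement from the user's side at chrome://policy, edge://policy, or about:policies, where the setting should appear as a managed value.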
For browser extension-based password managers, reconfigure site access settings to require manual interaction. On Chromium-based browsers like Chrome and Edge, navigate to extension settings, select site access, and choose the on-click option. This prevents the extension from autofilling credentials unless the user explicitly clicks the toolbar icon. The additional step blocks clickjacking attacks that rely on invisible autofill triggers.
Implement continuous monitoring for stolen credentials appearing on dark web marketplaces. Services from firms like Flare, SpyCloud, and KELA scan criminal forums, paste sites, and infostealer logs for your company's email domains and credentials. When employee credentials surface for sale, you receive alerts within hours. Force immediate password resets for compromised accounts, terminate active sessions, and scan the affected device for malware. Speed matters because attackers typically exploit stolen credentials within hours of purchase.
Deploy endpoint detection and response tools specifically configured to detect infostealer behavior patterns. The malware does not talk to a database server; it opens or copies the browser's local credential files (Chrome's and Edge's Login Data, Firefox's logins.json and key4.db, plus the cookie stores) and calls the operating system's decryption API. Each step is observable: a non-browser process reading those files, DPAPI decryption calls from an unexpected binary, and a burst of outbound traffic to a fresh domain right afterward. Modern EDR solutions can alert on all three. Configure them to isolate the endpoint automatically, because the whole theft takes seconds and blocking the exfiltration is worthless once the archive has left the network.
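The file-access signal above can be produced with Windows object-access auditing even without a commercial EDR. The following is an added example, not code from the original post: it places a read-audit SACL on the credential stores, turns the resulting 4663 events into plain records, and flags any read by a process that is not the browser itself. It assumes Windows, an elevated session, and the default process and file names; the two sample events at the end are constructed to show the filter working offline.

```powershell
# Added example, not code from the original post. Makes browser credential-store reads
# auditable (Security event 4663) and flags reads by anything other than the browser.
# Assumes Windows and an elevated session. The sample events at the bottom are constructed.

# File names infostealers go for, per the browsers' default layouts
$StorePattern     = '\\(Login Data( For Account)?|logins\.json|key4\.db|cookies\.sqlite|Cookies)$'
$BrowserProcesses = @('chrome.exe', 'msedge.exe', 'firefox.exe')

function Enable-CredentialStoreAuditing {
    param([string[]]$Stores)
    # The "File System" audit subcategory must be on or no 4663 events are generated
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    # Audit successful reads by anyone; the SACL is narrow so the Security log stays usable
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ReadData', 'Success')
    foreach ($store in $Stores) {
        $acl = Get-Acl -Path $store -Audit
        $acl.AddAuditRule($rule)
        Set-Acl -Path $store -AclObject $acl
    }
}

function ConvertFrom-Event4663 {
    # Flattens a 4663 record's EventData into the four fields the triage needs
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{ Time = $Record.TimeCreated; User = $d.SubjectUserName; Process = $d.ProcessName; Object = $d.ObjectName }
}

function Find-CredentialStoreAccess {
    # Keeps only reads of a credential store made by a non-browser executable
    param([Parameter(ValueFromPipeline = $true)][object]$Event)
    process {
        $proc = [IO.Path]::GetFileName($Event.Process).ToLower()
        if ($Event.Object -match $StorePattern -and $BrowserProcesses -notcontains $proc) { $Event }
    }
}

# Live use, after Enable-CredentialStoreAuditing has been run on the target files:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
#       ForEach-Object { ConvertFrom-Event4663 $_ } | Find-CredentialStoreAccess

# Constructed sample: one legitimate read by Chrome, one stealer-like read from a temp dir
$Sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'jdoe'
                       Process = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
                       Object  = 'C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data' },
    [pscustomobject]@{ Time = Get-Date; User = 'jdoe'
                       Process = 'C:\Users\jdoe\AppData\Local\Temp\update.exe'
                       Object  = 'C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data' }
)
$Sample | Find-CredentialStoreAccess | Format-Table Time, User, Process, Object -AutoSize
```

Only the second sample record survives the filter. Two practical caveats: a stealer that copies the file first still generates a read by the copying process, so the copy is caught; but Chromium periodically rewrites Login Data, which can drop the SACL, so reapply it on a schedule or from a logon script. A process name alone is also not proof of legitimacy, since malware can masquerade as chrome.exe from an odd path, so a tighter rule also checks the full path and the image's signature.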
Industrialized Credential Theft
Browser password storage represents a critical vulnerability that most firms continue ignoring despite straightforward remediation options. You spent money deploying password managers. You spent time training employees. You checked the compliance boxes. None of that matters if browser-stored credentials remain accessible to malware that harvests them in seconds.
Attackers have industrialized credential theft. Infostealers operate as Malware-as-a-Service businesses with subscription pricing, vendor support, and affiliate programs. The criminal marketplace makes enterprise-grade attack tools available to anyone with cryptocurrency. Your adversaries are not checking whether you are compliant. They are checking whether credentials exist in browsers where malware can harvest them.
The solution requires two actions: implement a proper password manager and remove all credentials from browsers. Neither action requires advanced technical expertise. Neither action costs significant money. Both actions deliver immediate, measurable risk reduction. What stops most firms is not technical capability or budget constraints. What stops them is treating this as an optional improvement instead of a critical vulnerability requiring immediate remediation.
Your people will continue saving passwords in browsers until you remove the capability. Training does not overcome convenience. Policies do not overcome automatic prompts appearing hundreds of times per month. Technical controls overcome vulnerabilities by eliminating the attack surface. Deploy the password manager. Migrate the credentials. Delete everything stored in browsers. Configure the policies to prevent future storage. Monitor for compromised credentials. Act when they appear.
The attackers have the tools. They have the infrastructure. They have the patience. What happens next depends on whether you fix this vulnerability before they exploit it. Take a hard look at your authentication architecture this week. Schedule the browser password migration sessions. Implement the technical controls that make credential theft exponentially harder. Do something today that makes your firm more secure than it was yesterday.
Stop asking employees to remember not to save passwords. Stop hoping they will decline the browser prompts. Stop treating convenience features as security solutions. Build systems that do not depend on perfect human judgment under constant friction. The question is whether you will fix the vulnerability before the next breach or after.
Frequently Asked Questions
What is infostealer malware?
Infostealer malware is a category of malicious software designed specifically to harvest credentials and sensitive data from infected devices. Unlike ransomware, which announces itself by locking files, infostealers operate silently. Once installed, they scan browser databases, clipboard contents, session cookies, and autofill data, package everything, and transmit it to attacker-controlled servers, often before any security tool detects them. The stolen data is then sold on criminal marketplaces or used directly to access corporate systems.
Is saving passwords in a browser really that dangerous?
Yes. The encryption on browser-stored passwords is keyed to the logged-in operating system user, so any program running as that user can have the OS decrypt them; freely available scripts do it in a few lines with no advanced technical skills. Security researchers have demonstrated full extraction of every saved password from Chrome, Edge, or Firefox in under an hour on a compromised device. The convenience that makes browser password saving appealing is exactly what makes it a target: credentials sit in a predictable location, in a predictable format, accessible without any authentication beyond the one the malware already has.
If I already have a password manager, am I protected?
Only partially, and only if you have also removed all credentials previously saved in browsers. Most employees who adopt a password manager leave their old browser-stored passwords in place and continue autofilling them from the browser. That means the vulnerability persists alongside the new tool. Additionally, password managers that operate as browser extensions carry their own risks, as demonstrated by the DOM-based clickjacking vulnerability disclosed at DEF CON 33 in 2025. Full protection requires migrating credentials out of browsers and configuring extensions to require manual interaction before autofilling.
How do I know if my company's credentials have already been compromised?
Dark web monitoring services from firms like SpyCloud, Flare, and KELA continuously scan criminal forums, paste sites, and infostealer logs for your company's email domains and credentials. If employee accounts have appeared in breach data, these services alert you, often within hours of the credentials surfacing for sale. You can also check individual email addresses through Have I Been Pwned at haveibeenpwned.com. If you are unsure whether your firm has any monitoring in place, that is itself a gap worth addressing immediately.
Does this affect CMMC compliance?
Yes. CMMC requires multi-factor authentication and proper protection of authentication data for firms handling controlled unclassified information. Storing work credentials in browsers violates the underlying security principle those controls are designed to enforce. Passing a CMMC assessment does not guarantee you are protected if browser-stored credentials remain accessible to infostealer malware, which can harvest them before MFA ever becomes relevant in an attack chain.
What is the first step a business should take right now?
Audit what is currently saved in browsers on every company device. Most businesses are surprised by the volume. From there, the path is straightforward: deploy an enterprise password manager if you have not already, schedule mandatory IT-led migration sessions to move credentials out of browsers, and use group policy or application controls to block browsers from saving passwords going forward. Our guide on how to remove saved passwords from browsers walks through the process browser by browser. If you need hands-on help, STACK can walk you through it.
Need Help Deploying a Password Manager?
STACK Cybersecurity provides live onboarding sessions for clients deploying password managers. We handle the technical migration, ensure complete credential removal from all browsers, and train your team on secure password management practices. Eliminate this vulnerability before an attacker does it for you.
Email: info@stackcyber.com
Phone: (734) 744-5300
Contact Form