Your Business Password Is on the Dark Web. It Got There in 48 Hours.

New research shows stolen business credentials hit dark web markets within 48 hours of infection. What Irish SMEs need to know and do now.

Research published on 24 March 2026 by Whiteintel's Intelligence Division mapped the complete journey of a stolen business password — from the moment it was taken to the moment it appeared for sale on a dark web marketplace. The answer was 48 hours. In some cases, less.

That is not 48 hours from when you discovered a breach. It is 48 hours from when the malware first ran on a device — long before any alert fires, long before any IT team notices anything unusual, and long before the business has any idea it has been compromised.

This is the infostealer problem, and it is currently the fastest-growing threat facing Irish SMEs.


What Is an Infostealer?

An infostealer is a type of malware that silently harvests usernames, passwords, session cookies, and authentication tokens from an infected device, then packages them and sends them to criminals — typically within minutes of infection.

Unlike ransomware, which makes itself known immediately by locking your files, an infostealer is designed to be invisible. It runs, takes what it needs, deletes itself, and leaves. By the time anyone checks, the damage is already done and the data is already in transit.


What the Research Found This Week

  • Whiteintel's Intelligence Division published findings on 24 March 2026 mapping the full infostealer lifecycle across active criminal marketplaces [^1]
  • Stolen corporate credentials are being listed for sale within 48 hours of the initial infection on dark web markets such as Russian Market and 2easy
  • The most active infostealer families currently in circulation include Lumma Stealer, StealC (which grew infections by 376% between Q1 and Q3 of 2024), and Vidar
  • Infostealer-as-a-Service subscriptions are available to criminals for as little as $200 per month — no technical skill required
  • 54% of ransomware victims in 2025 had their credentials appear in infostealer logs before the ransomware attack hit, according to Verizon's Data Breach Investigations Report
  • Small and medium businesses saw infostealer detections jump 104% year-on-year — a higher growth rate than large enterprises

The most significant finding for any Irish business that allows staff to use personal devices for work: 46% of infostealer-infected devices were personal or BYOD devices used to access corporate systems. Your endpoint security does not protect devices it does not manage.

Wondering whether your business credentials have already appeared in a dark web credential dump? That is exactly the kind of question a digital trust assessment answers. Book a free 20-minute strategy call — no sales pitch, no jargon.


How the Attack Works in Practice

The infection vectors are not exotic. They are ordinary mistakes that happen in any busy Letterkenny or Sligo office every week.

A staff member downloads what appears to be a free version of Microsoft Office or Adobe software from a search result. They click a link in a convincingly formatted email. They follow a YouTube tutorial and run the command it tells them to. They open an attachment that arrived through WhatsApp. In every case, the infostealer executes in the background while they carry on working.

Within two hours, the malware has accessed every browser credential database stored on the device. Every saved password for every site the user has ever visited — including your Microsoft 365 portal, your accounting software, your bank, your email — is now in a structured file called a log. Within 24 hours, that log is uploaded to a criminal server. Within 48 hours, it is listed for sale.

The buyer does not need to be sophisticated. They need €150 and a Telegram account. They search the log for your company domain, find your Microsoft 365 login, and test it. If there is no multi-factor authentication on the account, they are in. If there is SMS-based MFA, they may be able to bypass it through SIM-swapping or session cookie hijacking. The research confirms that infostealers specifically target the session cookies that keep you logged into cloud services — cookies that, once stolen, can bypass MFA entirely.


The BYOD Blind Spot

This is the specific risk that most small businesses have not addressed. When a member of your team uses their personal laptop or phone to access your Microsoft 365, your Google Workspace, your accountancy platform, or your CRM, that device is outside the reach of any security controls your business has put in place.

Your IT provider cannot see it. Your endpoint detection software is not installed on it. Your policies do not apply to it.

If that device is infected with an infostealer — and the research shows that personal devices are the single most common infection point — your corporate credentials are exposed regardless of how well-protected your office systems are.

For a Donegal SME with ten or twenty staff, it takes only one person's personal laptop to expose the entire Microsoft 365 tenant. The attacker does not need to compromise your network. They need to compromise one person's home device, and the front door to your business is open.


Why It Matters to Your Business Right Now

The consequences of infostealer compromise are not limited to the account that was stolen. One set of corporate credentials gives an attacker enough to move laterally through your business — accessing email, invoices, client data, financial systems, and cloud storage. The progression from stolen password to ransomware deployment can happen in under 48 hours, the same timeline as credential exposure itself.

Under GDPR and NIS2, a breach of customer or staff data triggers mandatory reporting obligations to the Data Protection Commission and, for businesses in regulated sectors, the National Cyber Security Centre Ireland. A single infostealer infection on a personal device could put your business in scope for both. The risk is not theoretical. It is priced on a Telegram channel right now.


What Next — Three Steps This Week

  1. Audit who accesses your corporate systems from personal devices. Make a list of every staff member who checks work email, accesses cloud storage, or logs into any business platform from a device your business does not own. That list is your exposure.

  2. Enforce MFA on every corporate account — but go beyond SMS. Session cookie theft can bypass SMS-based MFA. Where possible, move to authenticator apps or hardware keys for any account with access to financial systems, client data, or email. This is the single highest-impact control against infostealer-derived credential abuse.

  3. Consider a dark web credential monitoring service. Several reputable services monitor criminal marketplaces and alert you when your business domain appears in a stolen credential log. Knowing within hours of exposure — rather than after exploitation — is the difference between a near-miss and a reportable incident.
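
Steps 1 and 2 can be started from a sign-in log export. The script below is an added example, not part of the original research or of any vendor tool: it assumes records shaped like Microsoft Graph signIn objects (userPrincipalName, appDisplayName, authenticationRequirement, deviceDetail.isManaged), and the sample data and the function names byod_exposure and priority_order are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: records shaped like Microsoft Graph `signIn` objects
# exported as JSON. Users, apps and values are invented for illustration.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "aoife@example.ie", "appDisplayName": "Office 365 Exchange Online",
  "authenticationRequirement": "multiFactorAuthentication", "deviceDetail": {"isManaged": false}},
 {"userPrincipalName": "aoife@example.ie", "appDisplayName": "Office 365 SharePoint Online",
  "authenticationRequirement": "multiFactorAuthentication", "deviceDetail": {"isManaged": false}},
 {"userPrincipalName": "brian@example.ie", "appDisplayName": "Office 365 Exchange Online",
  "authenticationRequirement": "multiFactorAuthentication", "deviceDetail": {"isManaged": true}},
 {"userPrincipalName": "Brian@example.ie", "appDisplayName": "Microsoft Teams",
  "authenticationRequirement": "multiFactorAuthentication", "deviceDetail": {"isManaged": false}},
 {"userPrincipalName": "ciara@example.ie", "appDisplayName": "Accounting app (placeholder)",
  "authenticationRequirement": "singleFactorAuthentication", "deviceDetail": {"isManaged": null}}
]""")


def byod_exposure(signins):
    """Step 1: map each user to the apps they reach from unmanaged devices."""
    found = defaultdict(lambda: {"apps": set(), "single_factor": False})
    for rec in signins:
        device = rec.get("deviceDetail") or {}
        # Only an explicit isManaged=true counts as managed; a missing or
        # null value is treated as unmanaged so unknown devices surface.
        if device.get("isManaged") is True:
            continue
        user = (rec.get("userPrincipalName") or "").lower()
        if not user:
            continue
        found[user]["apps"].add(rec.get("appDisplayName") or "unknown")
        # Step 2: flag sign-ins where only a single factor was required.
        if rec.get("authenticationRequirement") == "singleFactorAuthentication":
            found[user]["single_factor"] = True
    return {u: {"apps": sorted(e["apps"]), "single_factor": e["single_factor"]}
            for u, e in sorted(found.items())}


def priority_order(exposure):
    """Users with single-factor sign-ins from unmanaged devices come first."""
    return sorted(exposure, key=lambda u: (not exposure[u]["single_factor"], u))


if __name__ == "__main__":
    exposure = byod_exposure(SAMPLE_SIGNINS)
    for user in priority_order(exposure):
        e = exposure[user]
        mfa = "SINGLE-FACTOR" if e["single_factor"] else "mfa"
        print(f"{user:22} {mfa:14} {', '.join(e['apps'])}")
```

The users at the top of the output are the ones whose stolen password alone would be enough to sign in from an attacker's device, so they are where MFA enforcement should start.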

In next week's post, we will look at how attackers are using those stolen credentials in a new way — not just to log in, but to make phone calls that sound exactly like your colleagues.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: Whiteintel Intelligence Division — Infostealer Lifecycle Research, March 24, 2026
[^2]: Verizon Data Breach Investigations Report 2025
[^3]: National Cyber Security Centre Ireland — Advice for Organisations
[^4]: Data Protection Commission Ireland — Data Breach Guidance

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
