KOM CLOUDSERVICE

Hackers Are Selling Custom Credential Searches for Your Business

Stolen passwords are now a search service — attackers can query for credentials tied to your specific company. Here's how to shut it down.

There’s now a market where a criminal can type in your company’s name and buy a list of your employees’ stolen passwords. Not a giant data dump they have to sift through — a targeted search, filtered down to your domain, your staff, your logins. That’s the business model researchers just pulled apart, and it changes how you should think about every password your team uses.

This week in brief

  • A WordPress plugin maker got backdoored at the source. Attackers broke into ShapedPlugin’s build and update system and slipped malicious code into its paid “Pro” plugins, which then went out through the official licensed update channel, per The Hacker News. If you run a WordPress site and use ShapedPlugin Pro products, an update you trusted may have installed the backdoor for you. Check your plugins.

  • A 29-year-old bug in the Squid proxy can leak other people’s web traffic. Nicknamed “Squidbleed,” it can spill another user’s cleartext HTTP requests — including credentials and session tokens — to anyone allowed through the same proxy. It’s live in the default configuration. Most small businesses don’t run Squid directly, but some appliances and hosting setups do under the hood.

  • Windows 11 26H2 is on the way. Microsoft confirmed the next feature update will install as a tiny “enablement package” for machines already on 24H2 or 25H2 — basically a quick restart. Older versions need the full 6.5 GB update. Nothing urgent, but plan for it this fall.

The one that matters: stolen passwords are now a search engine

Here’s how credential theft used to work. Malware called an infostealer would infect a computer, scrape every saved password, cookie, and autofill entry out of the browser, and ship it off to the criminal who deployed it. Those stolen logs got dumped into massive databases — billions of lines — and sold in bulk. A buyer got a giant pile and had to dig through it.

That friction is gone. Flare researchers analyzed 470 underground forum posts from January 2025 through June 2026 and found a whole service layer built around what they call “search your target.” Instead of buying a haystack, a criminal pays a seller to search their existing database for a specific company, domain, platform, or geography — and gets back only the matches. The output comes formatted and ready to use: email and password pairs, login and password pairs, even phone numbers tied to accounts.

Sit with that for a second. A criminal who wants into your accounting firm doesn’t need to find you. They describe you, and a broker delivers the credentials of any of your employees whose home or work machine got hit by an infostealer at some point. The employee’s laptop might have been cleaned up months ago. The stolen password is still in the database, still searchable, still for sale.

This sits right in the middle of the account-takeover chain. Infostealer infects a device. Logs get aggregated into private databases. A search broker extracts the rows that match a buyer’s request. The buyer validates them and uses them for fraud, phishing, crypto theft, or breaking into your business directly.

Now the good news, and it’s real. The buyer feedback in this research showed a big gap between the sales pitch and reality. Volumes are lower than advertised. A lot of the credentials are invalid, duplicated, or expired. People get into disputes over quality. Stolen passwords go stale — every time someone changes a password, the old one in that database becomes a dead end.

That tells you exactly what to do. Two things break this market for your business.

First, every login your team uses needs multi-factor authentication. A stolen password is worthless if the criminal can’t get past the second step. This is the single highest-value thing you can do, and most of the accounts that matter — Microsoft 365, your bank, your payroll system — support it for free. Turning it on across your environment is the core of what endpoint and identity protection is supposed to deliver.

Second, you need to know when a company device gets infected in the first place. Infostealers are the supply chain for this entire market. No infection, no stolen log, nothing to search. Real endpoint detection catches that malware before it ships your passwords off to a broker’s database. That’s the difference between a one-time scare and your credentials sitting in a searchable catalog for the next two years.

What to do right now

  • Turn on MFA everywhere it’s offered — starting with Microsoft 365, email, banking, and payroll. If a password gets stolen, this is what stops it from becoming a break-in. Microsoft 365 supports this for free.
  • Force a password reset for any employee who’s had a personal or work device compromised, or one you’re unsure about. A reset turns a live stolen credential into a dead one.
  • Put real endpoint detection on every company machine. Infostealers are the source of this whole problem. Catch them on the device and there’s nothing to sell.
  • If you run WordPress with ShapedPlugin Pro plugins, audit them now and update only from a clean, verified source. Assume a recent “update” could have carried the backdoor.
  • Stop reusing passwords across accounts. One stolen login shouldn’t unlock five others. A password manager handles this without anyone memorizing anything.
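One way to act on the reset and MFA items in the list above, as an added example that is not part of the KOM newsletter: a small Python triage script that joins exposure alerts from a credential-monitoring feed (account name and capture date only, never the stolen secret) against the directory's password-last-set dates and MFA status, and flags whose stolen password is still live. A credential captured after the last password change is treated as live; one captured before it is the "dead end" the research describes. The record shapes, field names and sample records are constructed for illustration.

```python
# Added example (not from the KOM newsletter): triage credential-exposure alerts against
# your own directory to decide who needs a password reset today and who needs MFA turned on.
# Record shapes and the sample records below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Exposure:
    """One alert from a monitoring feed. Only the account and the capture date are kept;
    the stolen secret itself is never stored or compared here."""
    username: str
    seen_on: date   # date the infostealer log was captured, as reported by the feed


@dataclass(frozen=True)
class Account:
    """What the identity directory knows about the account (hypothetical field names)."""
    username: str
    password_last_set: date
    mfa_enabled: bool
    active: bool = True


# Ordered from most to least urgent; triage() keeps the highest-ranked action per user.
ACTIONS = (
    "reset-now-enable-mfa",   # live password and no second factor: a break-in waiting to happen
    "reset-now",              # live password, MFA in place: still kill the credential
    "stale-enable-mfa",       # password already rotated, but the next theft would be a break-in
    "stale-ok",               # rotated and MFA on: the exposed credential is a dead end
    "disabled-ok",            # account disabled: nothing to log into
    "unknown-account",        # not in the directory: ex-employee, alias or personal address; review by hand
)


def classify(exposure: Exposure, account: Optional[Account]) -> str:
    """Decide the action for one exposure of one account."""
    if account is None:
        return "unknown-account"
    if not account.active:
        return "disabled-ok"
    # Captured on or after the last change: assume the stolen password is still valid.
    live = exposure.seen_on >= account.password_last_set
    if live:
        return "reset-now" if account.mfa_enabled else "reset-now-enable-mfa"
    return "stale-ok" if account.mfa_enabled else "stale-enable-mfa"


def triage(exposures: Iterable[Exposure], accounts: Iterable[Account]) -> Dict[str, str]:
    """Map each exposed username (lower-cased) to the most urgent action across all its alerts."""
    by_user = {a.username.lower(): a for a in accounts}
    result: Dict[str, str] = {}
    for e in exposures:
        key = e.username.lower()
        action = classify(e, by_user.get(key))
        prev = result.get(key)
        if prev is None or ACTIONS.index(action) < ACTIONS.index(prev):
            result[key] = action
    return result


def needs_reset(triaged: Dict[str, str]) -> List[str]:
    """Usernames whose password must be reset today, sorted for a stable ticket list."""
    return sorted(u for u, a in triaged.items() if a.startswith("reset-now"))


# Constructed sample data: four directory accounts and six feed alerts.
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", date(2026, 3, 1), mfa_enabled=True),
    Account("bob@example.com", date(2025, 6, 15), mfa_enabled=False),
    Account("carol@example.com", date(2026, 1, 10), mfa_enabled=True, active=False),
    Account("dave@example.com", date(2025, 11, 20), mfa_enabled=True),
]
SAMPLE_EXPOSURES = [
    Exposure("alice@example.com", date(2025, 12, 5)),   # rotated afterwards: stale
    Exposure("Bob@example.com", date(2025, 9, 1)),      # never rotated, no MFA: urgent
    Exposure("carol@example.com", date(2026, 2, 1)),    # disabled account
    Exposure("dave@example.com", date(2025, 10, 1)),    # old capture, rotated since
    Exposure("dave@example.com", date(2026, 1, 15)),    # newer capture: live again
    Exposure("erin@example.com", date(2026, 2, 20)),    # not in the directory
]

if __name__ == "__main__":
    triaged = triage(SAMPLE_EXPOSURES, SAMPLE_ACCOUNTS)
    for user, action in sorted(triaged.items()):
        print(f"{user:22} {action}")
    print("reset today:", ", ".join(needs_reset(triaged)))
```

Two design points: usernames are compared case-insensitively because feeds and directories rarely agree on casing, and the "on or after" comparison errs toward resetting when the capture date equals the change date, since a reset is cheap and a live credential is not.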

If your team is logging into a dozen business apps and you’re not sure MFA is actually turned on across all of them, that’s worth a look — it’s exactly the kind of thing we sort out for small businesses every week. Book a free 15-minute consult and we’ll tell you where you stand.

Talk to the person who'll actually run your IT.

Book a free 15-minute consult. No sales pitch from a stranger — a straight conversation about what your business needs.

Book your free consult

Or call (732) 701-7012