Stolen credentials are a direct threat to law firms and CPA firms. In its June 17, 2026 report, “24 Billion Stolen Records Exposed Online: Here’s What to Do,” Malwarebytes reported that researchers found a public database holding about 24 billion credential records.
According to Malwarebytes, the database held more than 8.3 terabytes of data from 36 sources. These sources included prior data breaches, Telegram channels and logs taken by infostealer malware. Some records included usernames, email addresses, passwords and the websites tied to those logins.
However, the database does not represent 24 billion newly hacked people. It likely includes old records and many copies of the same data. Even so, large sets of stolen credentials give criminals an easy way to search, sort and test passwords against many online services.
Therefore, law firms and CPA firms should not treat this as another distant data breach. Instead, they should check for exposed accounts, stop password reuse, secure user devices and review cloud accounts for signs of misuse.
Why Stolen Credentials Put Professional Firms at Risk
Stolen credentials often lead to account takeover. For example, a criminal may try an exposed email address and password against Microsoft 365, Google Workspace, banking sites, payroll tools and other business systems.
This method works because many people reuse passwords. As a result, a password stolen from an old shopping website may still unlock a current business account.
Law firms and CPA firms face added risk because they hold both private data and financial details. In addition, clients trust these firms to handle urgent requests, tax files, legal records and payment instructions.
A stolen email account may expose:
- Client messages
- Tax returns
- Social Security numbers
- Payroll files
- Bank details
- Legal plans
- Settlement data
- Wire instructions
- Personal identity records
- Confidential attachments
Criminals can also use a real mailbox to study how a firm works. Then, they can send a fake payment request at the right time and in the right tone.
For more detail, review why CPA firms and law firms need dark web monitoring.
What Infostealers Add to the Stolen Credentials Risk
Many records in the database came from infostealer malware. Unlike a normal website breach, an infostealer runs on a user’s computer and collects data from that device.
For example, an infostealer may collect:
- Saved browser passwords
- Email addresses
- Login URLs
- Browser cookies
- Active login tokens
- Autofill data
- Device details
- Crypto wallet data
- Messaging account details
Most importantly, stolen cookies and login tokens may let a criminal use an active session. Therefore, the criminal may not need to enter the password again.
Because of this, changing a password may not be enough. The firm may also need to clean the device, end open sessions and remove unknown apps or login methods.
Seven Steps to Reduce the Risk From Stolen Credentials
1. Find Stolen Credentials and Reused Passwords
First, check company email addresses against trusted breach and dark web tools. The review should cover current staff, former staff, partners, owners, admins and outside vendors.
Next, identify passwords that were reused across more than one system. A password should never be used for both a personal account and a work account.
However, a breach check is only the starting point. The firm must also learn whether the password is still active and whether someone has already used it.
The firm’s IT or security team should review:
- Failed login attempts
- Logins from unusual places
- New MFA methods
- Unknown devices
- New admin accounts
- Changes to recovery details
- New mailbox rules
- Unknown apps with account access
2. Clean the Device Before Resetting Stolen Credentials
If an infostealer may be involved, secure the computer before changing the password. Otherwise, the malware may simply steal the new password.
First, disconnect the device from the network if there are signs of active malware. Then, have the security team scan, clean or replace the device.
After the device is known to be safe:
- Reset the affected password.
- End all active sessions.
- Revoke login tokens.
- Remove unknown apps.
- Review MFA settings.
- Check recent account activity.
This order matters. Changing the locks does little good when the burglar is still sitting in the conference room.
3. Stop Password Reuse
Every business account should have its own password. Therefore, employees should use a managed business password manager rather than trying to remember dozens of logins.
A password manager can create long, unique passwords and store them in a protected vault. In addition, access can be removed when an employee leaves.
Shared passwords should also be limited. Instead, each employee should use an individual account whenever the system allows it.
Current NIST password guidance supports the use of password managers. It also calls for checks against passwords found in known breach lists.
4. Use Strong MFA Against Stolen Credentials
Multifactor authentication, or MFA, adds another check after the password. As a result, a stolen password alone may not be enough to enter the account.
MFA should protect:
- Microsoft 365
- Google Workspace
- Remote access
- VPN accounts
- Tax software
- Legal software
- Payroll tools
- Banking sites
- Cloud storage
- Password managers
- Admin portals
However, not every form of MFA offers the same level of safety. Text messages are better than passwords alone, but app-based codes, passkeys and security keys are stronger.
Therefore, firms should use passkeys or FIDO2 security keys for partners, admins, finance staff and anyone who can approve payments.
5. Review Email and Cloud Accounts
Next, review Microsoft 365, Google Workspace and other cloud platforms for signs of misuse.
Look for:
- Logins from unexpected countries
- “Impossible travel” alerts
- Unknown mobile devices
- New email forwarding rules
- Deleted security alerts
- New inbox rules
- New app approvals
- Changes to MFA
- New guest users
- New admin rights
Attackers often create mailbox rules that hide replies or send copies of email to another address. Therefore, an account may still look normal while the attacker quietly watches it.
In addition, review shared mailboxes and old user accounts. These accounts are often missed during routine checks.
6. Protect Payments From Stolen Credential Fraud
A stolen email account can make a fake request look real. Therefore, firms should never approve a financial change based on email alone.
Always confirm:
- New wire instructions
- Bank account changes
- Payroll updates
- Direct deposit changes
- Vendor payment changes
- Requests for tax records
- Gift card requests
- Urgent money transfers
Use a known phone number or another trusted method. Do not use the phone number listed in the email asking for the change.
Also, require a second person to approve large or unusual payments. This simple step can stop a costly mistake.
7. Test the Stolen Credentials Response Plan
Finally, test the firm’s response plan before an account is hacked.
The plan should explain how to:
- Isolate an infected device.
- Save logs and other proof.
- Reset accounts from a safe device.
- End open sessions.
- Review email and cloud activity.
- Contact the cyber insurance company.
- Decide whether clients must be told.
- Record what happened.
- Fix the cause.
A written plan is useful. However, a tested plan is far better. A plan that has never been tested is mostly hope with page numbers.
Stolen Credentials and Law Firm Duties
Law firms have a duty to take reasonable steps to protect client data. Therefore, firm leaders cannot treat password safety as only an IT issue.
Reasonable safeguards may include:
- MFA on all key accounts
- Strong access controls
- Safe data backups
- Security training
- Device monitoring
- Email protection
- A written response plan
- Regular risk reviews
In addition, outside IT support does not remove the firm’s duty to understand its risks. Leadership must still ask what controls are in place and whether they work.
Learn more about reasonable cybersecurity safeguards for law firms.
Stolen Credentials and CPA Firm Compliance
CPA firms and tax firms hold large amounts of private financial data. Therefore, stolen credentials can create both a security event and a compliance problem.
The FTC Safeguards Rule requires covered firms to maintain a written security program that fits their size, work and level of risk.
For example, a CPA firm may need:
- A written risk review
- A current Written Information Security Plan
- MFA
- Access controls
- Data encryption
- Staff training
- Vendor oversight
- System monitoring
- A response plan
In addition, CPA firms should secure the systems that hold tax and client data. Review our guide on how to secure tax software for CPA firms.
Firms can also review the compliance standards supported by IT Fusion.
Frequently Asked Questions About Stolen Credentials
What are stolen credentials?
Stolen credentials are login details taken through malware, phishing, data breaches or infected devices. They may include usernames, passwords, cookies and login tokens.
What is credential stuffing?
Credential stuffing happens when criminals test stolen usernames and passwords against many websites. It works best when a person has reused the same password.
Should every employee change every password?
Not always. However, any password that was exposed, reused or tied to odd account activity should be changed at once.
Before the reset, make sure the device is clean. Then, end open sessions and check for unknown login methods.
Can MFA stop the use of stolen credentials?
MFA greatly lowers the risk. However, it is not a complete fix. Criminals may still use fake login pages, stolen tokens or repeated approval prompts.
Therefore, firms also need secure devices, user training, account checks and a response plan.
How can a firm find stolen credentials?
A firm can use breach checks, dark web monitoring and cloud login reports. However, these tools should be reviewed by someone who can judge whether the account is still at risk.
About the Malwarebytes Report
This article was prepared in response to the Malwarebytes report, “24 Billion Stolen Records Exposed Online: Here’s What to Do.”
Malwarebytes reported that the database included data from older breaches, Telegram channels and infostealer logs. Although the total likely includes repeat records, the report shows how easily stolen credentials can be gathered and used.
The Bottom Line on Stolen Credentials
Stolen credentials should not cause panic. However, they should end the belief that a strong password alone is enough.
Law firms and CPA firms should assume that some staff passwords have appeared in a breach at some point. Therefore, firms need unique passwords, strong MFA, safe devices, account monitoring and a tested response plan.
IT Fusion helps law firms and CPA firms protect Microsoft 365, secure computers, monitor for exposed accounts and meet key security rules.
Schedule a cybersecurity review with IT Fusion to learn where your firm may be at risk.
At IT Fusion, we are Always on Guard.

