Update, March 27, 2025: This story, originally published March 25, has been updated with new research into the effectiveness of passkeys as a more secure replacement for passwords.
Don’t say you weren’t warned. The threat from infostealer malware has been made pretty clear as billions of passwords are reported compromised, 85 million of the newest being used in ongoing attacks, and even two-factor authentication in isolation might not be enough to save you as hackers use session cookies to bypass 2FA code protections. That threat has just been amplified by a report revealing how an automatic hacking machine called Atlantis AIO is using millions of stolen passwords to gain access to email, VPN, streaming services and even food delivery accounts. The takeaway, if you’ll pardon the pun, is to stop using your passwords now.
Atlantis AIO: An Automatic Hacking Machine Using Stolen Passwords By The Million
Credential stuffing is not new; let’s make that clear right from the start. However, it is a very dangerous attack methodology and is becoming increasingly so. Attackers are always looking to develop new tools that can help them carry out their attacks, as I reported March 15 after leaked Black Basta ransomware group internal chat logs revealed how it was using an automated brute-force attack framework. As the terms brute-force and credential stuffing both suggest, these attacks essentially hammer an account with as many username and password combinations as possible in the hope that one will be correct and gain entry. OK, so that’s the simplified explanation, but by using lists of stolen or compromised credentials readily available from dark web marketplaces and in various criminal forums, it’s possible for hackers to access other accounts that share the same passwords.
A March 25 threat intelligence report from Abnormal Security has sounded the alarm about an automatic hacking machine, known as Atlantis AIO, that can take these millions of stolen passwords and use them in just such credential stuffing attacks.
“Atlantis AIO has emerged as a powerful weapon in the cybercriminal arsenal,” Abnormal Security analysts said, “enabling attackers to test millions of stolen credentials in rapid succession.” Where Atlantis excels, however, is in providing pre-configured modules to automate the targeting of specific services, from email providers such as Hotmail, Yahoo, AOL, GMX, and Web.de, to streaming services, VPNs, financial institutions, and even food delivery services. In fact, the report revealed the Atlantis AIO hacking machine can be aimed at more than 140 different platforms.
Atlantis AIO Quickly Tests Stolen Passwords At Scale
“By offering pre-configured modules for targeting a range of platforms and cloud-based services,” the threat intel report warned, “it allows cybercriminals to launch credential stuffing attacks at scale with minimal effort.” The secret to the success of this automatic hacking machine is its modular approach. This can be demonstrated across three areas.
- Specialized modules for email attacks that enable hackers to rapidly probe accounts for popular platforms. But as well as just probing with those stolen passwords, Atlantis AIO has an inbox takeover feature that allows a hacker to control the account for further malicious purposes.
- Brute-force attack modules allow for the rapid cycling of commonly used or weak username and password combinations to quickly gain access to accounts with poor protection, even if the password hasn’t been compromised per se.
- Recovery modules targeting various services to enable CAPTCHA and similar security protections to be bypassed. An auto-doxer recovery feature even automates the account recovery process to streamline the account takeover and make it much easier to execute large-scale attacks.
The use of a password manager to ensure unique and strong passwords for every account, along with two-factor authentication for all your accounts, can help mitigate this kind of attack. The most pertinent advice is not to share passwords between accounts; follow it.
Stop Using Passwords Now
A new report into the state of passwordless identity assurance has provided a fascinating deep dive into the latest trends driving the adoption of passkeys. The analysis by identity assurance specialists HYPR includes insights from chief information security officers and security architects to reveal the growing need for an alternative to passwords. Although I know we have heard this before, the report predicted that passkeys are set to replace vulnerable password-based systems within the next two years. I can only hope that is true, but it has been relatively slow-going so far when it comes to convincing both organizations and consumers to make the change.
The report also revealed the shocking state of the password-driven security landscape. The findings are skewed toward the HR industry, but the general trends seem to be industry agnostic in my experience.
- 95% of organizations reported deepfake incidents during 2024.
- 49% of companies experienced breaches over the past year, with 87% linked to identity vulnerabilities.
- 47% of the breaches mentioned above were driven by credential misuse, 41% by privileged access abuse, 36% by social engineering attacks and 35% by 2FA bypass attacks.
There is some good news in all of this: for the first time in the report’s history, passwordless and FIDO-based authentication methods are gaining significant traction, with 46% of respondents now utilizing them. Passkeys are starting to become accepted as the secure alternative to passwords. “We are in the midst of The Identity Renaissance, a period of profound transformation,” Bojan Simic, CEO of HYPR, said. “Phishing-resistant authentication, led by FIDO passkeys, is poised to redefine how we secure digital identities, not just by replacing passwords, but by fundamentally shifting our approach to managing and verifying identities.”
Yet, despite all this, far too many organizations are still embracing not only outdated authorization practices but ones that have been proven to be dangerous, as the automatic password hacking machine news attests. When it comes to passwords, HYPR found that 40% of organizations were sticking with them, and 52% with 2FA methods that are less secure than passkeys.
“This report highlights a key moment in identity security,” Garrett Bekker, principal research analyst at S&P Global Market Intelligence 451 Research, said. “Organizations must now prioritize the deployment of phishing-resistant authentication such as FIDO passkeys and other modern identity verification tools,” Bekker continued, “not as a future aspiration, but as a core component of their immediate risk mitigation strategy.” Any failure to do so leaves them exposed to escalating threats, and it’s becoming increasingly clear that everyone, including consumers, needs to stop using passwords now. At least it’s not just me continually and loudly singing from that hymn sheet anymore.