Apr 23, 2025

Gaming Tops Credential Breaches, Gmail Dominates Compromised Emails

  • Credential compromises are most prevalent on gaming platforms, which account for 19% of all infections.
  • The data highlights Gmail's overwhelming presence in the email space, claiming a dominant share of 72.25% among the top 100 most affected domains.
  • 58% of compromised email providers were regional ones.

Since the inception of Zynap, and as one of our business pillars, our analysts have been collecting leaked credentials from numerous sources. With the launch of our blog today, where we will share many more insights from our exploration of the underground ecosystem, we present an overview and analysis of the most interesting findings from our collection of malware-compromised credentials during the latter half of January 2025. For this purpose, we selected a sample of 1.2 billion credentials to guide our analysis.

In this blogpost, we are sharing the following statistics with our readers: 

  1. Average password byte strength 
  2. Most affected domains
  3. Common username domains
  4. Analysis of infected devices: IPs and device type

As we continue to explore the evolving trends in credential theft and leakage, this blog will serve as a platform to discuss key insights from our ongoing research. These findings offer a closer look at the characteristics of compromised credentials, their potential implications, and a brief profile of the victims.

Statistics

Exploring the most affected domains

[Figure: post_stats.png]

Gaming platforms are the most affected category when it comes to the compromise of credentials, accounting for 19% of all infections. Among them, Roblox ranked in the top 3 most affected platforms, representing on its own 6.5% of all compromised credentials in the period. These findings led us to formulate a few hypotheses. Unlike most other gaming platforms, Roblox is used predominantly by children: according to the latest demographic statistics, 58% of Roblox daily users are younger than 16 years old [1]. One hypothesis is therefore that the high number of credentials stolen by infostealers is linked to children's online behaviour. The infection vectors require further analysis, but it is likely that these users search for game "hacks" and cheats on Discord and YouTube and inadvertently infect their devices with infostealers disguised as such tools. Recent studies by industry peers support this theory [2][3][4]. Furthermore, many children play on their parents' or family devices, where other sensitive credentials, such as banking and corporate logins, are also stored, so the potential exposure and risk become even more concerning: a Roblox infection may serve as an entry point for broader security threats affecting entire households.

Unsurprisingly, another platform heavily affected by credential theft is Facebook, accounting for 11.7% of total infections. With over 3 billion users worldwide [5], it is expected that even a small fraction of its user base falling victim to infostealers makes Facebook a significant contributor to global credential compromises.

Although no government platform appears individually in the top 10 most affected domains, it is striking that the government sector ranks second when categories are compared by the number of affected platforms rather than by credential volume. This is because the sector ranking considers every affected domain in each category, building a top 10 without weighting each domain by its share of the total compromised credentials. As a result, even though the number of government credentials involved was relatively low, the sector appears with multiple affected portals, underscoring a critical risk for citizens, with potentially severe implications for the confidentiality, integrity and availability (the CIA triad) of the information those portals hold. We identified multiple affected domains belonging to the Indian and Brazilian governments, with governmental portals from 9 countries in total being impacted. Notably, 6 of these countries are in Latin America, revealing both a significant gap in government information security management and a regional trend.

Analysis of domain patterns in usernames

Digging deeper into our research, we extracted the most common domains from the usernames of the compromised accounts. As expected, the major email providers lead the top 10: Gmail alone accounts for 72.25% of the addresses among the top 100 most affected domains, while regional providers make up 58% of the compromised email providers, as shown in the graph below:

[Figure: world_map.png]
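The two sector rankings discussed above (credential share versus number of distinct affected domains, which is what lifts the government sector into second place) and the username-domain extraction behind the graph are easy to reproduce on a raw credential dump. The Python below is an added example, not Zynap's code or dataset. It assumes the common infostealer-log layout of one `url:username:password` record per line; the sample lines, the sector map, the hand-rolled registrable-domain rule (a real pipeline would use the Public Suffix List) and the "regional provider" heuristic (a two-letter country-code TLD) are all constructed for illustration.

```python
"""Two rankings from an infostealer-log sample (credential share per domain and
per sector vs. number of distinct affected domains per sector), plus the e-mail
providers behind the usernames. Added example, not Zynap's code: the url:user:
password layout, sample lines, sector map and heuristics are all assumed."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample, no real credentials. Volume is skewed toward two consumer
# platforms while four government portals get one hit each, so the two sector
# rankings disagree, as in the post.
SAMPLE_LOG = """\
https://www.roblox.com/login:kidplayer01:P@ss:word
https://www.roblox.com/login:kid2@gmail.com:hunter2
https://web.roblox.com/:kid3@hotmail.com:roblox123
https://www.roblox.com/:coolgamer77:qwerty
https://www.roblox.com/login:kid5@gmail.com:Robux4Free
https://www.roblox.com/:kid6@gmail.com:freerobux!
https://www.facebook.com/:parent@gmail.com:Summer2024!
https://m.facebook.com/login:user7@uol.com.br:qwerty
https://www.facebook.com/login:user8@gmail.com:Fb!2024
https://www.facebook.com/:user9@web.de:passwort
https://www.facebook.com/:user10@gmail.com:Letmein1
https://store.steampowered.com/login:gamer11@gmail.com:Tr0ub4dor
https://store.steampowered.com/login:gamer12@yahoo.com:steam2025
https://portal.gov.br/login:citizen13@gmail.com:Brasil2025
https://servicos.gov.br/:c14@bol.com.br:senha123
https://login.gov.in/:someone15@gmail.com:India1!
https://www.argentina.gob.ar/login:persona16@yahoo.com.ar:clave
https://www.bancomercial.example/:acct17@gmail.com:Bank!23
"""

# url:user:password; the scheme is matched explicitly because it carries its own
# "://", and the password takes the rest of the line so an embedded ':' survives.
LINE_RE = re.compile(r"^(?P<url>(?:https?://)?[^:\s]+):(?P<user>[^:\s]+):(?P<pw>.*)$")
# Assumed sector map; government sites are matched on their public suffix so
# that each portal counts as a separate affected domain.
SECTOR = {"roblox.com": "gaming", "steampowered.com": "gaming",
          "facebook.com": "social", "bancomercial.example": "finance"}
GOV_SUFFIXES = (".gov.br", ".gov.in", ".gob.ar", ".gov")
# Second-level public suffixes under a ccTLD (gov.br, co.uk, ...); a real
# pipeline should use the Public Suffix List instead of this short list.
SECOND_LEVEL = {"gov", "gob", "co", "com", "org", "ac", "edu", "net"}

def registrable_domain(url: str) -> str:
    """store.steampowered.com -> steampowered.com, login.gov.in -> login.gov.in"""
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def sector_of(domain: str) -> str:
    if domain in SECTOR:
        return SECTOR[domain]
    return "government" if domain.endswith(GOV_SUFFIXES) else "other"

def parse(log: str):
    """Yield (target_domain, username, password) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield registrable_domain(m["url"]), m["user"], m["pw"]

def share(n: int, total: int) -> float:
    return round(100.0 * n / total, 2)

def domain_ranking(records):
    """Most affected target domains, as a share of all credentials."""
    counts = Counter(domain for domain, _, _ in records)
    total = sum(counts.values())
    return [(d, share(n, total)) for d, n in counts.most_common()]

def sector_rankings(records):
    """Same data, two orderings: by credential share and by number of distinct
    affected domains (the ordering in which government climbs)."""
    creds, domains = Counter(), defaultdict(set)
    for domain, _, _ in records:
        creds[sector_of(domain)] += 1
        domains[sector_of(domain)].add(domain)
    total = sum(creds.values())
    by_share = [(s, share(n, total)) for s, n in creds.most_common()]
    by_domains = sorted(((s, len(d)) for s, d in domains.items()),
                        key=lambda x: (-x[1], x[0]))
    return by_share, by_domains

def username_domain_ranking(records):
    """E-mail provider of each username (plain usernames are skipped) as a share
    of e-mail usernames, plus the fraction of providers under a two-letter
    country-code TLD, a rough proxy for "regional" providers."""
    providers = Counter(u.rpartition("@")[2].lower() for _, u, _ in records if "@" in u)
    total = sum(providers.values())
    ranking = [(p, share(n, total)) for p, n in providers.most_common()]
    regional = sum(1 for p in providers if len(p.rsplit(".", 1)[-1]) == 2)
    return ranking, share(regional, len(providers))

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print(domain_ranking(recs)[:3], *sector_rankings(recs), username_domain_ranking(recs))
```

On the constructed sample, gaming leads by credential share (44.44%) while government is third (22.22%); ranked by distinct affected domains, government comes first with four portals against gaming's two. That is exactly the effect described for the real dataset: a sector with little volume but many separate victims surfaces only in the second ordering. Usernames without an "@" (Roblox handles, for instance) are left out of the provider ranking rather than counted as a bogus domain.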

Conclusion

The findings highlight clear patterns in credential compromise: the dominance of Gmail among compromised email accounts, the prevalence of infections tied to gaming platforms such as Roblox, and the exposure of governmental portals, particularly in Latin America. High infostealer infection rates in Latin America further underline regional weaknesses and the need to strengthen security measures there.

But this is not the end of the story. We have decided to investigate the credential theft ecosystem in detail, and our next endeavor is to explore the business model, studying the potential costs and earnings of launching a credential theft campaign. Stay tuned!