Cybercriminals have intensified their efforts to steal and sell online passwords, experts warn. The alarm comes after the discovery of online datasets containing billions of exposed account credentials. 

The 30 datasets comprised a whopping 16 billion login credentials across multiple platforms, including Apple, Google and Facebook, and were first reported by Cybernews researchers last week. 

The exposures were identified over the course of this year by Volodymyr Diachenko, co-founder of the cybersecurity consultancy Security Discovery, and are suspected to be the work of multiple parties.

“This is a collection of various data sets that appeared on my radar since the beginning of the year, but they all share a common structure of URLs, login details and passwords,” Diachenko told CNBC. 

According to Daichenko, all signs point to the leaked login information being the work of “infostealers” — malware that extracts sensitive data from devices, including usernames and passwords, credit card information and online browser data. 

While the lists of logins are likely to contain many duplicates as well as outdated and incorrect information, the overwhelming volume of findings puts into perspective how much sensitive data is circulating on the web. 

It should also raise alarms on how infostealers have become the “cyber plague” of today, Daichenko said. “Someone, somewhere, is having data exfiltrated from their machines as we speak.”

Daichenko was able to detect the exposed data because their owners had temporarily indexed them on the web without a password lock. Inadvertently shared data leaks are often caught by Security Discovery, but not at scales seen so far this year.

Consequently, there’s been an uptick in high-profile infostealer attacks. For example, in March, Microsoft Threat Intelligence disclosed a malicious campaign using infostealers that had affected nearly 1 million devices globally. 

Infostealers typically gain access to victims’ devices by tricking them into downloading the malware, which can be hidden in everything from phishing emails to phony websites to search engine ads.

The motive behind infostealer attacks is usually financial, with attackers often looking to directly take over bank accounts, credit cards, and cryptocurrency wallets or commit identity fraud. 

Cybercriminals can use stolen credentials and other personal data for purposes such as crafting highly convincing, personalized phishing attacks and blackmailing individuals or organizations. 

According to Palo Alto’s Green, the scale and dangers of those types of infostealers have intensified, thanks to the growing prevalence of underground markets that offer “cybercrime-as-a-Service,” in which vendors charge customers for malicious tools, sensitive data and other illicit online services.

“Cyber crime-as-a-Service is the critical enabler here. It has fundamentally democratized cybercrime,” Green said.

Those underground markets — often hosted on the dark web — create demand for cybercriminals to steal personal information and then sell that to scammers. 

In that way, data breaches become about more than just the individual accounts — they represent a “vast, interconnected web of compromised identities” that can fuel subsequent attacks, Green said. 

According to Diachenko, it’s likely that at least some of the compromised login datasets he identified had or will be traded to online scammers. 

On top of that, malware kits and other resources that can help to facilitate infostealer attacks can be found on those markets. 

CNBC has reported on how the availability of those tools and services has significantly lowered technical barriers for aspiring criminals, allowing sophisticated attacks to be executed at a massive, global scale. 

The report found that infostealer attacks grew by 58% in 2024.

In addition to frequent password updates, individuals will need to be more alert about the increasing amount of malware hiding in illegitimate software, applications and other downloadable files, Valenzuela said. He added that the use of multi-factor authentication on accounts has become more important than ever.

From a corporate perspective, it’s important to adopt a “zero trust architecture” that not only constantly authenticates the user, but also authenticates the device and user’s behavior, he added.  

Governments have also been doing more to crack down on infostealing activities in recent months.

In May, Europol’s European Cybercrime Centre said it had collaborated with Microsoft and global authorities to disrupt the “Lumma” infostealer, which it called “the world’s most significant infostealer threat.”

The U.S. and China are usually top of mind when it comes to artificial intelligence and generative AI. But Southeast Asia’s small businesses have huge potential that shouldn’t be ignored, experts say.

In fact, it’s a matter of survival, according to Jochen Wirtz, a professor of marketing at the National University of Singapore Business School, who said those that fall behind will be “moved into a franchise business or will be pushed out of the market by bigger players who do it.”

“Either you grow and adopt, or you die,” he added.

AI and genAI will contribute about $120 billion to the region’s gross domestic product by 2027, Boston Consulting Group projected in an April report titled “Unlocking Southeast Asia’s AI Potential,” which cited the technology’s potential to “redefine business processes and unlock new revenue streams.” And Google’s e-Conomy SEA 2024 report found that Singapore, the Philippines and Malaysia are ranked among the top 10 globally for AI-related searches and demand, indicating “curiosity” and an “active interest” within the region.

Youth is an advantage. Among surveyed countries in the Asia-Pacific, Vietnam, Malaysia and the Philippines have the highest percentage of business owners or leaders under 40 years of age, according to CPA Australia’s Small Business Survey 2024-25.  

For countries such as Vietnam, “the future is bright because … it’s a very young population, is a very internet-savvy population,” said Soumik Parida, associate program manager of the professional communication program at RMIT University Vietnam’s School of Communication and Design. “They are starting to have a global voice and they’re very easy to adapt any new technology,” he added.

Here’s how some of the region’s businesses are using it to stay on top of the competition — as well as the opportunities and roadblocks they face.

Customer service is the leading use case in Southeast Asian e-commerce, followed by marketing and advertising, according to a joint report by Lazada and Kantar about AI adoption trends in the six largest economies in Southeast Asia. Also known as the ASEAN-6, they comprise Singapore, Malaysia, Vietnam, Indonesia, the Philippines and Thailand.

A McKinsey survey released in March revealed a similar trend: Companies have adopted genAI for marketing and sales, with tech companies leading the charge. It also showed that most adopters are using the technology to generate text, with 63% of surveyed companies reporting that they do so.

GenAI presents a unique boon for a region as linguistically diverse as Southeast Asia: Aside from writing personalized marketing messages, it can also translate promotional texts into different languages.

For example, Lita Global, an Indonesia-based social media platform for gamers, is benefiting a lot from that. Since integrating OpenAI’s models in the second half of last year, it said, it has been able to host almost twice as many online gaming events monthly, thanks to greater efficiency.

That’s a big boost for its business, since every event can raise weekly revenues by an average of 20%, the company said. 

With genAI, employees can quickly translate announcements about events from English to Southeast Asian languages, such as Vietnamese and Thai, to reach more users in the region. And that frees them up — time originally used for writing, translating and formatting promotional text can now be used for organizing more revenue-generating events, according to Lita Global.

The company also uses genAI in its chat function to recommend responses to users. Lita Global is a social platform where users can hire other gamers to play with them online.

Gamers for hire typically chat with users before an order is placed for a gaming session. But that can be difficult when demand for gamers is high and gamers for hire are busy with other matches. Gamers for hire who use the AI-recommended responses have seen a 10% to 20% uptick in orders, said Lita Global’s CEO Yihao Zhang.

“So we’re using AI to really help them to improve their efficiency, to help them to be more available to the users,” Zhang said.

Another way Southeast Asian MSMEs (micro, small and medium enterprises) can use genAI in marketing is through AI livestreaming. Google’s SEA e-Conomy report noted that live shopping has become more popular in the region. Live shopping, or livestreaming, usually involves a host showcasing the products for sale. Not only does this include clothing try-ons, but shoppers can also ask questions in the comments section, which are answered in real time.

While livestreams are traditionally hosted by humans in studios, MSMEs may lack the funds or technical know-how to execute regular livestreams to boost sales. AI livestreaming can open doors to new opportunities for sellers, said Jensen Wu, CEO of TopviewAI.

TopviewAI says on its website that its AI livestreaming services can cost around $1 per minute. Instead of spending on studio rental, samples of the merchandise and labor of human hosts, companies can have one person monitor the livestream, Wu said. That helps lower costs while boosting sales, making for a “pretty good” return on investment, he added.

Meta on Wednesday prevailed against a group of 13 authors in a major copyright case involving the company’s Llama artificial intelligence model, but the judge made clear his ruling was limited to this case.

U.S. District Judge Vince Chhabria sided with Meta’s argument that the company’s use of books to train its large language models, or LLMs, is protected under the fair use doctrine of U.S. copyright law.

Lawyers representing the plaintiffs, including Sarah Silverman and Ta-Nehisi Coates, alleged that Meta violated the nation’s copyright law because the company did not seek permission from the authors to use their books for the company’s AI model, among other claims.

Notably, Chhabria said that it “is generally illegal to copy protected works without permission,” but in this case, the plaintiffs failed to present a compelling argument that Meta’s use of books to train Llama caused “market harm.” Chhabria wrote that the plaintiffs had put forward two flawed arguments for their case.

“On this record Meta has defeated the plaintiffs’ half-hearted argument that its copying causes or threatens significant market harm,” Chhabria said. “That conclusion may be in significant tension with reality.”

Meta’s practice of “copying the work for a transformative purpose” is protected by the fair use doctrine, the judge wrote.

“We appreciate today’s decision from the Court,” a Meta spokesperson said in a statement. “Open-source AI models are powering transformative innovations, productivity and creativity for individuals and companies, and fair use of copyright material is a vital legal framework for building this transformative technology.”

Though there could be valid arguments that Meta’s data training practice negatively impacts the book market, the plaintiffs did not adequately make their case, the judge wrote.

Attorneys representing the plaintiffs did not respond to a request for comment.

Still, Chhabria noted several flaws in Meta’s defense, including the notion that the “public interest” would be “badly disserved” if the company and other businesses were prohibited “from using copyrighted text as training data without paying to do so.”

“Meta seems to imply that such a ruling would stop the development of LLMs and other generative AI technologies in its tracks,” Chhabria wrote. “This is nonsense.”

The judge left the door open for other authors to bring similar AI-related copyright lawsuits against Meta, saying that “in the grand scheme of things, the consequences of this ruling are limited.”

“This is not a class action, so the ruling only affects the rights of these thirteen authors — not the countless others whose works Meta used to train its models,” he wrote. “And, as should now be clear, this ruling does not stand for the proposition that Meta’s use of copyrighted materials to train its language models is lawful.”

Additionally, Chhabria noted that there is still a pending, separate claim made by the plaintiffs alleging that Meta “may have illegally distributed their works (via torrenting).”

Earlier this week, a federal judge ruled that Anthropic‘s use of books to train its AI model Claude was also “transformative,” thus satisfying the fair use doctrine. Still, that judge said that Anthropic must face a trial over allegations that it downloaded millions of pirated books to train its AI systems.”

“That Anthropic later bought a copy of a book it earlier stole off the internet will not absolve it of liability for the theft, but it may affect the extent of statutory damages,” the judge wrote.

WATCH: Meta pushes back on ban of WhatsApp on devices used by House of Representatives.