48 Hours Too Late: Why Your Breach Warning Was Already in the Infostealer Data

78% of recently breached organizations had corporate credentials sitting in infostealer logs before the breach was ever detected. The 48-hour window is not a countdown to disaster. It is the window where the attack can still be stopped.

When a breach investigation begins, forensic teams reconstruct what happened: which system was accessed, which account was used, how the attacker moved through the environment. What they rarely reconstruct is what happened before the breach, in the weeks or months where the warning signs were present and no one was looking in the right place.

Constella’s 2026 Identity Breach Report documents a pattern that plays out across organization after organization: 78% of recently breached companies had corporate credentials appearing in infostealer logs within six months of their breach. The infostealer infection was not a side effect of the breach. It was the precursor. The credentials were harvested, packaged, and circulating in the adversary ecosystem long before the first lateral movement, long before the first encrypted file, long before the first ransom note.

The 48-hour window that security teams need to understand is not how long an attacker needs to compromise a network. It is how long the intelligence that could have prevented the breach was available before anyone acted on it. The question every security leader should be asking is not how fast attackers move. It is how visible the warning was, and whether the team had any way to see it.

What Gets Stolen and Why It Matters

Modern infostealers are not simple password scrapers. In 2025, Constella processed 51.7 million infostealer packages, a 72% year-over-year increase, identifying 24.8 million unique infected devices. The data inside those packages tells the full story of what attackers are collecting and why.

  • 6% of packages contained active passwords
  • 54% included the specific URLs where those credentials were used, giving attackers a direct, automated map to every account
  • 56% contained email addresses
  • 80% contained usernames
  • 51% contained hardware identifiers that allow device fingerprinting and impersonation

The password matters less than people assume. The most operationally dangerous element in an infostealer log is the session cookie. When a user logs into any service and their browser stores a session token, that token represents an already-authenticated state. An attacker who steals that token does not need a password. They do not trigger a login event. They are not challenged for MFA. They simply import the cookie, inherit the active session, and have full authenticated access to every system the user was logged into at the time of infection.
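To make the session-cookie point concrete from the defender's side, here is an added example (not Constella's code and not from the original post) of server-side session handling that binds each session to the client context seen at a genuine login, treats the same token presented from a different context as a possible replay, and exposes the per-user revocation a team would call when an exposure alert arrives. The in-memory store, the fingerprint scheme (user agent plus a coarse /16 network prefix), the field names and the eight-hour lifetime are all assumptions.

```python
"""Session binding, replay tripwire and revocation for stolen session cookies.

Added example, not code from Constella or the original post. It assumes an
opaque server-side session id, a store that binds each session to the client
context observed at login, and a per-user revocation hook called when an
exposure alert arrives. All names and the fingerprint scheme are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    issued_at: float
    context_hash: str                     # client context bound at login
    revoked: bool = False
    anomalies: list = field(default_factory=list)


class SessionStore:
    """In-memory stand-in for a server-side session store (constructed)."""

    def __init__(self, max_age_s: int = 8 * 3600):
        self.sessions: dict[str, Session] = {}
        self.max_age_s = max_age_s

    @staticmethod
    def fingerprint(user_agent: str, ip: str) -> str:
        # Bind to a coarse /16 prefix so moving within the same network does not
        # trip the check, while a replay from an unrelated network does.
        prefix = ".".join(ip.split(".")[:2])
        return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()

    def login(self, user: str, user_agent: str, ip: str, now: float) -> str:
        # The only place a session is created: a genuine, MFA-checked login.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, self.fingerprint(user_agent, ip))
        return sid

    def validate(self, sid: str, user_agent: str, ip: str, now: float) -> tuple[bool, str]:
        """Check a presented cookie. A replayed token arrives with no login event,
        so this per-request check is the only point at which it can be caught."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "unknown"
        if s.revoked:
            return False, "revoked"
        if now - s.issued_at > self.max_age_s:
            return False, "expired"
        if s.context_hash != self.fingerprint(user_agent, ip):
            # Same token, different client context: treat as a possible replay,
            # kill the session and force a fresh (MFA-challenged) login.
            s.anomalies.append((now, ip, user_agent))
            s.revoked = True
            return False, "context_mismatch"
        return True, "ok"

    def revoke_user(self, user: str) -> int:
        """Exposure response: invalidate every live session for the user.
        Returns how many sessions were newly revoked."""
        count = 0
        for s in self.sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count
```

The context binding is a tripwire, not a guarantee: user agent and source network are observable by whoever holds the stolen log, so the decisive control remains `revoke_user` when the exposure alert arrives, with the session lifetime capping how long a harvested token stays usable at all.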

This is why 68.89% of all breached credentials in Constella’s 2025 data appeared in plaintext, a 261% year-over-year increase. It is not because organizations stopped hashing passwords. It is because infostealers harvest credentials directly from memory and active sessions, after authentication has already occurred, which makes the hash entirely irrelevant.

The Pipeline From Infection to Intrusion

The path from infostealer infection to enterprise breach follows a consistent pattern that Constella’s data and broader industry research both confirm.

  • Infection occurs outside the corporate perimeter. Employees download cracked software, click malvertising, install compromised plugins, or receive malicious links from apparently trusted sources. Contractor and personal devices, which have no EDR coverage and sit entirely outside corporate visibility, are common infection points. The malware executes silently, often self-deleting after the harvest to avoid detection.
  • The harvest is immediate and comprehensive. Browser databases, session cookies, saved credentials, VPN configurations, cloud tokens, and SSH keys are collected in minutes. The harvested data is compressed into a structured log containing credentials, tokens, URLs, and system metadata.
  • Logs enter the underground economy quickly. Packaged logs are uploaded to dark web marketplaces and private Telegram channels. Freshness commands a premium because session tokens expire. Initial access brokers purchase logs containing enterprise credentials, validate the access, and resell curated entry points to ransomware affiliates at significant markup.
  • Exploitation follows the purchase. Verizon’s 2025 Data Breach Investigations Report found that 54% of ransomware victims had domain credentials present in stealer log marketplaces before the attack. The credential exposure was detectable. The breach was the consequence of not detecting it.

Why Traditional Controls Cannot See This

Every stage of this pipeline is specifically designed to operate outside the visibility of conventional enterprise security.

  • EDR and endpoint security monitor managed corporate devices. Infostealers frequently execute on personal laptops and contractor devices with no corporate agent installed. The infection never touches a monitored asset.
  • MFA protects the moment of login. It cannot protect a session cookie that was stolen from a browser where login had already happened. No authentication event occurs when a stolen cookie is replayed.
  • Network monitoring detects anomalous traffic from within the perimeter. Infostealers exfiltrate data from devices that are never on the corporate network. There is no perimeter traffic to detect.
  • Standard dark web monitoring scans publicly known breach databases and forum keyword mentions. Infostealer logs move through private markets, Telegram channels, and underground infrastructure that basic monitoring tools do not index.

The structural problem is that all of these controls look inward. The infostealer exposure happens outward, in the adversary ecosystem, in the 48-hour window before the breach begins.

The 48-Hour Window Is Where Constella Operates

The gap between when credentials appear in the adversary ecosystem and when they are purchased and exploited is measurable and actionable. It is also the window that most organizations have no visibility into.

Constella’s data lake holds 54.6 billion curated records built across 15 years of intelligence collection spanning 125 countries and 53 languages. In 2025, our agentic AI automation hunted 159% more breaches than the prior year, reaching transient data dumps, private marketplace infrastructure, and underground channels that surface-level monitoring tools never see. The result is earlier, richer, more actionable visibility into the exact credential exposure that precedes enterprise compromise.

When Constella identifies that an employee’s credentials have appeared in an infostealer package, the alert includes full context: which accounts were compromised, which URLs were targeted, whether session tokens were included, and the risk score of the exposure. Security teams receive the intelligence they need to act during the window when action still changes the outcome.

  • Invalidate the session and rotate the credential before the log is purchased and exploited
  • Investigate the infected device to identify the vector and prevent spread to other accounts
  • Scan the associated package for other compromised accounts from the same organization
  • Prioritize response by access level, flagging VPN credentials, SSO tokens, and admin accounts first

That is the 48-hour window. Not a deadline. An opportunity.

What Security Teams Should Change Now

  • Reframe infostealer exposure as a ransomware precursor, not a credential hygiene problem. The 78% figure from our Identity Breach Report (IBR) is not a statistic about bad password practices. It is a statistic about missing detection coverage in the window before the breach.
  • Extend monitoring outside the corporate perimeter. The exposure that precedes most enterprise breaches originates on devices your security tools cannot see. Your intelligence program needs to reach the adversary ecosystem where that exposure surfaces.
  • Treat session cookie alerts as the highest priority. A stolen session token does not require a login to exploit and does not trigger MFA. Immediate session invalidation is the only effective response, and it only works if you detect the exposure before the token is used.
  • Build response protocols that match the timeline. Standard incident triage cycles are measured in days. The window between credential listing and active exploitation is measured in hours. Response procedures for infostealer alerts need to match that speed.
  • Correlate exposure alerts against highest-risk accounts first. VPN credentials, SSO tokens, admin accounts, and cloud infrastructure access are what initial access brokers charge a premium for. These are the accounts to prioritize when an infostealer alert arrives.
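The response steps listed under the 48-hour window (invalidate and rotate, investigate the device, scan the package for other organization accounts, prioritize by access level) and the prioritization advice above can be expressed as one triage routine. The following is an added example, not Constella's product logic and not code from the original post: it takes a constructed stealer-log package, keeps only records tied to the organization's own identities, scores each by access class with a bonus for a live session token, and emits an ordered action list plus the set of infected devices to investigate. The record fields, hostname patterns, weights, domain list and sample package are all assumptions.

```python
"""Triage of an infostealer exposure alert (added example, not Constella's code).

Assumptions: a stealer-log package is a list of StealerRecord entries, the
organisation's identity domains are known, and access class can be inferred
from the hostname the credential was saved for. Weights and patterns are
hypothetical and would be tuned per environment.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

ORG_DOMAINS = {"example.com"}          # constructed: the organisation's identity domains

# Assumed weights: higher means respond first.
ACCESS_WEIGHTS = {"vpn": 100, "sso": 90, "admin": 90, "cloud": 80, "mail": 40, "other": 10}
SESSION_TOKEN_BONUS = 50               # a live token needs no login and is not MFA-challenged

# Hypothetical hostname prefixes mapping a saved URL to an access class.
HOST_PATTERNS = [
    ("vpn.", "vpn"),
    ("sso.", "sso"), ("idp.", "sso"),
    ("admin.", "admin"),
    ("console.", "cloud"), ("portal.", "cloud"),
    ("mail.", "mail"), ("webmail.", "mail"),
]


@dataclass(frozen=True)
class StealerRecord:
    url: str                    # URL the credential or cookie was captured for
    username: str
    has_password: bool
    has_session_token: bool
    infected_device: str        # stealer-reported hardware/host identifier


@dataclass
class TriageItem:
    username: str
    url: str
    access_class: str
    score: int
    device: str
    actions: list


def classify_access(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    for prefix, cls in HOST_PATTERNS:
        if host.startswith(prefix):
            return cls
    return "other"


def is_org_identity(rec: StealerRecord) -> bool:
    """Keep records whose target host or account domain belongs to the organisation,
    which is how one alert is widened to every affected account in the same package."""
    host = (urlparse(rec.url).hostname or "").lower()
    user_domain = rec.username.rsplit("@", 1)[-1].lower() if "@" in rec.username else ""
    return any(host == d or host.endswith("." + d) or user_domain == d for d in ORG_DOMAINS)


def triage(records) -> list[TriageItem]:
    items = []
    for rec in records:
        if not is_org_identity(rec):
            continue
        cls = classify_access(rec.url)
        score = ACCESS_WEIGHTS[cls] + (SESSION_TOKEN_BONUS if rec.has_session_token else 0)
        actions = []
        if rec.has_session_token:
            actions.append("invalidate_all_sessions")   # first: the token works without a login
        actions.append("rotate_credential")
        actions.append(f"investigate_device:{rec.infected_device}")
        items.append(TriageItem(rec.username, rec.url, cls, score, rec.infected_device, actions))
    items.sort(key=lambda i: (-i.score, i.username))
    return items


def devices_to_investigate(items) -> set:
    return {i.device for i in items}


# Constructed sample package: one stealer log covering two infected devices.
SAMPLE_PACKAGE = [
    StealerRecord("https://vpn.example.com/", "alice@example.com", True, False, "HWID-7F3A"),
    StealerRecord("https://sso.example.com/login", "bob@example.com", True, True, "HWID-7F3A"),
    StealerRecord("https://mail.example.com/", "alice@example.com", True, True, "HWID-7F3A"),
    StealerRecord("https://shop.example.net/account", "alice@gmail.com", True, False, "HWID-7F3A"),
    StealerRecord("https://console.cloudvendor.test/", "carol@example.com", False, True, "HWID-19C2"),
]

if __name__ == "__main__":
    for item in triage(SAMPLE_PACKAGE):
        print(item.score, item.access_class, item.username, item.actions)
    print("devices:", sorted(devices_to_investigate(SAMPLE_PACKAGE and triage(SAMPLE_PACKAGE))))
```

Running it on the sample package puts the SSO account with a live token first, the cloud console token second, and the VPN password third, while the personal shopping account is dropped as out of scope. The scoring is deliberately simple so that the ordering is explainable to the analyst who has to act on it within hours.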

The Bigger Picture

The industrialization of infostealer malware through Malware-as-a-Service has made credential theft accessible to low-skilled threat actors at a scale that was previously impossible. In 2025, Constella observed a 77% year-over-year increase in unique infected devices alongside the 72% increase in packages processed. The volume is accelerating. The sophistication of what those packages contain is increasing with it.

Organizations that have no visibility into the adversary ecosystem are operating with a structural blind spot that the underground economy has learned to exploit reliably. The breach happens after the exposure. The warning is in the data. The 48 hours between exposure and exploitation is not the problem. It is the solution, if you can see it.

Schedule a Demo

See how Constella Infostealer Sentinel and Corporate Identity Threat Protection deliver real-time visibility into credential exposure before attackers act on it.