Indonesian Political, Business & Finance News

200,000 Victims in Indonesia as Password-Stealers Drain Accounts

| Source: CNBC Translated from Indonesian | Technology

Cyber attacks using password-stealer malware are increasingly widespread across Southeast Asia, including Indonesia. Cybersecurity firm Kaspersky reports more than 200,000 password-stealer attacks targeting Indonesian companies in 2025. Overall, Kaspersky’s business security solutions detected and blocked more than 1 million password-stealer attacks in the Southeast Asia region this year.

Indonesia recorded 234,615 attacks in 2025, up 7% from 219,195 in 2024. The Philippines posted the sharpest increase at 41%, followed by Malaysia at 33%, Singapore at 25%, and Vietnam at 21%. Thailand, by contrast, saw a 21% decline.

A password stealer is a type of malware designed specifically to steal passwords and user account information. It works by extracting sensitive data stored in browsers, cache files, and cookies, and even by gaining access to cryptocurrency wallets. The stolen data is subsequently used by cybercriminals for a range of harmful activities, from money theft and identity theft to extortion and launching further attacks using compromised accounts.

Adrian Hia, Managing Director for Asia Pacific at Kaspersky, said password-stealer remains the most effective weapon for cybercriminals because it targets the ‘front door’ of companies: user credentials. He noted that Kaspersky analysed 193 million leaked passwords and found that 45% could be cracked in under a minute, while only 23% were strong enough to survive more than a year against hacking.

‘Password-stealer remains one of the most effective tools in the cybercriminal’s arsenal because they target the front door of every company, i.e., user credentials,’ Hia said in a statement cited by CNBC Indonesia on 19 May 2026.

To reduce risk, Kaspersky recommends companies use password managers to generate and store random, secure passwords. In addition, organisations are urged to implement multi-factor authentication (MFA), conduct routine credential audits, and restrict user access.

Individuals, not only companies, should also remain vigilant. Using unique passwords for each service is important to prevent one breach from spreading to others. Users are advised to avoid easily guessed passwords such as birth dates, family names, or pet names. As an additional layer, enabling two-factor authentication (2FA) can strengthen account security.
