Back in October, security researcher Muhannad Hazaa reached out to us with an important discovery: a data dump of stolen credentials circulating online included login details for a number of Render users.
Render wasn't breached, to be clear. The stolen credentials were harvested by infostealer malware running on users' own devices, typically installed through a malicious email link or attachment. We immediately reset the affected passwords, then got to work on an automated detection system for future credential-theft events.
If you're new to infostealers, you're not alone. And if you've ever wondered how account details end up for sale on the dark web for ten bucks a pop, read on to find out.
The $10 password problem
An infostealer is a form of malware designed to extract valuable, sensitive information stored in your browser. Passwords, session cookies, and credit card details are all packaged up into "stealer logs" and sold on underground marketplaces.
Learning that an entire digital identity sells for the price of an SF boba (with premium toppings) was simultaneously depressing and motivating. That's the going rate for a Netflix or Spotify account, but platform credentials like ours? Those could potentially fetch much higher prices to the right buyers, making us an especially attractive target.
So what is it that makes infostealers especially nefarious?
- They operate silently (no ransomware popup, no encrypted files).
- They spread through everyday activities like software downloads and ads.
- They can bypass 2FA (two-factor authentication) by stealing session cookies.
- The stolen data gets resold repeatedly across multiple criminal markets.
RedLine, RisePro, and Stealc all sound like rejected energy drinks, but these and other infostealer variants infected a combined 23 million devices last year. These aren't targeted attacks. They're automated, widespread, and indiscriminate.
The limits of good hygiene
Modern company security policies defend against common attacks like brute force attempts, phishing emails, and credential stuffing. We advise users to create long passphrases, enable 2FA, and watch for suspicious login pages. The problem is, infostealers bypass most of these defenses. They pull your passwords directly from your browser's storage, along with the session cookies that keep you logged in. As it turns out, the easiest way to steal a password or session is to just…steal it.
This presents a unique challenge: the compromise occurs on the user's device, entirely outside of Render's infrastructure and visibility. Even if our security is airtight, that doesn't help much if your laptop's security isn't.
So we asked ourselves: how do we protect users from a threat that originates on their own machines?
Defending from afar
We recently deployed a new automated monitoring system that scans for Render credentials in public breach datasets. When stealer logs are leaked or resold (which happens all the time), we detect compromised accounts and force password resets to lock out ongoing access.
The process is straightforward and effective:
- Scan compromised-credential monitoring services for Render-related credentials
- Verify that leaked passwords are actually valid
- Force immediate password reset
- Invalidate all sessions to lock out potential attackers
- Notify users with clear instructions
Speed is critical here. By the time credentials appear in public datasets, they've often been sold multiple times already. Because we're often playing catch-up, a rapid response is all the more important.
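The five steps above, worked through as a small Python pipeline. This is an added example, not Render's own monitoring code: the stealer-log layout (`url|username|password`), the monitored domain `render.example`, the in-memory account table, and the PBKDF2 password scheme are all assumptions made for illustration. The point it shows is that a leaked password is only treated as a hit when it matches the account's current salted hash (so stale leaks do not trigger resets), and that a hit revokes every live session, not just the password, because stolen cookies would otherwise keep working.

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse

# Hypothetical domain for the platform being monitored (assumption; the post
# does not name one).
MONITORED_DOMAIN = "render.example"

# Constructed sample stealer-log lines. Real stealer-log formats vary by malware
# family; "url|username|password" is an assumed layout for illustration only.
SAMPLE_STEALER_LOG = """\
https://dashboard.render.example/login|alice@example.com|correct horse battery
https://music.example.test/signin|bob@example.com|hunter2
https://render.example/|carol@example.com|OldPassword123
garbage line without delimiters
"""

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash (assumed scheme; the post states none)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_store() -> dict:
    """Constructed account table: email -> salted hash, live sessions, reset flag."""
    store = {}
    for email, password, sessions in [
        ("alice@example.com", "correct horse battery", ["sess-a1", "sess-a2"]),
        ("carol@example.com", "NewPassword456", ["sess-c1"]),  # rotated since the leak
    ]:
        salt = os.urandom(16)
        store[email] = {"salt": salt, "hash": hash_password(password, salt),
                        "sessions": sessions, "must_reset": False}
    return store


def parse_stealer_log(text: str) -> list:
    """Step 1: extract (url, username, password) triples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        records.append(tuple(p.strip() for p in parts))
    return records


def filter_for_domain(records: list, domain: str) -> list:
    """Keep only entries whose URL host is the monitored domain or a subdomain of it."""
    keep = []
    for url, user, pw in records:
        host = urlparse(url).hostname or ""
        if host == domain or host.endswith("." + domain):
            keep.append((url, user, pw))
    return keep


def verify_leaked(records: list, store: dict) -> set:
    """Step 2: a leaked password counts as valid only if it matches the stored hash.
    The comparison is constant-time and the plaintext is never logged or retained."""
    compromised = set()
    for _url, user, pw in records:
        rec = store.get(user)
        if rec is None:
            continue
        if hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
            compromised.add(user)
    return compromised


def respond(compromised: set, store: dict) -> list:
    """Steps 3-5: force a reset, revoke every session, and build user notifications."""
    notices = []
    for user in sorted(compromised):
        rec = store[user]
        rec["must_reset"] = True      # old password unusable until the user sets a new one
        dropped = len(rec["sessions"])
        rec["sessions"].clear()       # stolen session cookies no longer grant access
        notices.append({"to": user,
                        "subject": "Your password was found in a public credential leak",
                        "sessions_revoked": dropped})
    return notices


def run_pipeline(log_text: str, store: dict) -> list:
    """Scan -> filter -> verify -> reset/revoke -> notify, returning the notices sent."""
    records = filter_for_domain(parse_stealer_log(log_text), MONITORED_DOMAIN)
    return respond(verify_leaked(records, store), store)


if __name__ == "__main__":
    accounts = make_user_store()
    for notice in run_pipeline(SAMPLE_STEALER_LOG, accounts):
        print(notice)
```

On the sample data only alice is reset: bob's entry is for an unrelated site, and carol's leaked password no longer matches her current hash. In a real deployment the verification step would run against the production credential store under the same rate limits and audit logging as a normal login attempt, and the notification would be sent through the platform's usual transactional email path so users can recognise it.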
Our shared responsibility
Render's monitoring system has already reset compromised passwords across a number of accounts, limiting the window for exploits. But that's just one layer of defense. While we keep an eye out for leaked credentials, you can significantly reduce your own risk:
Use a dedicated password manager. Tools like 1Password or Bitwarden aren't immune to infostealers, but they're significantly harder to compromise than browser-stored passwords.
Enable 2FA on your Render account. As mentioned, 2FA doesn't help if an infostealer obtains your active session. However, it does still stop any attacker who only has your password. Admins can enforce 2FA for their workspace, preventing team members from accessing resources until they enable it.
Log in with an identity provider. Render supports signing in with your Google, GitHub, GitLab, or Bitbucket account. Enterprise plans also support SAML SSO. All of these options provide additional security beyond a basic username and password.
Stay safe out there
In 2024, credential theft increased 33% year over year, with infostealers accounting for 75% of all incidents. This trend shows no signs of slowing.
If you receive an unexpected password reset notification from us, don't panic—it's our automated system protecting your account. Just make sure the email really came from us! It will always explain what happened and what you need to do next. Infostealers aren’t going away, but active monitoring shortens attackers’ window and limits the blast radius.