Automatic Password Hacking Machine Confirmed—Stop Using Passwords Now

Posted by Davey Winder, Senior Contributor | Consumer Tech, Cybersecurity, Innovation


Update, March 28, 2025: This story, originally published March 25, has been updated with new research into the effectiveness of passkeys as a more secure replacement for passwords, the further availability of Google’s hardware passkey and news from Microsoft impacting a billion password users as it makes the change to passwordless authentication to stop insecure password use.

Don’t say you weren’t warned. The threat from infostealer malware has been made pretty clear as billions of passwords are reported compromised, 85 million of the newest being used in ongoing attacks, and even two-factor authentication in isolation might not be enough to save you as hackers use session cookies to bypass 2FA code protections. That threat has just been amplified by a report revealing how an automatic hacking machine called Atlantis AIO is using millions of stolen passwords to gain access to email, VPN, streaming services and even food delivery accounts. The takeaway, if you’ll pardon the pun, is to stop using your passwords now.


Atlantis AIO: An Automatic Hacking Machine Using Stolen Passwords By The Million

Credential stuffing is not new; let’s make that clear right from the start. However, it is a very dangerous attack methodology and is becoming increasingly so. Attackers are always looking to develop new tools that can help them carry out their attacks, as I reported March 15 after leaked Black Basta ransomware group internal chat logs revealed how it was using an automated brute-force attack framework. As both the brute-force and credential stuffing terms suggest, these attacks essentially hammer an account with as many username and password combinations as possible in the hope that one will be correct and gain entry. OK, so that’s the simplified explanation, but by using lists of stolen or compromised credentials readily available from dark web marketplaces and in various criminal forums, it’s possible for hackers to access other accounts that share the same passwords.

A March 25 threat intelligence report from Abnormal Security has sounded the alarm about an automatic hacking machine, known as Atlantis AIO, that can take these millions of stolen passwords and use them in just such credential stuffing attacks.

“Atlantis AIO has emerged as a powerful weapon in the cybercriminal arsenal,” Abnormal Security analysts said, “enabling attackers to test millions of stolen credentials in rapid succession.” Where Atlantis excels, however, is in providing pre-configured modules to automate the targeting of specific services, from email providers such as Hotmail, Yahoo, AOL, GMX, and Web.de, to streaming services, VPNs, financial institutions, and even food delivery services. In fact, the report revealed the Atlantis AIO hacking machine can be aimed at more than 140 different platforms.


Atlantis AIO Quickly Tests Stolen Passwords At Scale

“By offering pre-configured modules for targeting a range of platforms and cloud-based services,” the threat intel report warned, “it allows cybercriminals to launch credential stuffing attacks at scale with minimal effort.” The secret to the success of this automatic hacking machine is its modular approach. This can be demonstrated across three areas.

  • Specialized modules for email attacks that enable hackers to rapidly probe accounts for popular platforms. But as well as just probing with those stolen passwords, Atlantis AIO has an inbox takeover feature that allows a hacker to control the account for further malicious purposes.
  • Brute-force attack modules allow for the rapid cycling of commonly used or weak username and password combinations to quickly gain access to accounts with poor protection, even if the password hasn’t been compromised per se.
  • Recovery modules targeting various services to enable CAPTCHA and similar security protections to be bypassed. An auto-doxer recovery feature even automates the account recovery process to streamline the account takeover and make it much easier to execute large-scale attacks.

Using a password manager to ensure unique and strong passwords for every account, along with two-factor authentication on all of them, can help mitigate this kind of attack. The most pertinent advice is not to reuse a password across accounts: follow it.
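The attack shape described above (one source cycling through many different usernames with mostly failed logins) is also what a defender can look for. The following is an added example, not code from the article or from Abnormal Security’s report: a small Python detector that parses constructed authentication log lines (the log format, the IP addresses and the user names are all assumptions made for the example) and flags a source address that, inside a five-minute window, tries many distinct accounts with a low success ratio. Thresholds are illustrative and would be tuned to real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (not from the article or the report).
# 203.0.113.7 cycles through ten accounts in six seconds and lands one success;
# 198.51.100.23 is an ordinary user who mistypes once and then signs in.
SAMPLE_LOG = """\
2025-03-25T10:00:01Z ip=203.0.113.7 user=alice@example.net result=FAIL
2025-03-25T10:00:02Z ip=203.0.113.7 user=bob@example.net result=FAIL
2025-03-25T10:00:02Z ip=203.0.113.7 user=carol@example.net result=FAIL
2025-03-25T10:00:03Z ip=203.0.113.7 user=dave@example.net result=SUCCESS
2025-03-25T10:00:03Z ip=203.0.113.7 user=erin@example.net result=FAIL
2025-03-25T10:00:04Z ip=203.0.113.7 user=frank@example.net result=FAIL
2025-03-25T10:00:04Z ip=203.0.113.7 user=grace@example.net result=FAIL
2025-03-25T10:00:05Z ip=203.0.113.7 user=heidi@example.net result=FAIL
2025-03-25T10:00:05Z ip=203.0.113.7 user=ivan@example.net result=FAIL
2025-03-25T10:00:06Z ip=203.0.113.7 user=judy@example.net result=FAIL
2025-03-25T10:01:10Z ip=198.51.100.23 user=alice@example.net result=FAIL
2025-03-25T10:01:25Z ip=198.51.100.23 user=alice@example.net result=SUCCESS
2025-03-25T10:09:00Z ip=203.0.113.7 user=mallory@example.net result=FAIL
"""

# Assumed log layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_events(text):
    """Turn raw log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]})
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_attempts=8,
                               min_distinct_users=6, max_success_ratio=0.25):
    """Return one alert per source IP whose busiest `window` contains at least
    `min_attempts` logins spread over at least `min_distinct_users` accounts
    with a success ratio at or below `max_success_ratio`. Many accounts from
    one source, mostly failing, is the signature of a stuffing run rather
    than a single user struggling with their own password."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        start, best = 0, None
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            successes = [e["user"] for e in chunk if e["result"] == "SUCCESS"]
            ratio = len(successes) / len(chunk)
            if (len(chunk) >= min_attempts and len(users) >= min_distinct_users
                    and ratio <= max_success_ratio):
                candidate = {"ip": ip, "attempts": len(chunk), "distinct_users": len(users),
                             "success_ratio": round(ratio, 3),
                             "compromised": sorted(successes)}
                if best is None or candidate["attempts"] > best["attempts"]:
                    best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_events(SAMPLE_LOG)):
        print(alert)
```

The `compromised` list is the part a responder cares about: accounts where a stuffed credential actually worked need a forced password change and session revocation, while the source address itself is a candidate for rate limiting.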


Stop Using Passwords Now

A new report into the state of passwordless identity assurance has provided a fascinating deep dive into the latest trends driving the adoption of passkeys. The analysis by identity assurance specialists HYPR includes insights from chief information security officers and security architects to reveal the growing need for an alternative to passwords. Although I know we have heard this before, the report predicted that passkeys are set to replace vulnerable password-based systems within the next two years. I can only hope that is true, but it has been relatively slow going so far when it comes to convincing both organizations and consumers to make the change.

Not least because the report revealed the shocking state of the password-driven security landscape. Its sample is skewed toward the HR industry, but in my experience the general trends are industry agnostic.

  • 95% of organizations reported deepfake incidents during 2024.
  • 49% of companies experienced breaches over the past year, with 87% linked to identity vulnerabilities.
  • 47% of the breaches mentioned above were driven by credential misuse, 41% by privileged access abuse, 36% by social engineering attacks and 35% by 2FA bypass attacks.

There is some good news in all of this: for the first time in the report’s history, passwordless and FIDO-based authentication methods are gaining significant traction, with 46% of respondents now utilizing them. Passkeys are starting to become accepted as the secure alternative to passwords. “We are in the midst of The Identity Renaissance, a period of profound transformation,” Bojan Simic, CEO of HYPR, said. “Phishing-resistant authentication, led by FIDO passkeys, is poised to redefine how we secure digital identities, not just by replacing passwords, but by fundamentally shifting our approach to managing and verifying identities.”


Microsoft’s New Stop Using Passwords Announcement

“Microsoft is rolling out a new sign-in experience for over 1 billion end users,” Robin Goldstein, partner director of product management in Microsoft’s identity division, said in a March 26 announcement. This new experience prioritizes a passwordless and passkey-first approach to authentication.

Aimed squarely at the billion people who use their Microsoft accounts to access the likes of Microsoft 365, Windows and Xbox, Goldstein has confirmed that the updated sign-in will reach most web and mobile users by the end of April. By taking advantage of Microsoft’s Fluent 2 design language, the aim is to provide a seamless transition between less secure authentication methods and the far superior, in security terms, use of passkeys. Although I wouldn’t usually comment on design paradigms, I will make an exception this time as it is essential from the security perspective. As I have said before and, no doubt, will say many times again, security that erects barriers to usage will fail. It really is as simple as that. If it is cumbersome or adds too much time to the login process, users will find a way to work around it. “Simplifying the design and flow of authentication was our first step,” Goldstein said. Microsoft has done this by reducing the number of “concepts per screen” to lower what it refers to as the cognitive load, as well as speeding up the authentication process. This streamlining goes further than just design, as it also gave Microsoft the opportunity to rethink the default authentication experience altogether. “Over the last few years, we’ve introduced several enhancements,” Goldstein explained, “including the ability to completely remove the password from your account and support for passkey sign-in instead of using a password.”

This new flow has been described using the example of creating a new Microsoft account, which asks for the user to enter their email address. “By bringing your own email address to a new Microsoft account,” Goldstein said, “you start in a recoverable state, and you don’t have to create a new Microsoft password that could be easily forgotten or guessed by an attacker.” By verifying the email address with a one-time code, the user has a default credential that already removes the need for a password. The next step towards passwordless authentication, Microsoft said, is by offering that user the opportunity to use a passkey. Goldstein noted that Microsoft is updating the account sign-in logic so that a passkey is the default choice wherever possible because “passkeys are more secure and three times faster than passwords.”

The good news is that the new passkey-first approach to authentication is already here for Xbox users when they sign into their accounts. Microsoft silently launched this in February with an A/B experiment, and the results were such that it has now been rolled out for everyone. “This targeted experiment let us gather data on our redesign, especially testing the new Dark Theme support,” Goldstein concluded, “where we saw a positive impact of the new UX with this wide set of Microsoft account users.”


Another Key Moment In The History Of Passwords

Yet, despite all this, far too many organizations are still embracing not only outdated authentication practices but ones that have been proven to be dangerous, as the automatic password hacking machine news is a testament to. When it comes to passwords, HYPR found that 40% of organizations were sticking with them, and 52% were relying on 2FA methods less secure than passkeys provide.

“This report highlights a key moment in identity security,” Garrett Bekker, principal research analyst at S&P Global Market Intelligence 451 Research, said. “Organizations must now prioritize the deployment of phishing-resistant authentication such as FIDO passkeys and other modern identity verification tools,” Bekker continued, “not as a future aspiration, but as a core component of their immediate risk mitigation strategy.” Any failure to do so leaves them exposed to escalating threats, and it’s becoming ever clearer that everyone, including consumers, needs to stop using passwords now. At least it’s not just me continually and loudly singing from that hymn sheet anymore.
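Why “phishing-resistant” is the right word for FIDO passkeys, and why a stuffed or phished password is not, comes down to one mechanism: the assertion an authenticator produces is bound to the relying-party identifier the browser observed, so a look-alike domain cannot obtain anything the genuine site will accept. The following is an added example, not code from the article, HYPR or Microsoft, and it is a deliberate simplification: a real passkey is a per-site asymmetric key pair and the relying party verifies an ECDSA or EdDSA signature with the stored public key, whereas here an HMAC over a per-site secret stands in for that signature so the example runs with the Python standard library alone. The names `Authenticator`, `RelyingParty`, the domain `bank.example` and the look-alike `bank-example.test` are all assumptions for the example.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Models the user's device. It holds one credential per relying-party ID
    (rpId), created at registration, and will only produce assertions for the
    rpId the browser hands it from the current page origin."""

    def __init__(self):
        self._credentials = {}  # rpId -> per-site secret (a private key in real WebAuthn)

    def register(self, rp_id):
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        return secret  # real WebAuthn returns a public key; the secret never leaves the device

    def assert_login(self, rp_id, challenge):
        secret = self._credentials.get(rp_id)
        if secret is None:
            return None  # no credential scoped to this origin: a phishing page gets nothing
        signed_data = rp_id.encode() + b"|" + challenge  # stand-in for clientDataJSON + authData
        return {"rp_id": rp_id, "challenge": challenge,
                "signature": hmac.new(secret, signed_data, hashlib.sha256).digest()}


class RelyingParty:
    """Models one website. Each login issues a fresh challenge, and verification
    checks origin binding, challenge freshness and the signature in that order."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.stored = {}   # user -> credential secret (would be a public key)
        self.pending = {}  # user -> outstanding challenge

    def start_registration(self, user, authenticator):
        self.stored[user] = authenticator.register(self.rp_id)

    def new_challenge(self, user):
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge

    def verify(self, user, assertion):
        challenge = self.pending.pop(user, None)  # one use only, so replays fail
        if assertion is None or challenge is None or user not in self.stored:
            return False
        if assertion["rp_id"] != self.rp_id:  # origin binding: wrong site, wrong credential
            return False
        if not hmac.compare_digest(assertion["challenge"], challenge):
            return False
        expected = hmac.new(self.stored[user], self.rp_id.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo():
    """Legitimate login succeeds; a look-alike domain relaying the real challenge
    gets no usable assertion; re-submitting a used assertion is rejected."""
    device = Authenticator()
    bank = RelyingParty("bank.example")
    bank.start_registration("alice", device)

    genuine = device.assert_login("bank.example", bank.new_challenge("alice"))
    legitimate = bank.verify("alice", genuine)

    # Phishing page at a look-alike domain proxies the bank's real challenge to the
    # victim, but the browser scopes the request to the page's own origin.
    relayed_challenge = bank.new_challenge("alice")
    phished = bank.verify("alice", device.assert_login("bank-example.test", relayed_challenge))

    # Replay of the earlier genuine assertion: its challenge was already consumed.
    bank.new_challenge("alice")
    replayed = bank.verify("alice", genuine)

    return {"legitimate": legitimate, "phished": phished, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

Contrast this with a password: the same string typed into the look-alike page is valid at the real site, which is exactly what credential stuffing and phishing kits exploit. Origin binding, not secrecy of a typed value, is what makes the difference.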

And, right on cue, a March 26 announcement by Google confirmed that the Titan hardware security keys are now available in more geographic regions than ever. Although not as convenient as passkeys, which only require a device you already own to be effective, physical hardware keys do provide a massive security upgrade over the use of passwords alone. Google has now confirmed that these keys are available in a total of 22 markets, with the following countries now having been added to the list:

  • Australia
  • Denmark
  • Finland
  • Ireland
  • New Zealand
  • Norway
  • Portugal
  • Puerto Rico
  • Singapore
  • Sweden
  • The Netherlands
