SME Cybersecurity response to the 24 billion stolen records data dump
A breach of this scale changes the risk picture for every UK SME, even if your business was not directly hacked. Malwarebytes has highlighted a massive data exposure involving 24 billion stolen records, and the immediate threat is not just old passwords resurfacing, it is what criminals do next with them, account takeover, phishing, business email compromise, and fraud against smaller firms that often lack full-time security teams.
SME Cybersecurity: what the 24 billion stolen records exposure means for UK businesses
A stolen records dump usually contains combinations of email addresses, usernames, passwords, browser data, or session details harvested by infostealer malware. In plain English, infostealers are malicious programs that quietly pull login data from infected devices and pass it to criminals. For SMEs, that matters because one compromised laptop used by a director, finance lead, or outsourced IT administrator can expose access to email, cloud storage, payroll platforms, and supplier portals.
This is not theoretical. The UK Government Cyber Security Breaches Survey 2025 found that 43% of UK businesses identified a Cybersecurity breach or attack in the previous 12 months, with phishing remaining the most common threat. Large credential dumps make that problem worse because attackers can automate login attempts across Microsoft 365, VPNs, accounting tools, and e-commerce systems used by SMEs every day.
Why should SMEs care if the stolen data came from somewhere else?
Because attackers do not respect organisational boundaries. If a staff member reused a password across services, or saved credentials in a browser on an infected home or work device, your business could still be exposed.
In practice, the risks for SMEs include:
* Business email compromise, where attackers access inboxes to redirect payments or impersonate senior staff
* Operational disruption, if Microsoft 365, bookkeeping, or CRM access is locked or abused
* Supply chain cyber risk, if compromised accounts are used to target customers or suppliers
* Compliance exposure, if poor access controls contribute to a personal data breach under the ICO’s security guidance for UK GDPR
That said, this is exactly where practical SME Cybersecurity basics make a measurable difference.
What should a UK SME do now?
Start with the actions that reduce credential abuse fastest.
1. Reset passwords for high-risk accounts first
Prioritise Microsoft 365, email admin, finance systems, password managers, remote access, and shared service accounts.
2. Turn on multi-factor authentication everywhere critical
The NCSC guidance on multi-factor authentication is clear, MFA sharply reduces the value of stolen passwords.
3. Check for password reuse across the business
Focus on directors, finance staff, IT admins, and anyone with supplier payment authority.
4. Review endpoint security on staff devices
Infostealers usually start on endpoints, meaning laptops and desktops. Strong endpoint security for small business, patching, and browser hygiene matter here.
5. Audit privileged access and shared accounts
If multiple people use the same admin login, change that. Individual named accounts improve accountability and speed up cyber incident response.
6. Use a recognised baseline such as Cyber Essentials
Its controls, including secure configuration, access control, patching, and malware protection, are practical for budget-conscious SMEs.
7. Document your response using the NIST Cybersecurity Framework
Even a lightweight approach helps, identify key systems, protect critical accounts, detect unusual sign-ins, respond quickly, and recover access cleanly.
