by jobu 3606 days ago
And they had every login for the network it was found on:

"The library was masquerading as a Windows password filter, which is something administrators typically use to ensure passwords match specific requirements for length and complexity. The module started every time a network or local user logged in or changed a password, and it was able to view passcodes in plaintext."

1 comments

Perhaps time to move to 2FA.
This was a network authentication module on a domain controller. It's intercepting every low-level token used to authenticate a network transaction, including encryption keys.
If security has been penetrated that far, you are already owned.

What really scares me are things that can live in firmware; not just on mass storage drives but also in host system firmware. We've let too many dragons breed in dark places in the name of Digital Restrictions Management.