How NESQ Uses Lunar to Enhance Compromised Credential Detection
Read how NESQ streamlines compromised credential detection processes with Lunar.
Credential compromise is not just a persistent threat—it’s the engine powering the majority of cyberattacks in 2025. As organizations continue with cloud adoption and hybrid work, attackers exploit credentials with an alarming level of scale and sophistication.
Credentials remain the attacker’s tool of choice for one simple reason: they work. According to the 2025 Verizon DBIR, 88% of basic web application attacks involve the use of stolen credentials. While zero-days might grab headlines, attackers overwhelmingly prefer credential abuse because it is more reliable and easier to scale. In 2024, 3.1 billion passwords were recaptured from online marketplaces and Telegram groups selling stolen data (SpyCloud 2025 Annual Report).
However, the identity compromise infrastructure thriving on the dark web contains more than just usernames and passwords. Many dumps include correlated PII, enabling automated account takeover at scale.
Automation has only amplified the threat. Attackers no longer manually test usernames and passwords one by one. Now they deploy sophisticated botnets, permutation engines, and credential stuffing tools that can test billions of combinations across countless web applications in minutes. This means attackers quickly defeat even minor password variations or reused credentials across different services.
The industry responded to the need for increased security with widespread adoption of multi-factor authentication (MFA). Attackers have adapted their methods and incorporated session hijacking to bypass MFA. In fact, in 2024 “75% of business email compromise (BEC) incidents involved session hijacking,” (CyberCX 2025 Threat Report). The use of session hijacking rose between 2023 and 2024, proving that MFA alone is not a complete defense against today’s evolving threats. Attackers are now skillfully bypassing MFA by focusing on session hijacking, highlighting the critical need for organizations to secure not just authentication, but the entire user session.
The takeaway: phishing-resistant authentication (such as FIDO2 or hardware tokens) is now the baseline security requirement. Anything less is too vulnerable.
Once inside corporate infrastructure, threat actors do not stop at initial access. In fact, IBM found that 30% of lateral movement observed in breaches leveraged valid credentials. Cybercriminals are more likely to achieve privilege escalation through credential abuse than through technical vulnerabilities.
The size of the underground credential market is staggering. There are over 24 billion credential pairs currently circulating on dark web marketplaces, fueling everything from ransomware to corporate espionage (SpyCloud, 2025). In the Telegram chat below, the moderator sells subscriptions for receiving stolen credentials regularly, showing the constant influx of useful, sensitive information on offer by threat actors.
Across dark web marketplaces, illicit Telegram chats, and other clandestine online channels, these stolen credentials are traded like commodities and priced extremely low. Readily available credentials give threat actors easy, cheap access, fueling a wide range of illicit activities, from ransomware attacks to corporate espionage.
Organizations that build layered and identity-centric defenses, including phishing-resistant multi-factor authentication, are better equipped to counter cyber threats in 2025. The goal is to raise the level of difficulty for adversaries attempting to exploit credentials and move away from less secure methods like SMS or app-based MFA that present larger attack surfaces.
Additionally, these organizations continuously monitor for leaked credentials across the dark web and alternative social media. Real-time vigilance enables cybersecurity analysts to identify and address any compromised authentication factors. Proactive monitoring is the key to shrinking the window of time an attacker has to leverage exposed credentials and potentially initiate a breach.
Finally, organizations are automating their incident response processes, especially those tied to credential compromise. Implementing automated workflows for credential reset and session revocation restricts an attacker’s ability to remain within a compromised system. This automation critically reduces the amount of time an attacker can remain undetected, thereby mitigating the potential damage from a successful credential compromise.
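The automated response described above can be sketched as a triage step that turns each leaked-credential record into reset and session-revocation actions. This is an added example, not code from NESQ, Lunar or Webz.io; the directory snapshot, the leak record schema and the `pw_hash` stand-in for the identity provider's verifier are all assumptions, and every sample value is constructed.

```python
import hashlib
import hmac
from datetime import datetime

def pw_hash(password, salt):
    # Stand-in for the identity provider's password verifier (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed directory snapshot: stored verifier plus live sessions and issue times.
DIRECTORY = {
    "alice@example.com": {
        "salt": b"salt-a", "hash": pw_hash("Summer2024!", b"salt-a"),
        "sessions": {"s-100": datetime(2025, 3, 1), "s-101": datetime(2025, 3, 9)},
    },
    "bob@example.com": {
        "salt": b"salt-b", "hash": pw_hash("rotated-Long-Passphrase", b"salt-b"),
        "sessions": {"s-200": datetime(2025, 3, 2), "s-201": datetime(2025, 3, 8)},
    },
}

# Constructed leak records, shaped like a monitoring feed's output (hypothetical schema).
LEAKS = [
    {"email": "alice@example.com", "password": "Summer2024!",
     "captured": datetime(2025, 3, 5), "has_cookies": False},
    {"email": "bob@example.com", "password": "OldPassword1",
     "captured": datetime(2025, 3, 5), "has_cookies": True},
    {"email": "carol@other.test", "password": "x",
     "captured": datetime(2025, 3, 5), "has_cookies": False},
]

def triage(leak, directory=DIRECTORY):
    """Return the response actions for one leaked-credential record."""
    user = directory.get(leak["email"])
    if user is None:
        return {"reset_password": False, "revoke": []}  # not one of our accounts
    live = hmac.compare_digest(pw_hash(leak["password"], user["salt"]), user["hash"])
    if live:
        # Password still works: reset it and drop every session, since any of
        # them may have been opened by whoever holds the credential.
        revoke = sorted(user["sessions"])
    elif leak["has_cookies"]:
        # Password already rotated, but session tokens stolen alongside it stay
        # valid and skip MFA: revoke sessions issued up to the capture time.
        revoke = sorted(s for s, t in user["sessions"].items() if t <= leak["captured"])
    else:
        revoke = []
    return {"reset_password": live, "revoke": revoke}

if __name__ == "__main__":
    for leak in LEAKS:
        print(leak["email"], triage(leak))
```

The second record is the case a password-only workflow misses: the leaked password no longer matches, yet a session issued before the capture is still revoked.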
Credential compromise is not going away, so the future of identity security must be layered, adaptive, and relentlessly proactive.
Prepare yourself and your team for mitigating the business risk of compromised credentials with our automated playbooks.