By NHI Mgmt Group Editorial TeamPublished 2026-01-13Domain: Governance & RiskSource: Enzoic

TL;DR: 2025 data breaches were shaped by healthcare losses, Salesforce-related customer exposures, and massive credential dumps built from infostealer logs and ULP lists, while AI mostly amplified phishing and credential stuffing rather than replacing old attack patterns, according to Enzoic. The operational lesson is blunt: identity hygiene, credential monitoring, and MFA still determine whether broad exposure becomes account takeover or stays contained.


At a glance

What this is: This retrospective argues that 2025’s breach pattern was driven less by novel AI attacks than by credential reuse, infostealer output, and third-party exposure across cloud and SaaS environments.

Why it matters: It matters because IAM, PAM, and NHI programmes still fail first at the credential layer, where weak rotation, poor monitoring, and overreliance on static secrets turn routine theft into broad compromise.

By the numbers:

👉 Read Enzoic's retrospective on 2025 data breaches, credential dumps, and AI-driven attack scale


Context

Credential breaches in 2025 were not a new problem wearing new language. The same access patterns kept repeating across SaaS, healthcare, and consumer identity, with stolen credentials, browser-harvested logins, and third-party exposures doing the heavy lifting.

For IAM teams, the important point is that identity failure still starts with exposed or reused access material. AI may have increased the speed and scale of phishing and credential stuffing, but it did not change the core governance problem: if credentials are available, attackers will use them.

The patterns described in this retrospective are typical of a mature threat economy, not an edge case. That is why credential hygiene, monitoring, and lifecycle control remain central to both human identity and non-human identity programmes.


Key questions

Q: What breaks when compromised credentials are reused across multiple services?

A: When credentials are reused, one exposure becomes many access paths. Attackers can replay the same login against SaaS, VPN, admin portals, and cloud services until they find a valid entry point. That is why unique credentials, compromise monitoring, and rapid rotation are essential controls, not optional hardening.

Q: Why do infostealer logs make credential theft more dangerous than a single breach?

A: Infostealer logs package credentials with the login URL, which removes attacker guesswork and speeds up abuse. That changes the problem from isolated theft to industrialised reuse. Organisations need to assume exposed browser-stored credentials are immediately actionable and treat them as an active incident.

Q: What do security teams get wrong about AI and credential attacks?

A: Many teams assume AI creates a new category of attack when, in practice, it often accelerates existing ones like phishing and credential stuffing. The defensive answer is not speculation, but stronger identity hygiene, better detection of exposed secrets, and faster containment when credentials are found in the wild.

Q: Who is accountable when third-party access exposes customer data?

A: Accountability sits with the organisation that granted, governed, and failed to retire the access path, not only with the external provider. If a vendor relationship, SaaS integration, or customer-managed deployment can access sensitive data, it needs the same ownership, review, and offboarding discipline as internal identity.


Technical breakdown

How infostealer logs become usable access material

Infostealer malware targets endpoints, browser stores, and password managers to extract URL, login, and password tuples. Those records are then aggregated into ULP lists, which give attackers not just credentials but the exact login endpoint where each credential is likely to work. That removes guesswork and makes credential stuffing more efficient. The result is a commoditised access market where stolen identity data is packaged for reuse across many services, not just one breach event.

Practical implication: defenders need monitoring that detects exposed credentials by endpoint and service, not just by user account.

Why SaaS and third-party exposures amplify identity risk

The Salesforce-related incidents described here illustrate a common governance failure: the platform is not always the breach point, but customer data stored in or through the platform still becomes vulnerable when access paths are weak. That means shared responsibility does not end at the vendor boundary. When customers operate SaaS in their own clouds or environments, mis-scoped credentials, overbroad API access, and weak third-party oversight become the real control plane.

Practical implication: map SaaS access paths, tokens, and delegated permissions to the same review discipline used for internal identities.

Why AI increased attack throughput rather than changing the model

The article’s AI discussion lands on a familiar conclusion: AI has mainly increased the rate and reach of phishing and credential stuffing. That matters because automation can multiply old attack chains without introducing new ones. The threat actor still needs a credential, an authentication path, and a place to reuse it. AI is therefore an accelerant, not a replacement for the underlying access economy.

Practical implication: treat AI-enabled phishing as a scale problem that strengthens existing controls, especially MFA, detection, and credential compromise monitoring.


Threat narrative

Attacker objective: The objective is to convert stolen credentials into repeatable access, resale value, and downstream data theft or account takeover.

  1. Entry begins when infostealer malware or phishing captures browser-stored credentials, often packaged as ULP lists with target login URLs.
  2. Escalation follows when attackers reuse those credentials for credential stuffing, account takeover, or access-broker resale into wider criminal operations.
  3. Impact appears as SaaS data exposure, downstream fraud, and broader compromise when third-party or customer-managed access paths are weak.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Credential reuse remains the highest-probability failure mode in 2025. The retrospective shows that attackers still win by using credentials that were harvested elsewhere, not by inventing new access paths. That is why authentication hygiene, compromise monitoring, and account-level containment continue to matter more than speculative threat narratives. The practitioner conclusion is simple: if a credential can be replayed, it can be abused.

ULP lists are a governance problem, not just a threat-intel artifact. URL, login, password bundles collapse the discovery problem for attackers and expose a structural weakness in how organisations think about identity secrets. Once credentials are traded as operational inventory, lifecycle and rotation controls become the difference between isolated theft and repeat compromise. Practitioners should treat credential dumps as evidence of governance failure, not just noise.

AI has intensified legacy attack patterns, which means mature IAM fundamentals are now table stakes. The article’s central claim is not that AI replaced phishing or credential stuffing, but that it made those attacks faster and more scalable. That strengthens the case for MFA, monitored credential hygiene, and faster response to exposed secrets. The practitioner conclusion is that AI resilience starts with identity basics already under strain.

Third-party access needs the same lifecycle discipline as internal identity. The Salesforce-related exposures show how customer data can be compromised without the platform itself being breached, which shifts attention to delegated access, SaaS configuration, and environment ownership. This is a governance issue across IAM, PAM, and NHI controls. Practitioners should review third-party access as if it were production identity, because that is effectively what it is.

Runtime discovery of compromised credentials is now a control requirement, not a bonus signal. The article makes clear that large-scale compromised-credential markets continue to operate despite disruption efforts. That means organisations need continuous detection and response for exposed identity material, especially where the same credential could unlock multiple services. The practitioner conclusion is to treat compromise visibility as a first-line control, not an after-the-fact investigation aid.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • That gap aligns with 52 NHI Breaches Analysis, where exposed credentials and weak lifecycle control repeatedly turn into real-world compromise.

What this signals

Credential exposure is becoming a lifecycle problem, not just a detection problem. When secret remediation takes 27 days on average, attacker dwell time is measured against organisational delay rather than control intent, which is why exposure windows keep producing account takeover and SaaS abuse.

Credential economy drift: the market for stolen logins has normalised identity material as a reusable commodity. That means IAM, PAM, and NHI teams should expect compromise to be discovered outside their perimeter and design response around exposed secret recovery, not just post-breach forensics.

Teams should prepare for more attacks that look old but arrive faster. The combination of browser-harvested credentials, ULP distribution, and AI-assisted phishing pushes defenders toward continuous compromise detection, stronger authentication, and tighter third-party offboarding.


For practitioners

  • Prioritise credential compromise monitoring Track exposed usernames, passwords, and authentication endpoints across employee, contractor, and service accounts. Use detection that identifies where a credential was last seen and whether it is already circulating in infostealer-derived ULP lists.
  • Reduce password and token reuse across services Enforce unique credentials, limit browser-based storage where possible, and remove shared secret patterns that let one capture become many valid logins. This is especially important for SaaS, admin consoles, and externally reachable services.
  • Review third-party and SaaS delegated access Map API keys, OAuth grants, and customer-managed integrations to named owners and offboarding triggers. Treat any access path that can expose customer data as production identity with explicit review intervals.
  • Tighten identity response for infostealer activity When endpoint compromise is suspected, assume credentials are already exposed and revoke or rotate access before the attacker reuses the login. Pair endpoint detection with authentication controls so response does not stop at malware cleanup.
  • Use MFA and segmentation to limit replay damage Require phishing-resistant MFA where feasible and segment environments so stolen credentials do not translate into broad lateral movement. This matters most where SaaS, cloud, and on-prem access intersect.

Key takeaways

  • 2025’s breach pattern was still driven by exposed credentials, reused logins, and third-party access paths rather than by a wholly new AI attack class.
  • The scale is large enough to matter operationally, with healthcare incidents affecting over 50 million people and credential markets continuing to distribute billions of compromised records.
  • The control question is no longer whether identity hygiene matters, but whether monitoring, rotation, MFA, and delegated-access review are fast enough to beat reuse.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centres on exposed secrets and reuse risk across SaaS and service access.
NIST CSF 2.0PR.AC-1Credential reuse and delegated access failures map to identity and access control outcomes.
NIST SP 800-53 Rev 5IA-5Authenticator management directly applies to leaked passwords, tokens, and stored secrets.
NIST Zero Trust (SP 800-207)Replayable credentials undermine trust assumptions in zero trust environments.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle and access review are central to stopping credential reuse at scale.

Review exposed credential handling against NHI-03 and prioritise rapid rotation for any leaked secret.


Key terms

  • Infostealer Malware: Infostealer malware is endpoint-focused malicious software designed to extract credentials, browser data, and local secrets for resale or direct abuse. In identity terms, it converts a user device into a credential harvesting point and feeds downstream replay, fraud, and account takeover activity.
  • ULP List: A ULP list is a collection of URL, login, password records assembled from stolen credentials, usually harvested by infostealer malware. The URL matters because it tells an attacker exactly where the credential should work, turning a stolen secret into near-ready access material.
  • Credential Stuffing: Credential stuffing is the automated reuse of stolen username and password pairs across multiple services in the hope that password reuse will produce valid logins. It is not about cracking encryption. It is about exploiting human and organisational reuse patterns at machine speed.
  • Third-Party Access Path: A third-party access path is any external integration, delegated credential, or customer-managed environment that can reach sensitive data or systems. In practice, these paths require the same ownership, review, and offboarding discipline as internal accounts because they can expose the same business impact.

What's in the full article

Enzoic's full retrospective covers the operational detail this post intentionally leaves for the source:

  • Year-by-year breakdown of the healthcare, Salesforce, and credential-breach patterns behind the 2025 retrospective
  • Practical guidance on detecting infostealer-derived credential exposure and validating whether a login is already circulating
  • The source article's discussion of ULP lists, attacker access-broker behaviour, and how those records are used in reuse campaigns
  • Enzoic's recommended hygiene measures for users and organisations, including monitoring and endpoint-driven prevention

👉 Enzoic's full post covers healthcare breach impact, ULP list mechanics, and the practical response actions behind the trends.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org