TL;DR: 2025’s biggest breaches were driven by credential reuse, third-party access, weak logging, delayed detection, and exposed personal data, according to Secureframe’s review of major incidents. The lesson is that access governance, monitoring, and vendor oversight remain the controls most likely to prevent small failures from becoming enterprise-scale events.
At a glance
What this is: This roundup of 2025 data breaches shows that attackers kept exploiting familiar weaknesses, especially compromised credentials, third-party access, and slow detection.
Why it matters: It matters to IAM and broader security teams because the incidents map directly to access governance, privileged control, and lifecycle management failures that affect human and non-human identities alike.
By the numbers:
- small businesses are targeted roughly every 11 seconds, while larger enterprises face more than 1,900 attempted attacks each week.
- roughly 16 billion login credentials compiled from infostealer malware logs, phishing kits, and prior data breaches.
- over 74% of breaches involve the human element, including credential misuse and social engineering.
- nearly 60% of all breaches now originate from a third-party vendor.
👉 Read Secureframe's review of the biggest 2025 data breaches and 2026 controls
Context
2025’s breach landscape shows that the dominant failure mode is still access, not novelty. The article’s core message is that attackers continue to win through reused credentials, delegated third-party access, weak logging, and slow containment, which means identity governance remains a live operational control issue rather than a compliance exercise. For programmes managing both human and non-human identity, the same problem appears in different forms: stale accounts, over-privileged access, and unmonitored vendor connections.
The pattern is consistent across sectors. Whether the entry point was a vendor system, a compromised password, or delayed detection, the organisations involved were usually dealing with gaps in visibility and lifecycle control rather than a single exotic exploit. That makes the article highly relevant to IAM, PAM, NHI, and third-party access governance teams because the breach mechanisms are familiar, repeatable, and largely preventable.
Key questions
Q: What breaks when credential reuse is still allowed in high-value accounts?
A: Credential reuse turns one leaked password into many takeover opportunities because attackers can test it across services at scale. The main failure is not just weak user behaviour, but the absence of controls that block compromised credentials, require phishing-resistant MFA, and detect abnormal login patterns quickly. High-value accounts should never rely on password-only trust.
Q: Why do third-party connections increase breach exposure?
A: Third-party connections increase exposure because they extend your trust boundary into another organisation's identity controls. If vendor accounts, OAuth apps, or shared integrations keep standing access, an attacker can pivot through them without breaching the primary environment first. The risk grows when ownership is unclear and offboarding is weak, because access outlives the relationship that justified it.
Q: How do security teams know whether access abuse is being detected early enough?
A: They look for short dwell time, complete authentication and access logs, and fast correlation between login activity and sensitive data access. If analysts cannot connect those signals quickly, the environment is probably detecting too late. The real test is whether suspicious access can be contained before large-scale data movement begins.
Q: Who is accountable when a vendor platform is the breach entry point?
A: Accountability should be shared across the business owner, the identity team, and the vendor risk function, but the enterprise still owns the decision to grant, scope, and revoke access. Frameworks such as NIST CSF 2.0 and NIST SP 800-53 expect clear ownership for access control, monitoring, and incident response, including third-party relationships.
Technical breakdown
Credential reuse turns one leak into many account takeovers
Credential stuffing works because authentication often treats a password as proof of identity even when that password has already been exposed elsewhere. Infostealer logs, phishing kits, and prior breaches feed attackers with reusable credentials at scale, and automation lets them test those credentials quickly across many services. MFA reduces this risk, but only if it is enforced consistently and paired with anomaly detection. Password reuse becomes especially dangerous where privileged accounts, shared accounts, or external contractor access are not tightly governed.
Practical implication: remove password-only trust from high-value access paths and focus on MFA plus reuse detection for privileged and high-risk accounts.
Third-party access expands the attack surface beyond the core environment
Modern breaches often begin in a vendor’s environment, not the enterprise network itself. A third-party CRM, SaaS connector, or support platform can become the entry point when access scopes are too broad, contracts are weak, or vendor credentials are not monitored. The identity issue is not just vendor risk in the abstract. It is delegated access that persists without enough lifecycle control, review, or revocation discipline. Once a partner connection exists, the enterprise inherits the blast radius if that connection is abused.
Practical implication: treat every vendor login, API connection, and delegated token as governed access that needs inventory, review, and offboarding.
Delayed detection converts a contained compromise into a reportable breach
A breach is often most damaging when defenders find it late. If logs are incomplete, alerts are poorly tuned, or lateral movement is not segmented, attackers have more time to enumerate systems, exfiltrate data, and cause secondary harm such as identity theft or SIM-swap enablement. This is where identity and telemetry intersect: access events must be correlated with host, network, and data movement signals to show whether a credential is being abused rather than merely used. Monitoring without usable audit trails is only partial visibility.
Practical implication: preserve authentication, access, and data-access logs long enough to support rapid containment and forensic reconstruction.
Threat narrative
Attacker objective: The objective is to turn ordinary access into scalable theft of customer data, credentials, and identity material that can be monetised or reused.
- Entry began with exposed or reused credentials, often acquired through infostealer malware, phishing, or a third-party system compromise.
- Escalation followed when attackers used valid access, weak logging, or over-permissioned vendor accounts to move into more sensitive systems and data stores.
- Impact came from data exfiltration, identity theft, SIM-swap risk, and prolonged exposure because defenders detected the abuse late.
NHI Mgmt Group analysis
Credential exposure is now a systemic identity governance problem, not an isolated breach cause. The 16 billion-credential event in the article is a reminder that password reuse and exposed secrets continue to defeat organisations faster than they can remediate them. In identity programmes, the control failure is not simply weak authentication, but the assumption that credentials will remain private long enough to be safe. That assumption no longer holds, especially where privileged access and external access are involved. Practitioners should treat exposed credentials as a standing governance crisis, not a one-time incident.
Third-party access without lifecycle offboarding is a governance gap that keeps producing breaches. The Allianz example shows how a vendor environment can become the breach path even when internal systems remain intact. This is not just third-party risk in the abstract. It is delegated identity that was never sufficiently scoped, monitored, or removed. For identity teams, the practical lesson is that vendor access must be governed with the same lifecycle discipline as employee access, including explicit revocation, auditability, and least privilege.
Detection-response latency is the hidden multiplier in every access-driven breach. Weak logging and delayed discovery give attackers time to turn one access event into many compromised records, which is why monitoring quality matters as much as authentication strength. This aligns with NIST Cybersecurity Framework 2.0 and MITRE ATT&CK techniques around credential access, lateral movement, and exfiltration. Practitioners should stop treating telemetry as a separate security domain and instead tie it directly to access governance outcomes.
Secret sprawl and credential reuse create a repeatable breach pattern that organisations still underprice. When exposed credentials, stale accounts, and vendor tokens all exist at once, the organisation is effectively running multiple parallel identity control failures. That is why the most important governance concept here is not zero-day exposure, but control debt. Teams should measure how much of their identity surface is still reliant on long-lived credentials and unmanaged access paths.
Data breach prevention increasingly depends on how well identity controls are integrated with resilience planning. The article shows that outages, remediation, legal exposure, and customer harm are all downstream of the same access failures. For IAM, PAM, and NHI programmes, that means access governance must be designed for containment as well as prevention. Practitioners should align identity controls with response readiness, not just policy compliance.
What this signals
Credential exposure and delegated access should now be treated as one governance problem. The article’s breach patterns show that human identity, vendor identity, and non-human access are converging into the same operational risk surface. For programmes that already struggle with OAuth visibility, privileged access review, or stale service accounts, the practical next step is to unify those inventories and control points rather than manage them as separate queues.
Static credentials are becoming the wrong default for both human and machine access. As exposed passwords, vendor tokens, and reused logins continue to dominate breach paths, teams should shift toward shorter-lived access, better revocation, and stronger telemetry around use. The Ultimate Guide to NHIs has a useful lifecycle framing here, especially where access must be provisioned, monitored, and removed with evidence.
Control debt is now the better metric than policy count. The organisations most likely to suffer breach impact are not those with no policies, but those with unresolved identity exceptions, unreviewed vendor paths, and weak containment testing. Measuring how many access paths are still outside your governed lifecycle is a better predictor of exposure than counting completed reviews.
For practitioners
- Eliminate password reuse in high-risk access paths Require MFA, block known compromised credentials, and enforce passwordless or phishing-resistant authentication for privileged users, admins, and external partners where possible. Use anomalous login detection to flag credential stuffing patterns before they become account takeover.
- Inventory and govern delegated third-party access Maintain a live inventory of vendor accounts, OAuth connections, service integrations, and support credentials. Assign explicit owners, review access scopes regularly, and revoke access immediately when the business relationship changes.
- Correlate identity events with data-access telemetry Tie authentication logs, privileged session records, and file or database access events together so analysts can see whether valid access is being abused. Retain logs long enough to support forensic reconstruction and regulatory response.
- Test containment against vendor-originated compromise Run tabletop exercises that begin with a third-party account compromise and require teams to isolate the vendor path, preserve evidence, and revalidate access across dependent systems. Include identity and legal stakeholders in the exercise.
- Reduce long-lived credentials and stale accounts Prioritise rotation, removal, and re-authentication for accounts that persist across environments. Focus first on shared credentials, contractor access, and any account that has not been reviewed in the last access cycle.
Key takeaways
- The article shows that most large breaches still begin with familiar access failures, especially credential abuse, third-party exposure, and weak monitoring.
- The scale is material, with billions of exposed credentials and vendor-connected access paths creating a broad attack surface across industries.
- The practical response is stronger identity governance, faster detection, and tighter vendor lifecycle control, because those controls reduce both breach likelihood and breach impact.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0010 , Exfiltration | The article centers on credential misuse, lateral movement, and data theft. |
| NIST CSF 2.0 | PR.AC-4 | Access control and least privilege are central to the breach patterns discussed. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege directly addresses over-scoped accounts and delegated access. |
| CIS Controls v8 | CIS-5 , Account Management | Account lifecycle control is a recurring weakness in the breaches described. |
| NIST AI RMF | MANAGE | AI-driven detection and automation are discussed as containment accelerators. |
Map breach paths to ATT&CK tactics and prioritise detections for credential abuse, movement, and exfiltration.
Key terms
- Credential Stuffing: Credential stuffing is an attack that uses stolen username and password pairs from previous breaches to try logging into other services. It works because many people reuse credentials, and because the login attempt uses valid information, it can look ordinary until the surrounding behavior gives it away.
- Third-Party Access: Third-party access is access granted to vendors, contractors, or support partners who are not direct employees of the organisation. It is higher risk than internal access because accountability, device assurance, and access duration are harder to control, so it usually requires tighter time limits and stronger auditability.
- Detection Latency: Detection latency is the time between attacker activity and defender awareness. Long latency gives an intruder more opportunity to move laterally, exfiltrate data, and increase impact, especially when logs are incomplete or access events are not correlated with data-use signals.
- Control Debt: Control debt is the accumulation of weak, custom, or poorly owned security decisions that make future governance harder. In identity programmes, it appears when exceptions, one-off workflows, and legacy process assumptions become embedded in the access model and are expensive to unwind later.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- Breakdowns of the specific breach narratives behind AT&T, SK Telecom, Yale New Haven Health, and Allianz Life.
- The article's remediation checklists for credential hygiene, vendor governance, logging, and incident response.
- Expanded commentary on why data minimisation and segmentation are framed as resilience controls.
- Secureframe's downloadable 2026 cybersecurity checklist for teams that want an implementation aid.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and lifecycle control. It helps security and identity practitioners build the governance discipline needed to manage access risk across modern identity programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org