By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: ProofpointPublished August 4, 2025

TL;DR: A reported cache of 16 billion credentials is more a reuse event than a fresh breach, but it still fuels credential stuffing, password spraying, and account takeover attempts at scale, according to Proofpoint. The real issue is not discovery volume alone, but how exposed credentials keep defeating identity controls built around static trust assumptions.


At a glance

What this is: This is an analysis of how resurfaced credentials drive account takeover risk, with the key finding that old, reused passwords can still power large-scale credential attacks.

Why it matters: It matters because IAM teams must defend not just against fresh compromise, but against reused secrets, weak MFA, and post-login abuse across human, NHI, and cloud identities.

👉 Read Proofpoint's analysis of the 16 billion credential collection and account takeover risk


Context

Credential reuse turns stale data into active attack infrastructure. When old passwords reappear in large collections, attackers can automate credential stuffing, password spraying, and account takeover across email, VPN, cloud, and SSO entry points. The primary identity problem is not the age of the password leak, but the persistence of trust in credentials that have already left the organisation's control.

For identity programmes, this is a human IAM problem that quickly becomes an enterprise access problem. Once an attacker gets a valid login, the next stage is often post-authentication abuse, including mailbox rule changes, session hijack, OAuth grant abuse, and internal phishing from trusted accounts.


Key questions

Q: How should security teams respond when credentials are exposed at massive scale?

A: Start with session invalidation, then rotate or revoke the affected secrets, tokens, and passwords. After that, map the exposed identities to privileged access paths, service accounts, and third-party integrations. The key is to treat exposed credentials as active until proven otherwise, especially when cookies or persistent sessions may still work.

Q: Why do exposed credentials still matter if there was no new breach?

A: Because old credentials remain usable wherever accounts, passwords, and recovery flows still trust them. Attackers do not need a fresh breach if they can automate login attempts against live services. Even stale data becomes dangerous when users reuse passwords and identity systems continue to accept them.

Q: What do teams get wrong about MFA after credential theft?

A: They often assume MFA alone closes the gap. In practice, adversaries can bypass it through phishing proxies, SIM swapping, social engineering, or session theft after login. Security teams need phishing-resistant MFA, tighter session controls, and monitoring for post-authentication abuse, not just more login prompts.

Q: Who is accountable when email impersonation leads to account takeover?

A: Accountability sits with the organisation that owns the sender domain, the security team operating mail authentication, and the business owners responsible for customer communication. If brand trust is weak, those functions have to coordinate the controls and maintain them over time.


Technical breakdown

Why reused credentials still succeed at scale

Credential stuffing works because attackers do not need to break authentication when users have reused passwords across services. Large credential collections are paired with automation that tests logins across common identity providers and cloud applications. Even stale credentials can succeed if they still map to live accounts, weakly protected SSO portals, or services where MFA is absent, misconfigured, or bypassable through recovery flows. The practical challenge is that the value of a credential is determined at login time, not breach time.

Practical implication: prioritise exposed-credential detection and block known-compromised logins before they reach SSO or cloud services.

How adversaries bypass MFA after credential exposure

Credential theft is often only the first step. Adversaries increasingly use SIM swapping, social engineering, MFA fatigue, and adversary-in-the-middle proxy phishing to capture session tokens or authenticate as the user. Once a session cookie is stolen, the attacker may bypass the MFA control entirely because the session already appears trusted. This shifts the control question from password strength alone to the resilience of the full authentication chain, including device trust, session handling, and phishing-resistant methods.

Practical implication: move high-risk users and privileged roles to phishing-resistant MFA and harden session controls, not just password policy.

What happens after account takeover inside email and cloud

Post-login abuse is often the real impact zone. Once inside an email or cloud account, attackers can create mailbox rules, delete messages, access files, harvest contact lists, and send convincing phishing or BEC messages from trusted identities. In cloud environments, they may also inspect connected applications, OAuth grants, and privileged admin paths. This makes detection harder because malicious activity is blended into legitimate user behaviour and often occurs without new malware or obvious exploitation.

Practical implication: monitor post-login actions such as mailbox rule creation, OAuth consent, and unusual delegation changes, not just login success.


Threat narrative

Attacker objective: The attacker wants durable access through trusted identities so they can steal data, spread phishing, and move into connected cloud and email systems with minimal detection.

  1. Entry begins with reuse of exposed or recycled credentials in credential stuffing and password spraying campaigns against email, VPN, cloud, and SSO targets.
  2. Escalation follows when the attacker bypasses or defeats MFA through proxy phishing, SIM swapping, social engineering, or session cookie theft from adversary-in-the-middle attacks.
  3. Impact occurs through account takeover, mailbox rule manipulation, internal phishing, cloud access, and theft or deletion of sensitive data from trusted accounts.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Credential reuse has become an identity supply chain problem, not just a user hygiene problem. The article shows how older credentials, once aggregated, are repackaged into automation against modern identity systems. That means the organisation's exposure is determined by password reuse, account persistence, and how quickly compromised credentials are recognised as active attack material. Practitioners should treat exposed-credential intelligence as a live access-control input, not a retrospective incident metric.

Post-login control is now as important as authentication itself. The article correctly shifts attention from login success to what happens after access is granted. Mailbox rules, OAuth grants, session cookies, and connected apps are where credential compromise becomes operational damage. IAM and PAM teams need to view the post-authentication surface as a governed access layer, not a secondary investigation zone.

Standing trust in dormant credentials is the named governance flaw. Static passwords and long-lived session assumptions were designed for identities that would fail visibly when compromised. That assumption breaks when old credentials are continuously re-used at machine speed across email, cloud, and federation systems. The implication is that identity programmes must stop treating credential exposure as a one-time event and start treating it as a persistent trust debt.

Human account compromise now has non-human blast radius. A single stolen login can expose SaaS integrations, OAuth grants, cloud workspaces, and administrative functions that behave like non-human identities once accessed. This is why NHI governance and human IAM can no longer be managed as separate silos. Practitioners need a single view of credential risk, privilege sprawl, and delegated access across both people and systems.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
  • For a broader view of identity compromise patterns, see The 52 NHI breaches Report, which maps repeated failure modes across real incidents.

What this signals

Credential exposure is now a cross-domain governance issue. Human account takeover often becomes a route into SaaS integrations, cloud permissions, and machine-facing connectors that were never designed for consumer-style abuse. Identity programmes should therefore track exposed credentials, delegated access, and privileged sessions in one operational view rather than splitting them across separate teams.

The practical signal is that detection logic must move beyond login anomalies. Mailbox-rule creation, OAuth consent changes, and suspicious post-login activity are often the first reliable signs that a valid identity has already been weaponised, and those events should feed response playbooks directly.

For teams already building lifecycle controls, the next step is linking credential risk to offboarding, privilege review, and access re-certification. Old credentials are only harmless when the surrounding access paths are no longer live; otherwise they remain reusable trust assets.


For practitioners

  • Block known-compromised credentials at authentication time Feed exposed-password intelligence into identity provider controls so reused credentials are rejected before they can reach email, VPN, cloud, or SSO entry points.
  • Prioritise phishing-resistant MFA for high-value users Move administrators, finance, help desk, and executives to phishing-resistant methods and review recovery paths that still allow password-based fallback.
  • Audit post-login abuse paths in cloud and email Look for mailbox rule changes, new OAuth grants, unusual delegation, and session token reuse because these are common next steps after takeover.
  • Remove dormant access that remains reachable through trust chains Revoke old app grants, cached credentials, and unused accounts that can be reactivated by attackers even when the primary password is no longer obvious.
  • Drill account takeover response as an identity containment exercise Predefine how to suspend sessions, reset credentials, revoke OAuth access, and verify disclosure scope before the attacker finishes using the account.

Key takeaways

  • Resurfaced credentials remain operationally dangerous because attackers can automate reuse at scale across live identity systems.
  • The strongest evidence is post-login abuse: once an attacker gets in, mailbox rules, OAuth grants, and session tokens become the real control points.
  • Teams should pair exposed-credential blocking with phishing-resistant MFA and post-authentication monitoring to reduce takeover impact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Account takeover risk maps directly to access permission management and least privilege.
NIST SP 800-53 Rev 5IA-5Credential management is central to repeated password reuse and stale login risk.
NIST Zero Trust (SP 800-207)Zero trust is relevant because valid credentials alone should not confer broad trust.
OWASP Non-Human Identity Top 10NHI-03Credential rotation and exposure handling are core non-human identity controls.
MITRE ATT&CKTA0006 , Credential Access; TA0001 , Initial Access; TA0009 , CollectionThe article describes credential-based entry and downstream collection behaviour.

Use the listed tactics to align detections with stuffing, token theft, and post-login collection activity.


Key terms

  • Account Takeover: Account takeover is unauthorized use of a legitimate account after an attacker obtains valid access through stolen credentials, tokens, or trusted integrations. The key security problem is that the resulting activity often looks normal to logs and controls, which makes containment and attribution harder than in a forced-entry breach.
  • Adversary-in-the-middle phishing: A phishing method that places an attacker between the user and the real identity provider so the attacker can intercept or relay the authenticated session. It often preserves the user experience, which is why it can evade awareness and some detection paths while still producing usable session tokens.
  • Post-Authentication Abuse: Post-authentication abuse happens when an attacker uses valid credentials to perform actions after login rather than breaking authentication itself. For NHI environments, this often means abusing tokens, service accounts, or delegated access to query data, move laterally, or establish persistence while appearing legitimate to basic login controls.
  • Exposed Credential Intelligence: Exposed credential intelligence is the use of breach, leak, and dark web data to identify credentials that attackers can still test against live systems. For identity teams, it is an operational signal that should influence access blocking, resets, monitoring, and response priorities.

What's in the full article

Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of how attackers chain credential stuffing into account takeover across email, VPN, and cloud services.
  • Specific guidance on MFA hardening, including phishing-resistant options and recovery-flow review points.
  • Response steps for suspending accounts, removing malicious mailbox rules, and revoking unauthorized OAuth applications.
  • Behavioural and threat-intelligence signals used to detect post-login abuse in real time.

👉 The full Proofpoint post covers mitigation steps, detection guidance, and incident response for account takeover scenarios.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org