By NHI Mgmt Group Editorial Team
Published: 2026-05-20
Domain: Governance & Risk
Source: Push Security

TL;DR: Credential reuse, weak authentication, and shadow SaaS keep turning stolen logins into account takeovers, with Push citing that 1 in 4 observed logins were password-based, 2 in 5 lacked MFA, and 1 in 5 used weak, breached, or reused passwords. The governance problem is no longer awareness, but that identity controls still cannot distinguish active risk from historical exposure.


At a glance

What this is: This is Push Security’s webinar analysis of why credential-based attacks still work, showing that password reuse, missing MFA, and unmanaged SaaS logins keep defeating human and technical controls.

Why it matters: It matters because IAM, NHI, and PAM teams must treat credential exposure, login behavior, and shadow access as one control problem rather than separate hygiene tasks.

By the numbers (Push Security's observed login data):

  • 1 in 4 observed logins were password-based.
  • 2 in 5 observed logins lacked MFA.
  • 1 in 5 observed logins used weak, breached, or reused passwords.

👉 Watch Push Security's webinar on credential compromise, ghost logins, and MFA gaps


Context

Credential compromise remains one of the best-understood yet least-contained identity risks in enterprise security. The problem is not just stolen passwords, but the mix of password-based login, reused credentials, missing MFA, and SaaS accounts that sit outside the identity provider’s line of sight.

The webinar uses Troy Hunt’s breach-data perspective to show why exposure data alone is not enough. For IAM teams, the important question is no longer whether credentials have leaked, but which ones are still active, which apps still accept them, and which access paths remain invisible to the programme.


Key questions

Q: What breaks when credential exposure data is not matched to live authentication behaviour?

A: Breach intelligence becomes too noisy to support action, because it cannot distinguish a live account from a departed employee, a false address, or a credential that is no longer in use. Without telemetry from the authentication layer, teams end up chasing exposure rather than risk. The useful control is correlation, not notification volume.

Q: Why do shadow SaaS apps make identity risk harder to contain?

A: They create login paths that sit outside the IdP, so central policy, MFA assumptions, and access reviews only cover part of the real attack surface. A user can authenticate to an unmanaged app with a corporate email address and a reused password, even when the directory looks clean. That gap turns identity governance into an incomplete map.

Q: How do security teams know whether MFA is actually reducing takeover risk?

A: MFA is working when password replay falls, phishing-resistant methods replace phishable factors, and post-authentication abuse metrics decline. If token replay, consent abuse, or session hijacking still succeed, the organisation has only shifted the attack rather than reduced it. Effectiveness must be measured after login, not just at enrolment.

Q: Who is accountable when a stale password login path is still available after SSO adoption?

A: Accountability sits with the team that owns application access governance, because the control failure is not user behaviour alone. If a SaaS app still accepts a local password, the organisation has accepted a parallel identity model that defeats central policy. Access ownership must include every live authentication method, not just the directory record.


Technical breakdown

Why breach intelligence creates false confidence in credential risk

Breach intelligence tells you that credentials exist in leaked datasets, but it does not prove whether those credentials are still live, tied to an active account, or usable in the current login path. That is why organisations often get overloaded with noise from departed employees, fabricated addresses, and stale SaaS registrations. The technical problem is correlation: leaked identity data only becomes actionable when it is matched to observed authentication behaviour. Without that join, the signal is too broad to drive response and too weak to support enforcement.

Practical implication: correlate breach feeds with live authentication telemetry before deciding which accounts to investigate or lock.

Ghost logins, SaaS sprawl, and the limits of SSO

A ghost login is a local authentication path that keeps working even after an organisation believes a user has moved fully to SSO. These paths persist because SaaS adoption often outgrows central identity governance, especially when employees create accounts with corporate email addresses but outside sanctioned onboarding. Once that happens, the directory view and the real login surface diverge. The result is an identity perimeter defined by actual user behaviour, not by the IdP record.

Practical implication: inventory live login methods, not just assigned applications, and remove any local password path that bypasses central controls.

Why MFA reduces exposure but does not end account takeover

MFA is a strong control against simple password replay, but it is not a complete defence once attackers move to token theft, AiTM phishing, session hijacking, or OAuth abuse. The webinar’s core point is that many teams stop at enrolment metrics and miss post-authentication attack paths entirely. That matters because the control objective changes from blocking login to protecting the authenticated session. When token material can be replayed, the credential problem becomes a session integrity problem.

Practical implication: pair MFA enforcement with session monitoring and phishing-resistant authentication where the application stack supports it.


Threat narrative

Attacker objective: The attacker’s objective is to turn one compromised identity into repeatable access across multiple SaaS services and identity-controlled workflows.

  1. Entry begins when attackers obtain reused passwords, phished OTPs, or token material from breach datasets, infostealer logs, or phishing infrastructure.
  2. Credential access is sustained through password-based SaaS logins, ghost logins outside SSO, and MFA gaps that still allow replay or enrolment bypass.
  3. Impact is account takeover across SaaS and identity services, followed by lateral movement into adjacent apps, data exposure, and repeat compromise through the same identity reuse pattern.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Credential exposure data has limited value until it is joined to live authentication behaviour. Breach notifications by themselves create a false sense of visibility because they do not show whether a credential is still active, whether the account still exists, or whether the login path is even governed by SSO. The field keeps treating compromise data as if it were a response trigger, when in practice it is only a lead. Practitioners should treat exposure data as an enrichment layer, not a control.

Ghost logins are an identity governance failure, not just an authentication nuisance. Once a SaaS app still accepts a local password after SSO has been adopted, the organisation has two parallel trust models with different risk profiles. That creates invisible access paths, inconsistent policy enforcement, and response delays when the only evidence lives outside the IdP. The implication is that IAM scope has to extend to live authentication methods, not just application assignment.

Phishing-resistant MFA is necessary, but it does not neutralise post-authentication identity compromise. The conversation shows how token replay, consent abuse, and browser-session theft move the attack beyond the login event. That means the discipline has to shift from protecting the credential alone to governing the authenticated session, especially where SaaS and browser-based access are the norm. Practitioners should stop treating MFA completion as proof of safety.

Identity surface area now extends well beyond the corporate directory. Employees routinely maintain multiple SaaS accounts, many outside central oversight, which means the real attack surface is the intersection of browser behaviour, shadow applications, and stale credentials. That is why traditional access review cadences lag behind the pace of credential exposure. IAM programmes should reframe access as a living attack surface, not a static assignment list.

Credential compromise is now a repeatable industrial pattern, not an exceptional breach event. When the same replayable login paths keep succeeding, the failure is structural and the control model is overdue for re-scoping. The practical conclusion is that organisations need a governance model that can observe, classify, and suppress live credential use across sanctioned and unsanctioned apps.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • That pattern makes the case for closer analysis in 52 NHI Breaches Analysis, where repeated identity failure modes show how compromise scales across environments.

What this signals

Credential compromise is becoming a cross-domain governance problem. The same identity surface now spans employees, service accounts, and AI-enabled access paths, so programme owners cannot isolate human login hygiene from broader identity assurance. When unmanaged SaaS and browser sessions sit outside the directory, the control model has already lost part of the battle.

Shadow access is the next operational blind spot. As login behaviour becomes the most reliable source of truth, teams need discovery processes that find what people actually use, not just what has been assigned. That is why the browser layer is increasingly central to visibility, recertification, and incident containment.

Organisations that still measure success by MFA enrolment alone will miss the real failure mode. The risk is no longer just weak authentication, but the combination of live credential replay, parallel logins, and post-authentication abuse. Teams that want durable reduction need identity telemetry, not just policy compliance.


For practitioners

  • Correlate breach exposure with live login telemetry: Join breach notification feeds to browser-observed authentication events so that stale, departed, or fabricated identities do not consume response effort. Prioritise accounts that show active use in the last 30 days and suppress alerts for identities that no longer authenticate.
  • Eliminate local password paths in SaaS apps: Find every application that still permits direct password login after SSO is enabled, then disable the fallback or force migration. Ghost logins are especially dangerous when the application is not visible in the IdP but still accepts the corporate email address.
  • Treat MFA as a baseline, not a finish line: Enforce MFA everywhere, then add session controls for token replay, OAuth consent abuse, and browser-based hijacking. Passwordless or phishing-resistant methods should be paired with detection for post-authentication abuse, not used as a stand-alone success metric.
  • Map shadow SaaS from actual user behaviour: Use observed login events to discover unsanctioned applications that employees have adopted outside standard onboarding. Remove or govern the accounts that appear in browser telemetry but not in the identity catalog, because those are often the ones attackers exploit first.
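As an added example (not Push Security's or NHIMG's code), the credential correlation from the Technical breakdown and the first two practitioner items above, run over constructed breach-feed and login-telemetry records: each exposed address is classified by what the telemetry shows, ghost logins and shadow-SaaS password logins are ranked first, and identities that no longer authenticate are suppressed. The record formats, the 30-day window, the sanctioned-app list and the verdict names are assumptions.

```python
"""Credential correlation: join a breach-exposure feed to observed login telemetry.
Added example, not Push Security's or NHIMG's code; formats, window and app list are assumed."""
from datetime import datetime, timedelta, timezone
# Constructed breach feed: exposed corporate addresses and the dataset they came from
BREACH_FEED = [
    {"email": "alice@example.com", "source": "combolist-2025"},
    {"email": "bob@example.com", "source": "stealer-log-2026"},
    {"email": "ghost@example.com", "source": "combolist-2025"},
    {"email": "nobody@example.com", "source": "combolist-2025"},  # fabricated, never logs in
]
# Constructed browser-observed authentication events (app, method, UTC timestamp)
LOGIN_EVENTS = [
    {"email": "alice@example.com", "app": "crm.example", "method": "password", "ts": "2026-05-18T09:12:00Z"},
    {"email": "alice@example.com", "app": "idp-sso", "method": "sso", "ts": "2026-05-19T08:01:00Z"},
    {"email": "bob@example.com", "app": "notes.example", "method": "password", "ts": "2026-05-15T14:30:00Z"},
    {"email": "ghost@example.com", "app": "crm.example", "method": "password", "ts": "2025-11-02T10:00:00Z"},
]
SANCTIONED_APPS = {"idp-sso", "crm.example"}  # assumed IdP application catalogue
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
ACTIVE_WINDOW = timedelta(days=30)
# Lower = investigate first; 'stale' and 'no-login-observed' are exposure without live risk
PRIORITY = {"shadow-saas": 0, "ghost-login": 1, "active-sso": 2, "stale": 3, "no-login-observed": 4}

def classify(feed=BREACH_FEED, events=LOGIN_EVENTS, sanctioned=SANCTIONED_APPS, now=NOW):
    """Map each exposed email to a verdict based on what the login telemetry shows."""
    by_email = {}
    for e in events:
        by_email.setdefault(e["email"], []).append(e)
    verdicts = {}
    for entry in feed:
        email = entry["email"]
        recent = [e for e in by_email.get(email, [])
                  if now - datetime.fromisoformat(e["ts"].replace("Z", "+00:00")) <= ACTIVE_WINDOW]
        if email not in by_email:
            verdicts[email] = "no-login-observed"  # departed or fabricated identity: suppress
        elif not recent:
            verdicts[email] = "stale"  # account seen before, but nothing inside the window
        elif any(e["method"] == "password" and e["app"] not in sanctioned for e in recent):
            verdicts[email] = "shadow-saas"  # password login to an app the IdP does not govern
        elif any(e["method"] == "password" for e in recent):
            verdicts[email] = "ghost-login"  # a sanctioned app still accepts a local password
        else:
            verdicts[email] = "active-sso"  # exposed, but every recent login went through SSO
    return verdicts

def triage(verdicts):
    """(email, verdict) pairs, highest risk first; the suppressed classes are dropped."""
    live = [(m, v) for m, v in verdicts.items() if PRIORITY[v] <= PRIORITY["active-sso"]]
    return sorted(live, key=lambda mv: PRIORITY[mv[1]])
```

With the constructed data, `triage(classify())` puts bob (password login to an ungoverned app) ahead of alice (a live password path on a sanctioned app) and drops the stale and never-seen addresses.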

Key takeaways

  • Credential compromise keeps working because identity controls still leave room for password reuse, shadow SaaS, and stale login paths.
  • Push’s observed login data shows that weak authentication remains common enough to make account takeover a structural programme issue, not an edge case.
  • IAM teams should move from static credential hygiene to live identity telemetry, because that is where the actionable signal now sits.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AA-1 | Authentication assurance is central to stopping reused credentials and ghost logins. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Credential exposure and reuse are core NHI failure modes reflected in this webinar. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification across SaaS and browser sessions. |

Extend trust evaluation beyond initial login and enforce session controls for replay and consent abuse.


Key terms

  • Ghost Login: A ghost login is a direct authentication path that remains active after an organisation believes it has moved to central single sign-on. It creates a parallel trust model that can still accept passwords, so the identity team sees one policy posture while attackers exploit another.
  • Post-authentication Abuse: Post-authentication abuse is compromise that happens after a user or account has successfully logged in. It includes session hijacking, token replay, OAuth consent abuse, and similar actions that bypass password checks by attacking the authenticated state instead of the login event.
  • Shadow SaaS: Shadow SaaS is software that employees use without full identity governance, often created with corporate email addresses but outside sanctioned onboarding. It expands the real attack surface beyond the directory and makes access reviews incomplete unless they include observed usage.
  • Credential Correlation: Credential correlation is the practice of matching leaked or breached credential data with live authentication telemetry. It turns noisy exposure intelligence into operationally useful evidence by showing which accounts are active, where they log in, and whether the compromise is still exploitable.

Deepen your knowledge

Credential compromise, shadow SaaS, and MFA limits are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity governance across human and machine access paths, it is worth exploring.

This post draws on content published by Push Security: Troy Hunt on why credential attacks keep working. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org