TL;DR: IBM’s 2025 breach research shows phishing at 16% of incidents and third-party or supply-chain compromise at about 15%, while stolen credentials still drive roughly one in ten breaches and remain among the slowest to detect, according to Enzoic’s analysis of the report. Continuous credential monitoring is now a core containment control because valid logins still outperform many preventive defences.
At a glance
What this is: This analysis argues that credential monitoring is essential because attackers increasingly win by logging in with valid credentials rather than forcing entry.
Why it matters: It matters because IAM, PAM, and NHI teams all depend on knowing when passwords, tokens, or vendor logins have already been compromised before those identities are used for lateral movement or exfiltration.
By the numbers:
- In 2025, phishing rose to the number one attack vector at 16% of breaches.
- 15% of breaches and took nearly nine months
- Breaches initiated with stolen credentials have a mean time to identify and contain of about 246 days.
👉 Read Enzoic’s analysis of why credential monitoring is essential in 2025 breach response
Context
Credential monitoring is the practice of checking whether usernames, passwords, cookies, session tokens, or other secrets have already been exposed or are being traded by attackers. In identity terms, the problem is not only weak password choice. It is the time gap between credential compromise and detection, which gives adversaries a legitimate path into systems that may otherwise look normal.
The article uses IBM’s 2025 breach data to show that the entry method may change, but the identity issue does not. Phishing, infostealer malware, and third-party compromise all converge on the same outcome: attackers obtain valid credentials and use them as a foothold. That is a typical enterprise failure pattern, not an edge case.
For IAM and NHI programmes, this means credential exposure has to be treated as an operational signal, not just a hygiene issue. The question is no longer whether a password or vendor login was technically strong at creation. The question is whether it is still trustworthy after exposure in breach dumps, phishing kits, or partner environments.
Key questions
Q: How should security teams respond when stolen credentials are discovered in breach data?
A: They should treat the finding as an active exposure event, not a background risk note. Confirm whether the credential is still valid, force a reset or revocation path, and check for related session tokens, API keys, or linked accounts. The goal is to cut off reuse before the credential becomes an attacker foothold.
Q: Why do stolen credentials still cause breaches even when MFA is deployed?
A: Because attackers often target the part of the identity flow that MFA does not fully eliminate, such as session tokens, infostealer output, vendor logins, or social engineering against the approved path. If the stolen identity can still be authenticated or reused, MFA alone does not remove the attacker’s access path.
Q: What breaks when organisations do not monitor third-party credentials?
A: Visibility breaks first, then accountability. Partner logins can be compromised outside the primary environment, yet still authenticate into it as legitimate access. Without monitoring, the organisation learns about the problem only after abnormal behaviour, which is often too late to prevent lateral movement or data theft.
Q: Who is accountable when a compromised vendor login is used to access an enterprise environment?
A: Accountability sits with both sides of the access relationship. The vendor must manage its own credential hygiene, but the enterprise remains responsible for deciding what third-party access is trusted, monitored, and rapidly revoked when exposure is found. Shared access does not mean shared control.
Technical breakdown
Why valid credentials bypass normal controls
Once an attacker has valid credentials, many perimeter controls stop being decisive because the session looks like legitimate user activity. That is why stolen passwords, cookies, and session tokens remain so valuable. The article correctly points to phishing, infostealer malware, and third-party compromise as different paths to the same end state: authenticated access that blends into normal traffic. From an identity perspective, this is not simply credential theft. It is trust transfer, where the defender’s own authentication stack becomes the attacker’s entry mechanism.
Practical implication: treat exposed credentials as active intrusion indicators, not as abstract hygiene findings.
How credential monitoring disrupts attacker supply chains
Credential monitoring works because attackers often reuse and resell stolen logins. Initial access brokers harvest credentials, then package and sell them for later use in lateral movement, privilege escalation, or data theft. Continuous screening against breach corpora, paste sites, and dark-web logs shortens the useful life of stolen credentials. For NHI and IAM teams, the technical issue is not volume alone. It is whether detection is fast enough to invalidate the credential before it becomes a reusable access path.
Practical implication: build near-real-time alerting into credential screening so exposed accounts can be reset or challenged before reuse.
Why supply-chain access needs identity-level verification
Third-party compromise is especially difficult because partner traffic often appears legitimate. A vendor account, contractor login, or federated access token can provide a quiet path into the primary environment if there is no independent visibility into compromise. The article highlights a core governance gap: organisations often trust partner identities without continuously checking whether those identities are already exposed elsewhere. In practice, this is where identity and vendor risk management meet.
Practical implication: extend monitoring and response workflows to key third parties, not only internal users.
Threat narrative
Attacker objective: The attacker’s objective is to turn a stolen login into durable, low-noise access that can be monetised through theft, resale, or follow-on intrusion.
- Entry begins when attackers obtain credentials through phishing, infostealer malware, or compromised third-party access, rather than through a noisy exploit. Escalation follows when those credentials are reused on real services, allowing the attacker to authenticate as a legitimate user and move into more sensitive systems. Impact occurs when the login is used for lateral movement, privilege escalation, or exfiltration before the exposure is detected.
Breaches seen in the wild
- GitHub Dependabot Breach — GitHub Dependabot tokens stolen and abused to push malicious commits to repositories.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential exposure, not password weakness, is the real trust failure: The article reflects a broader identity reality that valid credentials have become the attacker’s preferred transport layer. Once a password, cookie, or token is exposed, the security model is no longer about whether authentication works. It is about whether the organisation can still trust the identity after compromise. Practitioners should treat exposed login data as an identity-state change, not a policy exception.
Standing credential trust debt: Credential programmes still assume a login remains trustworthy until someone proves otherwise. That assumption breaks when breach dumps, phishing kits, and infostealer logs can make credentials unsafe long before any user reports a problem. The implication is that identity trust now has to be continuously re-evaluated across human, vendor, and machine accounts, because static trust windows are too long for modern attacker speed.
Third-party identity exposure is a governance blind spot, not just a vendor problem: The article is right to connect supply-chain breaches to compromised credentials because partner access often inherits trust without inheriting visibility. That creates an accountability gap where an external identity can be abused inside the primary environment with little friction. Practitioners should view third-party credential monitoring as part of their own identity perimeter, not as an optional partner control.
Automation is now mandatory for credential defence at scale: Manual review cannot keep pace with mass credential theft, high-volume breach corpora, or rapid resale on underground markets. The article’s argument is strongest where it ties detection to immediate response, because the window between exposure and abuse is often measured in hours, not weeks. Security teams should align screening, alerting, and reset workflows as a single control chain rather than isolated tools.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to Astrix Security & CSA.
- From our research: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to Astrix Security & CSA.
- That visibility gap is one reason credential compromise in partner access remains hard to contain before it reaches production systems.
What this signals
Credential exposure now behaves like a lifecycle event, not a one-time alert. If an identity can be sold, reused, or replayed within minutes, then programme design has to assume compromise can happen between review cycles. Teams responsible for IAM and NHI governance should align monitoring, revocation, and recertification so exposure triggers a bounded response rather than a long investigation.
The practical shift is to treat valid credentials as dynamic risk artefacts. That means tightening controls around password screening, token lifetime, and third-party access visibility, while using resources such as the 52 NHI Breaches Analysis to understand how identity abuse becomes a breach pattern.
For NHI and IAM leaders, the programme question is no longer whether a control exists, but whether it can operate quickly enough against attacker timelines. Where credential theft can be weaponised faster than manual response, automation becomes a governance requirement, not an optimisation choice.
For practitioners
- Continuous credential screening across all identity types Screen employee, contractor, vendor, and privileged credentials against breach corpora, paste sites, and malware logs so exposure is detected before attackers reuse it. Tie findings to automated password resets or session invalidation where the identity type supports it.
- Shorten the exposure-to-response window Route every confirmed exposure into a defined workflow that can reset passwords, revoke session tokens, and force step-up checks before the identity is used again. The control objective is to reduce the time a stolen credential remains valid in the environment.
- Extend monitoring to third-party access paths Include partner users, federated accounts, and contractor logins in the same compromise-detection process as internal identities. Third-party access should be treated as part of the organisation’s identity perimeter, not as a separate risk bucket.
- Prioritise privileged identities for faster containment Escalate alerts for admin accounts, service accounts, and any identity that can reach sensitive systems or data stores. A compromised privileged login converts exposure into impact much faster than a standard user account.
Key takeaways
- Credential monitoring matters because attackers increasingly use valid logins as their primary breach path, not just exploitation.
- IBM’s 2025 data shows phishing at 16% of breaches, third-party compromise at about 15%, and stolen-credential incidents taking around 246 days to identify and contain.
- Security teams should treat exposed credentials as active identity risk and build automated response for users, vendors, and privileged accounts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and exposure handling are central to this article’s identity risk. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article centers on stolen logins being reused for access and movement. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access management are directly implicated by credential compromise. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management governs password and secret handling in this scenario. |
Map exposed-credential workflows to credential access and lateral movement so response starts before reuse.
Key terms
- Credential Monitoring: Credential monitoring is the continuous checking of usernames, passwords, tokens, cookies, and similar secrets for signs of exposure or reuse by attackers. In practice, it turns credential compromise into an actionable identity event rather than a hidden assumption about trust.
- Stolen Credential Reuse: Stolen credential reuse happens when an attacker logs in with valid credentials rather than exploiting a technical vulnerability. It is especially dangerous because the access often appears legitimate to logging and detection systems, which extends dwell time and increases the chance of lateral movement.
- Third-Party Identity Exposure: Third-party identity exposure is the condition where vendor, contractor, or partner credentials are compromised outside the primary enterprise but still grant access into it. The risk is not only external compromise, but inherited trust without equivalent visibility or rapid revocation.
What's in the full article
Enzoic's full article covers the operational detail this post intentionally leaves for the source:
- How continuous credential monitoring is wired to breach databases, paste sites, and dark-web logs.
- How organisations can automate resets, lockouts, and challenge flows after credential exposure is confirmed.
- How vendor and contractor identities are folded into monitoring programs without relying on perimeter controls alone.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org