By NHI Mgmt Group Editorial Team
Published 2026-01-28
Domain: Governance & Risk
Source: Delinea

TL;DR: December 2025 incidents showed that valid credentials, tokens, and service accounts let attackers bypass perimeter controls, persist quietly, and monetize later across supply chain, insider, and ransomware cases, according to Delinea Labs’ January 2026 threat outlook. Static authentication assumptions are failing because trusted access now behaves like attack infrastructure, not a one-time check.


At a glance

What this is: This is Delinea Labs’ January 2026 threat outlook on how valid credentials, tokens, and service accounts were abused across recent breaches and identity-first intrusions.

Why it matters: It matters because IAM, NHI, and PAM teams have to treat authentication, offboarding, rotation, and privilege scope as continuous controls rather than one-time gates.

By the numbers:

👉 Read Delinea's January 2026 outlook on credential theft at scale


Context

Credential theft has become an identity governance problem, not just an intrusion problem. When valid tokens, service accounts, and orphaned accounts can be reused as trusted access, defenders lose the signal that normally separates normal authentication from compromise.

Delinea’s January outlook argues that December 2025 reinforced a pattern security teams already know but still under-implement: attacks increasingly begin with legitimate access. That shifts the control focus to lifecycle management, session validation, and ongoing privilege monitoring across human identities and NHIs.

The breaches described in the source are typical of the current threat landscape, not outliers. They show how delayed detection, weak offboarding, and over-broad access combine into long dwell times and large downstream impact.


Key questions

Q: What breaks when organisations trust successful authentication as proof of legitimacy?

A: Successful authentication stops being a reliable trust signal when stolen credentials, tokens, or orphaned accounts can be reused inside production systems. Teams then miss the distinction between valid login and valid intent, which allows attackers to persist, move laterally, and act through normal workflows. Monitoring must therefore include identity behaviour, ownership, and entitlement context, not login success alone.

Q: Why do service accounts and tokens create more risk than a single login event?

A: Service accounts and tokens often outlive the user, system, or purpose that created them, which makes them durable attack infrastructure. Once compromised, they can be reused quietly across pipelines, cloud services, and SaaS platforms without user-centric controls like MFA. That combination of longevity and low visibility makes them especially dangerous in modern environments.

Q: How do organisations know whether identity controls are actually working?

A: Identity controls are working when access is revoked promptly, scope is narrow, and unusual use of credentials is detected before business impact. Good signals include fast offboarding, low numbers of dormant secrets, ownership for every account, and behaviour-based alerts on token reuse or unexpected publishing. If those signals are weak, the controls are mostly theoretical.

Q: Who is accountable when a former employee account or stolen token is used in a breach?

A: Accountability sits with the organisation that failed to revoke, monitor, or scope the identity before it was abused. In practice that means IAM, platform, application, and security owners all share responsibility for lifecycle closure and privileged access oversight. If no one owns revocation, no one controls persistence.


Technical breakdown

Why valid credentials become durable attack infrastructure

Valid credentials change the attack model because they let an adversary operate inside trusted workflows instead of bypassing them. Tokens, API keys, service accounts, and inherited access often bypass MFA and user-centric detection, which means the access path looks routine even when the actor is hostile. In NHI environments, that routine access can persist across systems, cloud services, and automation pipelines. The core issue is not just credential theft, but the fact that many control stacks still treat valid authentication as evidence of legitimate intent.

Practical implication: correlate authentication events with behaviour, entitlement scope, and offboarding state rather than trusting successful login alone.

How delayed token abuse expands the blast radius

Delayed abuse occurs when credentials stolen earlier are reused much later through legitimate channels, such as package publishing, SaaS access, or internal tooling. The attacker benefits from temporal distance because the initial compromise and the later monetisation step are separated, making attribution and containment harder. This is especially dangerous for developer and automation identities because their access often outlives the moment of compromise. Once a trusted token is repurposed, the platform may enforce the attacker’s actions as if they were authorised operations.

Practical implication: shorten credential lifetime and tie high-risk publishing or administrative actions to step-up verification and just-in-time approval.

Why offboarding failures turn access into persistence

Failed offboarding creates an identity that no longer has a business owner but still has functional access. That is not a policy lapse in the abstract; it is persistence by administration failure. When former employee accounts, dormant service accounts, or unrevoked third-party grants remain active, they become low-noise entry points for attackers and highly durable lateral movement paths. In a mature governance model, the question is not whether the account once belonged to a legitimate user, but whether anyone still has accountable control over it.

Practical implication: make revocation, review, and ownership checks mandatory in every joiner-mover-leaver flow, including vendors and automation accounts.
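The three "practical implication" lines above describe one correlation rule: a successful login is only the starting point, and the verdict comes from ownership and offboarding state, granted scope, credential age, and whether a high-risk action carried step-up verification. The script below is an added example of that rule, written for this summary; it is not code from the Delinea outlook or from NHI Mgmt Group. Every identity, event, field name and policy threshold in it is constructed for the demonstration.

```python
"""Correlate successful authentication events with identity lifecycle context.

Added example, not code from the Delinea outlook or from NHI Mgmt Group.
Every identity, event, field name and policy threshold below is constructed
for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Assumed policy: maximum credential age per action class, and which actions
# count as high risk and therefore need step-up / just-in-time approval.
MAX_CREDENTIAL_AGE = {
    "admin": timedelta(days=1),
    "publish": timedelta(days=7),
    "read": timedelta(days=90),
}
HIGH_RISK_ACTIONS = {"admin", "publish"}


@dataclass
class Identity:
    name: str
    kind: str                   # "user" | "service_account" | "token"
    owner: Optional[str]        # accountable human; None means orphaned
    owner_active: bool          # False once the owner has been offboarded
    issued_at: datetime         # when the credential was minted
    scopes: FrozenSet[str]      # granted action classes


@dataclass
class AuthEvent:
    identity: str
    at: datetime
    action: str                 # "read" | "publish" | "admin"
    success: bool
    step_up: bool = False       # MFA or JIT approval attached to this action


def assess(event: AuthEvent, inventory: Dict[str, Identity]) -> List[str]:
    """Return findings for one event; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not event.success:
        return findings         # failed logins are a separate detection; this is about valid access
    ident = inventory.get(event.identity)
    if ident is None:
        return ["unknown identity: no inventory record, so no accountable owner"]
    if ident.owner is None:
        findings.append("orphaned identity: no accountable owner")
    elif not ident.owner_active:
        findings.append(f"owner {ident.owner} is offboarded but the identity still authenticates")
    if event.action not in ident.scopes:
        findings.append(f"action {event.action!r} is outside the granted scope")
    limit = MAX_CREDENTIAL_AGE.get(event.action, MAX_CREDENTIAL_AGE["read"])
    age = event.at - ident.issued_at
    if age > limit:
        findings.append(f"credential age {age.days}d exceeds the {limit.days}d limit for {event.action!r}")
    if event.action in HIGH_RISK_ACTIONS and not event.step_up:
        findings.append(f"high-risk action {event.action!r} without step-up verification")
    return findings


def triage(events: List[AuthEvent], inventory: Dict[str, Identity]) -> Dict[str, List[str]]:
    """Map 'identity#index' to findings for every event that raised any."""
    out: Dict[str, List[str]] = {}
    for i, ev in enumerate(events):
        found = assess(ev, inventory)
        if found:
            out[f"{ev.identity}#{i}"] = found
    return out


# Constructed sample inventory and event stream (not real data).
NOW = datetime(2025, 12, 15, 9, 0, tzinfo=timezone.utc)
INVENTORY = {
    "ci-publisher": Identity("ci-publisher", "token", "alice", True, NOW - timedelta(days=120), frozenset({"read", "publish"})),
    "svc-backup":   Identity("svc-backup", "service_account", None, True, NOW - timedelta(days=400), frozenset({"read"})),
    "bob":          Identity("bob", "user", "bob", False, NOW - timedelta(days=600), frozenset({"read", "admin"})),
    "deploy-bot":   Identity("deploy-bot", "token", "carol", True, NOW - timedelta(days=2), frozenset({"read", "publish"})),
}
EVENTS = [
    AuthEvent("ci-publisher", NOW, "publish", True),              # stale token publishing, no step-up
    AuthEvent("svc-backup", NOW, "read", True),                   # orphaned, long-lived service account
    AuthEvent("bob", NOW, "admin", True, step_up=True),           # offboarded user still logging in
    AuthEvent("deploy-bot", NOW, "publish", True, step_up=True),  # fresh token, approved publish: clean
    AuthEvent("deploy-bot", NOW, "admin", True, step_up=True),    # scope creep on a publish-only token
    AuthEvent("bob", NOW, "read", False),                         # failed login: out of scope here
]

if __name__ == "__main__":
    for key, found in triage(EVENTS, INVENTORY).items():
        print(key, "->", "; ".join(found))
```

Only the approved, two-day-old publish token comes back clean; every other successful login is flagged on context that the login event itself does not carry. The thresholds are deliberately a policy table rather than hard-coded checks, so tightening admin lifetime or adding an action class is a data change, not a code change.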


Threat narrative

Attacker objective: The attacker aims to turn legitimate identity into covert persistence, then monetise that access through theft, distribution, or extortion.

  1. Entry occurred through compromised credentials, stolen tokens, or orphaned access that allowed the attacker to authenticate successfully inside trusted systems.
  2. Escalation followed when those valid identities were reused across developer, automation, or internal platforms, expanding access without triggering many traditional alarms.
  3. Impact came later through data theft, malicious distribution, ransomware staging, or prolonged unauthorised access that remained hidden until business damage was already underway.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Authentication has become attack infrastructure, not a trust signal. The source correctly frames December’s incidents as identity misuse rather than exploit-led compromise. That matters because a successful login no longer tells you whether access is legitimate, only that the credential was accepted. For IAM and NHI governance, the real control question is whether the identity should have existed, remained valid, or retained that level of scope in the first place. Practitioners should treat successful authentication as a starting point for inspection, not as proof of safety.

Delayed credential abuse is a governance failure, not just an incident-response problem. When stolen tokens are reused months later, the gap is not only in detection but in lifecycle control, revocation discipline, and publishing trust. This is where NHI governance overlaps with software supply chain security, because developer credentials, package-maintainer access, and cloud tokens all behave as long-lived attack infrastructure when left unmanaged. The practitioner conclusion is simple: lifecycle ownership must match the actual operational lifetime of the credential.

Offboarding gaps create identity persistence that attackers can inherit. The Coupang example shows what happens when a former employee account is never fully revoked. That pattern is the same governance failure seen across orphaned service accounts and abandoned third-party grants, where access survives the business relationship that justified it. The implication is that identity programmes need accountable closure, not just initial provisioning, because forgotten access becomes ready-made persistence.

Identity-first ransomware succeeds because access looks normal until impact appears. The article’s ransomware examples reinforce that adversaries do not need novel malware if they can authenticate early, move laterally with valid privileges, and wait to detonate. This is precisely why NIST CSF 2.0 and NIST Zero Trust (SP 800-207) controls around continuous verification, privilege minimisation, and anomaly detection matter across human and machine identities. Practitioners should measure whether their controls can distinguish authorised access from authorised-looking abuse.

Runtime trust debt is now the right named concept for this pattern. Credentials, tokens, and service accounts accumulate trust faster than organisations retire, review, or scope them. That debt grows every time a credential is embedded in code, granted to a third party, or allowed to outlive its business purpose. The practical implication is that security teams need to manage identity expiry as aggressively as they manage incident containment.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, showing that credential abuse is already a dominant breach pattern.
  • That is why practitioners should also review 52 NHI Breaches Analysis for concrete failure patterns, root causes, and recurring control gaps.

What this signals

Runtime trust debt: identity programmes accumulate risk whenever credentials outlive the business purpose that created them. For IAM and NHI teams, the signal to watch is not just credential volume, but whether ownership, revocation, and access scope keep pace with change across people, systems, and vendors.

Delinea’s outlook reinforces the need for identity telemetry that spans users, tokens, and service accounts in one view. That aligns with our Ultimate Guide to NHIs and Static vs Dynamic Secrets, because the strategic question is no longer whether a credential is valid, but whether it should still be valid.

For programme owners, the practical shift is toward continuous access closure, not periodic review alone. If your controls cannot flag orphaned access, stale secrets, and unusual publishing or automation behaviour, then your governance model is still treating identity as a point-in-time event rather than an ongoing control surface.


For practitioners

  • Inventory credential-bearing identities continuously: Map service accounts, API keys, tokens, developer credentials, and former employee access together so dormant trust does not hide in separate systems. Include third-party grants and automation identities in the same ownership model.
  • Shorten the usable life of high-risk credentials: Reduce credential lifetime for publishing, cloud administration, and CI/CD access, then require just-in-time elevation for the actions that create real blast radius. Long-lived secrets should be exceptional, not default.
  • Tie revocation to offboarding and vendor change: Make revocation a mandatory step in employee exit, role change, and supplier termination workflows, and confirm it with evidence of access removal across cloud, SaaS, and automation platforms.
  • Correlate identity behaviour with business context: Alert on token reuse, unusual publishing, off-hours automation changes, and access from identities that no longer have an active owner. Successful authentication without a current business reason should be treated as suspicious.
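The first and third items above, together with the "good signals" listed under Key questions (fast offboarding, few dormant secrets, an owner for every account), amount to a lifecycle-closure audit over a single cross-platform grant inventory. The script below is an added example of that audit, not tooling from the article, Delinea or NHI Mgmt Group; every record, name and threshold is constructed for the demonstration. It joins grants from cloud, SaaS and CI platforms with joiner-mover-leaver dates and vendor contract ends, then reports dormant secrets, orphaned ownership, grants that survived offboarding, revocation SLA breaches and ownership coverage.

```python
"""Lifecycle-closure audit over a cross-platform grant inventory.

Added example, not the article's or any vendor's tooling; every record and
threshold below is constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DORMANT_AFTER = timedelta(days=60)   # assumed policy: unused this long = dormant
REVOKE_SLA = timedelta(days=1)       # assumed policy: access removed within 1 day of leaving


@dataclass
class Principal:
    name: str
    kind: str                     # "employee" | "vendor" | "automation"
    owner: Optional[str]          # accountable human (employees own themselves); None = nobody
    ended_on: Optional[date]      # leaver date or contract end; None = still active


@dataclass
class Grant:
    grant_id: str
    platform: str                 # "cloud" | "saas" | "ci"
    principal: str                # name of the Principal this grant belongs to
    active: bool
    last_used: Optional[date]     # None = never observed in use
    revoked_on: Optional[date] = None


def is_orphaned(p: Optional[Principal], principals: Dict[str, Principal]) -> bool:
    """No record, no owner, or an owner (other than itself) who has already left."""
    if p is None or p.owner is None:
        return True
    owner = principals.get(p.owner)
    return owner is not None and owner.name != p.name and owner.ended_on is not None


def audit(grants: List[Grant], principals: Dict[str, Principal], today: date) -> dict:
    """Return the governance signals for one inventory snapshot."""
    report: dict = {"dormant": [], "orphaned": [], "survived_offboarding": [], "sla_breached": []}
    owned = 0
    for g in grants:
        p = principals.get(g.principal)
        if is_orphaned(p, principals):
            report["orphaned"].append(g.grant_id)
        else:
            owned += 1
        # Dormant: still usable but not seen in use within the policy window.
        if g.active and (g.last_used is None or today - g.last_used > DORMANT_AFTER):
            report["dormant"].append(g.grant_id)
        # Offboarding closure: the principal has left, so the grant must be gone, and gone quickly.
        if p is not None and p.ended_on is not None:
            if g.active:
                report["survived_offboarding"].append(g.grant_id)
            elif g.revoked_on is not None and g.revoked_on - p.ended_on > REVOKE_SLA:
                report["sla_breached"].append(g.grant_id)
    report["ownership_coverage"] = round(owned / len(grants), 2) if grants else 1.0
    return report


# Constructed sample data (not real identities or dates of any incident).
TODAY = date(2026, 1, 28)
PRINCIPALS = {
    "bob":         Principal("bob", "employee", "bob", date(2025, 11, 30)),     # left the company
    "carol":       Principal("carol", "employee", "carol", None),
    "acme-vendor": Principal("acme-vendor", "vendor", "carol", date(2025, 12, 31)),  # contract ended
    "deploy-bot":  Principal("deploy-bot", "automation", "bob", None),         # owner has left
    "legacy-svc":  Principal("legacy-svc", "automation", None, None),          # nobody owns it
}
GRANTS = [
    Grant("G1", "cloud", "bob", True, date(2025, 11, 20)),                     # never revoked after leaving
    Grant("G2", "saas", "bob", False, date(2025, 11, 28), date(2025, 12, 10)), # revoked, but 10 days late
    Grant("G3", "ci", "carol", True, date(2026, 1, 27)),                       # healthy
    Grant("G4", "saas", "acme-vendor", True, date(2026, 1, 5)),                # vendor access outlived contract
    Grant("G5", "cloud", "deploy-bot", True, date(2026, 1, 20)),               # in use, but its owner is gone
    Grant("G6", "cloud", "legacy-svc", True, None),                            # ownerless and never used
    Grant("G7", "ci", "carol", False, date(2025, 10, 1), date(2025, 10, 2)),   # properly closed role change
]

if __name__ == "__main__":
    for signal, value in audit(GRANTS, PRINCIPALS, TODAY).items():
        print(f"{signal}: {value}")
```

The report is deliberately a handful of named lists plus one ratio so that it can be tracked over time: ownership coverage and dormant count should trend toward 100% and zero, and any entry in survived_offboarding or sla_breached is a revocation step that the exit or supplier-termination workflow skipped.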

Key takeaways

  • Credential theft at scale turns authentication into an attack path when tokens, service accounts, and orphaned accounts remain usable after compromise.
  • The evidence points to long dwell times and delayed monetisation, which means offboarding, rotation, and behavioural monitoring now matter as much as initial authentication.
  • Practitioners should prioritise lifecycle closure and continuous identity telemetry because valid access can be malicious even when every login looks successful.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on stale credentials and weak rotation discipline.
NIST CSF 2.0 | PR.AC-1 | Valid credentials were abused as trusted access, so access control boundaries matter.
NIST Zero Trust (SP 800-207) | | Continuous verification is needed when authentication no longer proves legitimacy.

Audit credential lifetime and rotation for all NHIs, especially tokens and service accounts.


Key terms

  • Non-Human Identity: A non-human identity is any machine- or software-based credentialed actor, including service accounts, API keys, tokens, certificates, workloads, and AI agents. In governance terms, it is an identity that can authenticate and act without a person in the loop, which makes ownership, scope, and lifecycle control essential.
  • Orphaned Access: Orphaned access is entitlement that remains active after the business owner, employee, vendor relationship, or system need has ended. It creates hidden persistence because the identity still works even though accountability has disappeared. For security teams, orphaned access is a lifecycle failure with direct breach potential.
  • Secrets Management: Secrets management is the discipline of storing, distributing, rotating, and revoking credentials such as keys, tokens, and certificates. Its purpose is to keep authentication material short-lived, traceable, and scoped to need. When secrets are unmanaged, they become durable attack infrastructure rather than control points.
  • Identity Telemetry: Identity telemetry is the collection of signals that show how identities are being used, including logins, privilege changes, token reuse, publishing actions, and offboarding status. It helps teams distinguish legitimate access from legitimate-looking abuse and is central to continuous verification across human and machine identities.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: Credential theft at scale: How identities were used maliciously. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org