TL;DR: Verizon’s 2023 DBIR analysis of 953,894 incidents found that stolen credentials remain the top breach entry method, accounting for 44.7% of breaches, while the human element appears in 74% of incidents. The real lesson is that identity programmes still over-rely on credential possession instead of stronger verification and access assurance.
At a glance
What this is: This is an analysis of Verizon DBIR findings showing that stolen credentials and human-driven access failures remain the dominant breach entry paths.
Why it matters: It matters because IAM, PAM, and identity lifecycle teams still have to reduce credential dependence, strengthen verification, and treat human misuse as a control design problem across human and non-human access.
By the numbers:
- 74% of all breaches include the human element, with people involved via error, privilege misuse, stolen credentials, or social engineering.
- Stolen credentials account for 44.7% of breaches.
- Stolen credentials play a role in 86% of web application breaches.
Context
Credential theft is still one of the cleanest ways into an enterprise because possession often substitutes for proof. When the control model treats a valid login as sufficient evidence of legitimacy, attackers need only obtain or reuse access rather than break the environment itself. That is why credential-centric breaches remain a core identity governance problem, not just an authentication problem.
The article’s central point is that passwords, shared secrets, and weak identity proofing continue to create avoidable exposure across human IAM and adjacent access programmes. The issue is not limited to login friction. It reaches into access reviews, privileged access, and the broader assumption that a credential alone can carry trust.
That starting position is unfortunately typical. Many organisations have improved MFA coverage without fully removing the trust burden from credential possession, which leaves the underlying breach pattern intact.
Key questions
Q: How should security teams reduce breaches caused by stolen credentials?
A: They should make credential possession less decisive by adding stronger identity proofing, phishing-resistant authentication, tighter recovery controls, and narrower privilege scope. The goal is not just to stop bad logins, but to stop a valid login from automatically becoming trusted access across sensitive systems.
Q: Why do stolen credentials remain such an effective attack path?
A: Stolen credentials work because many systems still treat a successful login as enough evidence of legitimacy. Once an attacker has valid access, they inherit the subject’s trust context and can often blend in with normal activity. That makes credential theft far more efficient than direct exploitation in many environments.
Q: What do organisations get wrong about passwordless authentication?
A: They often assume removing passwords removes the identity problem. In reality, passwordless can still rely on device possession rather than strong identity assurance, so the organisation may know what was presented but not who is actually acting. Assurance still has to be designed into the flow.
Q: Who is accountable when social engineering leads to credential compromise?
A: Accountability sits with the identity programme, the help desk, and the business process owners who define recovery and approval paths. Social engineering succeeds when identity controls are too easy to override, so governance has to cover the workflow, not just the authentication toolset.
Technical breakdown
Why stolen credentials remain the most direct entry path
Stolen credentials work because most enterprise systems still treat successful authentication as a sufficient signal for access. In practice, that means the attacker inherits the subject’s trust context, session path, and often their entitlement scope. This is especially dangerous where shared passwords, password reuse, or weak recovery flows let an attacker move from one account to another without triggering a new proofing event. The problem is not that authentication exists. The problem is that authentication evidence is too often treated as identity certainty.
Practical implication: separate proof of identity from mere credential possession and tighten recovery, reset, and step-up controls.
How the human element turns access into breach surface
The human element covers errors, privilege misuse, social engineering, and credential handling mistakes. Those behaviours matter because identity systems frequently rely on users to choose, protect, and present credentials correctly under pressure. Social engineering succeeds when the workflow allows people to override caution without an equally strong second signal. From an IAM perspective, this means the breach surface is not just the login screen. It is the full interaction chain around enrolment, recovery, approval, and privileged action.
Practical implication: harden the full identity journey, especially enrolment, reset, and approval steps that attackers can manipulate.
Why passwordless helps, but does not end identity risk
Passwordless methods reduce exposure to shared secrets, but they do not automatically solve identity assurance. If a device-held authenticator only proves possession, the organisation may still not know whether the right person is behind the request. That is why stronger identity verification, binding the authenticator to a verified subject, changes the trust model more than password removal alone. The distinction matters for human IAM, privileged workflows, and any process where access decisions should depend on who is acting, not just what they can present.
Practical implication: evaluate passwordless as one control in a broader assurance model, not as a standalone fix.
Threat narrative
Attacker objective: The attacker’s objective is to use legitimate-looking access to bypass perimeter controls and reach business data, systems, or privileged workflows.
- Entry occurs when attackers obtain stolen credentials through phishing, reuse, or other human-driven compromise paths and then log in as a legitimate user.
- Escalation follows when the attacker leverages the trust attached to that identity, including privilege misuse, poor recovery controls, or weak segmentation between ordinary and sensitive access.
- Impact occurs when the attacker uses valid access to reach applications, systems, or data without triggering the same alarms expected from malware or direct exploitation.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential possession is not identity assurance: The article reinforces a basic governance failure in many IAM programmes, which is that a successful login is still treated as proof of the right actor. That assumption was designed for a world where credentials were hard to copy and easier to contain. It fails when attackers can steal, reuse, or socially engineer those credentials at scale. The implication is that access governance must treat possession and assurance as separate problems.
Human credential misuse is a lifecycle issue, not just an authentication issue: The breach pattern described here starts long before the login event, in enrolment, recovery, password handling, and privileged approval flows. Those stages determine whether an attacker can turn a user mistake into durable access. IAM teams therefore need to see credential compromise as a lifecycle control failure, not a one-time authentication miss. Practitioners should measure the whole identity journey, not just MFA deployment.
Verified identity changes the security model more than password removal does: Passwordless reduces one class of risk, but the deeper shift is binding access to verified identity rather than to a reusable secret. That matters because the real weakness is often the gap between proving possession and proving the claimant. Organisations that stop at password removal may reduce friction without materially changing trust. Practitioners should focus on assurance, not only on authentication method.
Identity programmes still underweight the human element in breach prevention: The fact that 74% of breaches involve the human element shows that identity governance cannot be siloed away from broader security design. Human error, misuse, and social engineering are not edge cases. They are persistent conditions that shape breach probability. The lesson for the field is to treat human identity controls as operational risk controls, not just user experience decisions.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- If you are rethinking credential trust, the next step is to compare human login assumptions with machine identity exposure in 52 NHI Breaches Analysis.
What this signals
Credential trust debt: When organisations keep treating possession as proof, they accumulate a hidden governance liability that shows up only when attackers start logging in rather than breaking in. That debt spans human IAM, privileged workflows, and any place where recovery can outrun assurance. Teams should expect more scrutiny on identity proofing, not just authentication coverage.
With 72% of organisations reporting or suspecting NHI breaches in our 2024 ESG Report: Managing Non-Human Identities, the broader lesson is that identity systems now fail in both human and machine directions. The practical response is to align human access assurance with machine credential governance instead of treating them as separate programmes.
The market signal is clear: passwordless alone will not close the breach pattern if recovery, privilege, and verification remain weak. Identity teams should prepare for a shift toward stronger proofing, tighter lifecycle controls, and more explicit accountability for who can recover, approve, and exercise access.
For practitioners
- Separate assurance from possession in login design: Require higher proofing for sensitive access paths, especially where a credential alone can unlock high-value systems. Treat successful password entry or device possession as an input, not the final trust decision.
- Harden recovery and reset workflows: Review password reset, account recovery, and help desk override processes for social engineering exposure. These are common entry points when attackers cannot break the primary login path directly.
- Map the full human identity journey: Assess enrolment, authentication, step-up checks, privilege approval, and offboarding as one continuous control chain. Weakness in any one stage can turn routine identity activity into breach access.
- Reduce the value of stolen credentials: Use phishing-resistant methods, stricter session controls, and narrower privilege boundaries so that stolen access has less utility after compromise. The aim is to make login success insufficient on its own.
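The policy below is an added illustration of these four controls working together, not code from the page, Verizon, NIST or 1Kosmos: a successful login is only one input, and the decision also weighs enrolment proofing, authenticator strength, a recent unproofed reset, and session age. The assurance levels, thresholds and field names are assumptions chosen for the example.

```python
"""Access decision that treats credential possession as an input, not as proof.
Assumed model: IAL/AAL-style levels (1-3), a 24h window after an unproofed
reset, and a 15-minute window for privileged sessions. All thresholds are
illustrative assumptions, not values from the page or from NIST."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require phishing-resistant re-authentication or fresh proofing
    DENY = "deny"


@dataclass
class Session:
    authenticated: bool       # possession: a credential was accepted at login
    aal: int                  # assumed authenticator assurance level of this login (1-3)
    ial: int                  # assumed identity assurance level from enrolment (1-3)
    phishing_resistant: bool  # e.g. FIDO2/WebAuthn rather than OTP or password
    hours_since_reset: float  # recovery can outrun assurance: time since last reset
    reset_was_proofed: bool   # was that reset backed by a proofing event?
    session_age_min: float    # minutes since authentication


@dataclass
class Resource:
    name: str
    sensitivity: str          # "routine" | "sensitive" | "privileged"


def decide(session: Session, resource: Resource) -> Decision:
    if not session.authenticated:
        return Decision.DENY
    if resource.sensitivity == "routine":
        return Decision.ALLOW           # possession is enough for low-value access
    # A recent reset without proofing is a classic help-desk social-engineering
    # path, so a valid login alone must not carry trust into sensitive systems.
    if session.hours_since_reset < 24 and not session.reset_was_proofed:
        return Decision.STEP_UP
    required_aal = {"sensitive": 2, "privileged": 3}[resource.sensitivity]
    if session.ial < 2:
        return Decision.DENY            # never proofed well enough; re-auth cannot fix that
    if session.aal < required_aal:
        return Decision.STEP_UP
    if resource.sensitivity == "privileged" and (
        not session.phishing_resistant or session.session_age_min > 15
    ):
        return Decision.STEP_UP         # narrow session window limits stolen-session utility
    return Decision.ALLOW
```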
Key takeaways
- Stolen credentials remain the dominant breach entry path because too many programmes still equate possession with trust.
- The scale is persistent and broad, with the human element appearing in most breaches and credential theft driving a large share of initial access.
- Teams that want to reduce this risk must strengthen assurance, recovery, and privilege controls together, not treat password removal as the finish line.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | 800-63A (identity proofing), 800-63B (authenticators) | Identity proofing and authenticators are central to the credential-risk argument. |
| NIST CSF 2.0 | PR.AC-1 | Access control depends on trustworthy identity verification and least-privilege enforcement. |
| NIST Zero Trust (SP 800-207) | IA-5 | Zero trust depends on continuous verification, not a one-time credential check. |
Map sensitive access to stronger assurance and review where credentials still confer broad trust.
Key terms
- Credential possession: Credential possession is the ability to present a password, token, or other secret that a system accepts. It proves control of the factor, but not necessarily the true identity of the person or system using it. In mature programmes, possession is only one input to a broader assurance decision.
- Identity assurance: Identity assurance is the confidence an organisation has that an access request comes from the right subject. It combines proofing, authentication, recovery controls, and policy context. For IAM teams, assurance matters more than login success because it determines whether access should be trusted.
- Passwordless authentication: Passwordless authentication replaces reusable passwords with other authenticators such as device-bound credentials or biometrics. It can reduce phishing and password reuse risk, but it does not automatically prove who is acting unless the method is tied to verified identity and strong lifecycle controls.
- Human element: The human element is the part of a breach that depends on human error, misuse, or social engineering rather than purely technical exploitation. It includes actions such as approving a malicious request, reusing credentials, or being tricked into disclosing access. It remains central to breach prevention because control design must account for normal human behaviour under pressure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos: analysis of Verizon DBIR breach patterns and credential risk. Read the original.
Published by the NHIMG editorial team on 2023-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org