Data breach statistics show identity controls still fail at scale

At a glance

What this is: This is a vendor roundup of 35+ breach statistics showing that stolen credentials, long detection windows, and third-party exposure remain central to modern breach impact.

Why it matters: It matters because IAM teams have to govern humans, NHIs, and autonomous systems against the same breach mechanics: credential abuse, over-privilege, and delayed detection.

By the numbers:

• In 2025, the mean time to identify (MTTI) was 181 days, and the mean time to contain (MTTC) was 60 days, 241 days end-to-end.
• In 2025, 22% of breaches involved stolen credentials overall; in basic web app attacks, 88% used stolen creds.
• Roughly 30% of all data breaches involve third-party vendors.
• In 2024, organizations issued approximately 1.73 billion victim notices.

👉 Read StrongDM's data breach statistics roundup for 2026

Context

Data breach statistics are not just a security scoreboard. They show where identity programmes still break down: credentials are stolen, access persists too long, and connected vendors widen the blast radius. For IAM and NHI teams, the pattern is consistent across human users and machine identities, even if the control surfaces differ.

The useful question is not whether breaches still happen. It is which identity assumptions they keep exploiting, and whether governance, review, and response processes can still keep up with the pace of compromise. That is why access discipline, rotation, and detection latency remain central to breach reduction.

Key questions

Q: How should security teams reduce breach risk from stolen credentials?

A: Security teams should reduce credential lifetime, remove stale secrets from code and tooling, and make access revocation faster than attacker reuse. The key is to assume credentials will leak and to limit what they can do once exposed. Rotation, least privilege, and detection on abnormal use all matter, but only when they are enforced consistently across human, NHI, and delegated access.

Q: Why do third-party connections increase breach exposure?

A: Third-party connections increase exposure because they extend your trust boundary into another organisation's identity controls. If vendor accounts, OAuth apps, or shared integrations keep standing access, an attacker can pivot through them without breaching the primary environment first. The risk grows when ownership is unclear and offboarding is weak, because access outlives the relationship that justified it.

Q: What breaks when breach detection takes months?

A: When detection takes months, attackers have time to enumerate permissions, exfiltrate data quietly, and build persistence. Long dwell time also reduces the value of logs because evidence disappears or becomes incomplete. For identity teams, slow detection means access governance is reactive instead of protective, and the programme cannot answer whether an identity is acting within its intended scope.

Q: Who is accountable when a breach comes through a vendor identity?

A: Accountability remains with the organisation that granted and retained the access, even if the attacker entered through a supplier. External identities need the same lifecycle ownership as internal ones, including business ownership, review cadence, and offboarding. If no one can prove who approved the access and who would remove it, the governance model is already failing.

Technical breakdown

Why stolen credentials still dominate breach entry

Stolen credentials remain the most reliable entry path because they convert authentication into legitimate-looking access. Once attackers have a valid password, token, or API key, they bypass many perimeter controls and blend into normal traffic. In breach data, this shows up as web app compromise, cloud access abuse, and third-party pivoting. The real problem is not only theft, but the trust granted after theft. Identity systems that assume possession equals legitimacy create an easy path from login to lateral movement.

Practical implication: treat credential reuse, exposure, and weak rotation as identity control failures, not just hygiene issues.

Why long detection windows increase breach damage

A breach is not only an entry event, it is a time-on-system problem. When mean detection and containment stretch into months, attackers can enumerate permissions, exfiltrate data quietly, and establish persistence before defenders react. Long dwell time also makes forensics harder because logs age out, systems change, and ownership shifts. For identity programmes, delayed detection means the control gap is not just access approval, but the absence of a reliable signal that a credential or account is behaving outside its intended boundary.

Practical implication: shorten identity detection loops with alerting on anomalous use, not just on failed authentication.

How third-party access expands the breach surface

Third-party access turns one organisation's identity decisions into another organisation's exposure. OAuth apps, vendor accounts, and delegated integrations often inherit broad permissions, limited visibility, and weak offboarding discipline. That makes the vendor relationship itself part of the attack surface. In practice, attackers do not need to breach the primary target first if they can enter through a connected supplier. Identity governance has to track not just who is inside the boundary, but who still has standing access through the supply chain.

Practical implication: require lifecycle review and entitlement inventory for every external identity relationship.

Threat narrative

Attacker objective: The attacker wants persistent, low-friction access that can be turned into data theft, extortion, or downstream compromise with minimal resistance.

1. Entry commonly begins with stolen credentials, exposed secrets, or a compromised third-party account that gives the attacker valid access.
2. Escalation follows when the attacker uses that access to enumerate permissions, move laterally, or create persistence before detection.
3. Impact arrives as data theft, ransomware, extortion, regulatory exposure, or a long dwell period that inflates remediation cost.

Breaches seen in the wild

• Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
• Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Credential trust debt is the hidden cost behind breach statistics: once an organisation allows credentials to stand in for trust, every exposed password, token, or key becomes a reusable breach primitive. The article's numbers reinforce that stolen credentials remain dominant because identity systems still grant access after a secret has already escaped. The implication is that breach reduction now depends on reducing the lifetime and portability of credentials, not only on protecting the perimeter.

Standing access outlives the business relationship that created it: third-party breach data shows that vendor and OAuth relationships are no longer peripheral. They are durable identity channels that often persist after the operational need has changed. This is a lifecycle failure, not just a monitoring failure, and it exposes a governance assumption that external access will be reviewed before it becomes exploitable. Practitioners need to treat external entitlement sprawl as an accountability problem, not a tooling gap.

Identity blast radius is now the better unit of breach analysis: the headline cost is rarely the initial login event. The real damage comes from how much access a compromised identity can reach before detection and how long that access remains viable. That is why controls around privilege scope, credential age, and third-party visibility matter more than broad policy statements. The practitioner conclusion is simple: reduce the amount of damage any single identity can do.

Multi-domain governance is no longer optional: human authentication, NHI secrets management, and delegated vendor access now fail in structurally similar ways. The same breach pattern reappears across people, service accounts, and integrations because all three depend on trust being correctly bounded over time. That means identity teams should stop treating breach data as a set of isolated incidents and start reading it as evidence of one governance problem expressed through multiple actor types.

Data breach statistics are most useful when they force programme re-scoping: the recurring themes are access persistence, poor observability, and delayed action. Those are not niche control issues. They are the baseline conditions that allow breaches to scale from compromise to organisational loss. The practitioner takeaway is to align review cadence, detection, and lifecycle offboarding around the speed at which identities can now be abused.

From our research:

• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
• From our research: Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, according to The State of Non-Human Identity Security.
• That visibility gap matters because 1 in 4 organisations are already investing in dedicated NHI security capabilities, and another 60% plan to do so within twelve months.

What this signals

Credential trust debt: The same control failure shows up across human logins, NHI secrets, and vendor integrations. When 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, the lesson is that breach resilience starts with shrinking the usable life of any secret that can be replayed. That should push IAM and security leaders to measure credential age, not just policy compliance.

The practical shift is toward identity blast radius management, where the key question is how much damage one compromised principal can do before detection. That makes third-party visibility, entitlement inventory, and offboarding discipline operational priorities rather than audit extras. If those controls are weak, breach response will always be too late to prevent material loss.

For practitioners

• Reduce credential lifetime aggressively Shorten the usable life of passwords, tokens, API keys, and certificates so stolen secrets have less time to be replayed. Pair rotation with removal of stale secrets from code, CI systems, and vendor integrations.
• Map third-party identity paths end to end Inventory every OAuth app, vendor account, service principal, and delegated integration that can reach sensitive systems. Revoke access that has no current business owner or offboarding record.
• Instrument identity-specific detection Alert on unusual token use, impossible travel for human access, abnormal API call patterns, and access from unapproved locations or workloads. Detection must focus on behaviour after authentication, not only on login success.
• Tie breach response to entitlement scope During investigation, identify which identities were over-privileged before containment. Use that scope to prioritize revocation, reset, and customer notification decisions.

Key takeaways

• Breach statistics still point to the same root issue: credentials, delegated access, and slow detection drive most of the damage.
• The scale is material, with months-long dwell times and billions of victim notices showing that identity failures can become enterprise failures.
• The control that changes the outcome is narrower, shorter-lived, better-observed access across humans, NHIs, and third parties.

Key terms

• Credential trust debt: Credential trust debt is the accumulated risk created when passwords, tokens, keys, and certificates live longer or travel farther than the business need that justified them. In practice, it describes how stale secrets keep granting access after ownership, scope, or context has changed.
• Identity blast radius: Identity blast radius is the amount of damage a single compromised identity can cause before it is detected and contained. It depends on privilege scope, lateral reach, third-party connectivity, and the speed of response. Smaller blast radius means less organisational damage when access fails.
• Third-party identity path: A third-party identity path is any external account, OAuth connection, delegated token, or vendor-managed access route that can reach internal systems. These paths matter because they extend the trust boundary beyond direct employee control and often persist longer than the relationship that created them.

Deepen your knowledge

Data breach statistics and identity control failure are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning human, NHI, and delegated access governance to breach realities, it is worth exploring.

This post draws on content published by StrongDM: 35+ alarming data breach statistics for 2026. Read the original.