TL;DR: Identity-based attacks exploit phishing, credential stuffing, password spraying, pass-the-hash, and man-in-the-middle techniques to steal or misuse digital identities, according to Keeper Security. The deeper issue is that identity controls built for static users and reusable credentials still leave lateral movement and privileged misuse open.
At a glance
What this is: This is an overview of identity-based attacks and the ways attackers compromise credentials, sessions, and privileged access to reach sensitive systems.
Why it matters: It matters because IAM, PAM, and lifecycle controls only reduce exposure if they address reuse, phishing resistance, privilege scope, and recovery after compromise across human and non-human identities.
By the numbers:
- According to Keeper’s 2022 Password Practice Report, 56% of users reuse their passwords.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read Keeper Security’s blog on identity-based attacks and prevention
Context
Identity-based attacks succeed because authentication and privilege decisions are still too often anchored to credentials that can be stolen, replayed, or guessed. In practice, that means a compromised password, token, or certificate can become the first step in broader account takeover and lateral movement across the enterprise.
For IAM and PAM teams, the key problem is not just preventing one login from being abused. It is breaking the attacker’s path from initial identity compromise to higher privilege, broader access, and data exposure across both human and non-human identity programmes.
Key questions
Q: How should security teams reduce the damage from identity-based attacks?
A: Security teams should assume the first credential compromise is only the beginning. The right response is to reduce reuse, harden authentication, narrow privileged access, and make it difficult for one stolen identity to reach many systems. That means pairing phishing-resistant login controls with PAM, secrets governance, and continuous review of lateral movement paths.
Q: Why do password reuse and credential stuffing remain so effective?
A: They remain effective because many users still reuse passwords and many environments still accept credentials without enough contextual risk checks. Attackers can test stolen credentials at scale, often quietly enough to avoid detection. The more identities that share a secret pattern, the more one breach can become many account takeovers.
Q: What breaks when least privilege is not enforced after initial compromise?
A: When least privilege is weak, one compromised account can reach additional applications, admin tools, or data stores that were never necessary for the original user. That is when identity compromise turns into lateral movement and broader impact. Without tight privilege boundaries, a single login can become an enterprise-wide incident.
Q: How should organisations govern secrets and privileged identities together?
A: Organisations should manage secrets, service accounts, and privileged human access as one control problem. If tokens, API keys, and admin accounts are reviewed in separate processes, attackers can exploit the gaps between them. Unified ownership, revocation, and access review reduce the chance that a stolen identity persists unnoticed.
Technical breakdown
Phishing and credential theft as identity entry points
Phishing remains the most common identity entry path because it turns trust in a familiar sender into credential capture or session theft. Once a user enters credentials into a spoofed site or opens a malicious link, the attacker often has enough material to authenticate as the victim, especially where MFA is weak, absent, or bypassable through token theft. These attacks are effective because they exploit the human side of identity assurance, not just password strength.
Practical implication: strengthen phishing-resistant authentication and monitor for login patterns that indicate stolen credentials rather than normal user behaviour.
Credential stuffing, password spraying, and reused secrets
Credential stuffing and password spraying work because many organisations still rely on password reuse and predictable passwords. Attackers use lists of known credentials or common passwords to test accounts at scale, often avoiding lockouts by spreading attempts across many usernames or using slow rates. This is an identity governance failure as much as an authentication problem, because the same credential can be reused across multiple systems and identities.
Practical implication: remove password reuse where possible, enforce strong authentication controls, and detect repeated low-and-slow authentication attempts across accounts.
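As an added example (not code from Keeper Security's post or from this page), the low-and-slow pattern described above can be surfaced from authentication logs by grouping failures per source and counting distinct accounts rather than attempts per account, which is exactly what per-account lockout counters miss. The log lines, the lockout threshold, the detection window and the account threshold are all constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (not from the article): the per-account lockout threshold an
# attacker stays under, the number of distinct accounts that marks a spray, and a wide
# window because low-and-slow attempts are deliberately spread out in time.
LOCKOUT_THRESHOLD = 3
SPRAY_MIN_ACCOUNTS = 5
WINDOW = timedelta(hours=1)

# Constructed sample log: "<ISO timestamp> <username> <source IP> <FAIL|SUCCESS>".
# 203.0.113.7 tries one guess per account, never trips lockout, then lands on "frank".
# 198.51.100.4 is a user mistyping twice before succeeding, which should not alert.
SAMPLE_LOG = """\
2024-01-10T08:00:01 alice 203.0.113.7 FAIL
2024-01-10T08:04:12 bob 203.0.113.7 FAIL
2024-01-10T08:09:45 carol 203.0.113.7 FAIL
2024-01-10T08:15:30 dave 203.0.113.7 FAIL
2024-01-10T08:21:02 erin 203.0.113.7 FAIL
2024-01-10T08:27:19 frank 203.0.113.7 SUCCESS
2024-01-10T08:02:00 alice 198.51.100.4 FAIL
2024-01-10T08:02:05 alice 198.51.100.4 FAIL
2024-01-10T08:02:11 alice 198.51.100.4 SUCCESS
2024-01-10T09:00:00 bob 192.0.2.9 SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, source, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, src, outcome))
    return sorted(events)


def detect_spraying(events):
    """Return {source: finding} for sources whose failures touch many distinct accounts
    within WINDOW while every account stays under the lockout threshold, and list any
    accounts that source then logged into successfully (likely takeovers)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [ev for ev in evs if ev[3] == "FAIL"]
        for i, (ts, _, _, _) in enumerate(fails):
            window = [ev for ev in fails[: i + 1] if ts - ev[0] <= WINDOW]
            per_account = defaultdict(int)
            for ev in window:
                per_account[ev[1]] += 1
            if (len(per_account) >= SPRAY_MIN_ACCOUNTS
                    and max(per_account.values()) < LOCKOUT_THRESHOLD):
                first = window[0][0]
                successes = sorted({ev[1] for ev in evs
                                    if ev[3] == "SUCCESS" and ev[0] >= first})
                findings[src] = {
                    "distinct_accounts": len(per_account),
                    "max_failures_per_account": max(per_account.values()),
                    "later_successes": successes,
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, finding in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The success that follows the spray is the part worth alerting on first: it is the account that has most likely just been taken over, and it would look like an ordinary login if the preceding failures were only ever counted per account.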
Pass-the-hash and lateral movement through privileged access
Pass-the-hash attacks show how compromised identity material can be used without ever recovering the original password. By reusing a captured hash or similar authentication artefact, attackers can move laterally into additional systems and escalate access where privilege boundaries are too loose. This is why PAM, least privilege, and segmentation matter: they reduce how far a single identity compromise can travel once an attacker is inside.
Practical implication: limit standing privilege, isolate high-risk accounts, and assume one compromised identity can become a pathway to multiple systems.
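As an added illustration (not from Keeper Security's post or from this page), how far one compromise travels can be measured on an access model before and after standing privilege is removed. The identities, systems and edges below are constructed assumptions; `PRESENT` models systems on which an identity has left a reusable authentication artefact of the kind the text describes:

```python
from collections import deque

# Constructed access model (an assumption for this example, not from the article).
# ACCESS[identity] = systems that identity can authenticate to.
# PRESENT[system]  = identities whose reusable authentication artefact (a standing
#                    session, cached hash or similar) sits on that system, so that
#                    compromising the system yields that identity as well.
ACCESS = {
    "alice": {"ws-01"},
    "helpdesk-admin": {"ws-01", "ws-02", "ws-03", "file-01"},
    "domain-admin": {"ws-01", "ws-02", "ws-03", "file-01", "db-01", "dc-01"},
    "svc-backup": {"file-01", "db-01"},
}
PRESENT = {
    "ws-01": {"helpdesk-admin"},   # helpdesk admin stays logged in on alice's workstation
    "ws-03": {"domain-admin"},     # domain admin used an everyday workstation
    "file-01": {"svc-backup"},     # service account runs with a standing credential
}


def blast_radius(start, access, present):
    """Breadth-first walk from one compromised identity: every reachable system yields the
    identities present on it, and every such identity yields the systems it can reach.
    Returns (identities, systems) the attacker could hold after the first compromise."""
    identities, systems = {start}, set()
    queue = deque([start])
    while queue:
        ident = queue.popleft()
        for system in access.get(ident, ()):
            if system in systems:
                continue
            systems.add(system)
            for other in present.get(system, ()):
                if other not in identities:
                    identities.add(other)
                    queue.append(other)
    return identities, systems


def with_least_privilege():
    """Same estate after two PAM changes: the domain admin no longer leaves a standing
    artefact on a workstation (just-in-time, tiered access instead), and the helpdesk
    role is scoped to workstations only, so it can no longer reach the file server."""
    access = {ident: set(systems) for ident, systems in ACCESS.items()}
    access["helpdesk-admin"] = {"ws-01", "ws-02", "ws-03"}
    present = {system: set(ids) for system, ids in PRESENT.items()}
    present["ws-03"].discard("domain-admin")
    return access, present


if __name__ == "__main__":
    print("standing privilege:", blast_radius("alice", ACCESS, PRESENT))
    print("least privilege:   ", blast_radius("alice", *with_least_privilege()))
```

With standing privilege, one workstation user's compromise reaches every system in the model and the domain admin account; with the two changes applied the same compromise is contained to the helpdesk role and three workstations. The measurement, not the policy text, is what tells a PAM team which standing artefact to remove first.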
Threat narrative
Attacker objective: The attacker wants to turn one compromised identity into broader unauthorized access, data theft, and account or privilege misuse across the environment.
- Entry occurs when the attacker uses phishing, credential stuffing, password spraying, or a stolen hash to obtain an initial authenticated identity.
- Escalation follows when that identity is reused to access additional accounts, systems, or privileged resources that were not meant to be reachable from the first compromise.
- Impact occurs when the attacker steals sensitive data, impersonates the user, or extends access far enough to affect multiple systems and business operations.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-based attacks are really governance failures, not just authentication failures. The article correctly frames phishing, password reuse, and pass-the-hash as different techniques, but the underlying issue is that organisations still treat identity as a login event instead of a lifecycle problem. When credentials can be reused, replayed, or escalated, the control plane has already failed before the attacker touches data. Practitioners should treat identity compromise as a programme-level exposure, not a single user mistake.
Least privilege only works when it limits lateral movement after the first compromise. The article’s own advice points toward PAM and reduced access scope because identity-based attacks become dangerous once one account can reach many systems. In modern environments, over-entitled service accounts and privileged users create the conditions for broad blast radius. The implication is that access design, not just password policy, determines how far an identity attack can spread.
Assurance controls built for human logins do not fully cover identity reuse across systems. Phishing-resistant MFA, strong password policy, and user training all help, but they do not by themselves solve reused secrets, exposed API keys, or privileged account sprawl. That is why identity governance must extend beyond the workforce into non-human credentials and session-level access paths. Practitioners should align human IAM, PAM, and NHI controls as one identity security programme.
Standing privilege is the named concept that identity-based attacks exploit most reliably. When access persists by default, attackers need only one foothold to turn a stolen credential into lasting reach. The article’s focus on least privilege is directionally correct, but the field should be clearer that persistent access is the real multiplier. Practitioners should redesign for shorter-lived, more constrained access across both humans and NHIs.
Attackers do not care which identity type opens the door. The same compromise logic applies whether the entry point is a user password, a service account secret, or a privileged session token. That is why the discipline must span human IAM, NHI governance, and PAM together. Practitioners should stop separating identity risk into silos that attackers can move between freely.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity exposure persists below the threshold of normal monitoring.
- That visibility gap makes the case for the 52 NHI Breaches Analysis report more compelling, because the most useful lessons now sit in the overlap between account compromise and lifecycle failure.
What this signals
Standing privilege remains the core organisational weakness behind identity-based attacks. When credentials can be reused or replayed, the attacker’s cost to move from entry to impact falls sharply. Teams should treat every identity path as a potential blast-radius problem, not just an authentication problem, and map where privilege persists longer than business necessity.
The governance signal is clear: identity controls have to be designed for both human compromise and non-human persistence. As more workload and service identities accumulate, the operational question becomes whether owners can see, revoke, and rotate them quickly enough to cut off attacker reuse before the next system is reached.
Credential reuse is the bridge concept that ties user phishing to machine identity abuse. The same governance weakness appears when passwords, tokens, or API keys are allowed to persist across multiple systems. Practitioners should align phishing-resistant authentication, secrets management, and PAM under one review cycle so attackers cannot move from a stolen login to a durable foothold.
For practitioners
- Reduce credential reuse across the estate: Enforce unique credentials, eliminate shared passwords where possible, and monitor for repeated use of the same secret across multiple accounts and services.
- Prioritise phishing-resistant authentication: Adopt stronger authentication methods for workforce access, especially where email compromise or token theft could lead directly to account takeover.
- Tighten privileged access boundaries: Review which accounts can move laterally after first access, then remove standing privilege and isolate high-value systems from broad identity reach.
- Extend identity controls to NHIs and secrets: Treat API keys, tokens, and certificates as governance items with owners, rotation, and revocation paths so non-human identity compromise does not become silent persistence.
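To make the first and last items above concrete, here is an added example (not the article's or Keeper Security's code) of an inventory check that treats API keys, tokens and certificates as governance items with owners and rotation ages, and that detects the same secret being used by more than one identity without the inventory ever holding the secret value. The records, rotation limits, pepper and report date are constructed assumptions:

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta

# Assumed rotation policy per credential type (policy values, not from the article).
MAX_AGE = {
    "api_key": timedelta(days=90),
    "token": timedelta(days=30),
    "certificate": timedelta(days=365),
}
REPORT_DATE = date(2024, 1, 10)  # fixed so the example is deterministic
# Assumption: a key held outside the inventory (e.g. in a vault). Keyed hashing lets the
# inventory compare secrets for reuse without storing the secret values themselves.
PEPPER = b"example-only-pepper-replace-me"


def fingerprint(secret: str) -> str:
    """Keyed fingerprint of a secret, computed at provisioning and stored instead of it."""
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed inventory records (no real credentials). "fp" would normally be recorded
# when the credential is issued; it is computed inline here only to build the sample.
INVENTORY = [
    {"id": "svc-billing", "type": "api_key", "owner": "payments-team",
     "rotated": date(2023, 12, 1), "fp": fingerprint("sample-key-A")},
    {"id": "svc-reporting", "type": "api_key", "owner": "data-team",
     "rotated": date(2023, 11, 20), "fp": fingerprint("sample-key-A")},  # same key reused
    {"id": "svc-legacy-etl", "type": "api_key", "owner": None,
     "rotated": date(2023, 6, 15), "fp": fingerprint("sample-key-B")},
    {"id": "ci-deploy", "type": "token", "owner": "platform-team",
     "rotated": date(2023, 12, 20), "fp": fingerprint("sample-token-C")},
    {"id": "ingress-tls", "type": "certificate", "owner": "platform-team",
     "rotated": date(2023, 1, 1), "fp": fingerprint("sample-cert-D")},
]


def audit(inventory, today=REPORT_DATE):
    """Return sorted (credential id, finding) pairs: missing owner, rotation overdue for
    the credential type, and the same secret shared by more than one identity."""
    findings = []
    by_fp = defaultdict(list)
    for rec in inventory:
        if not rec["owner"]:
            findings.append((rec["id"], "no-owner"))
        if today - rec["rotated"] > MAX_AGE[rec["type"]]:
            findings.append((rec["id"], "rotation-overdue"))
        by_fp[rec["fp"]].append(rec["id"])
    for ids in by_fp.values():
        if len(ids) > 1:
            for cred in ids:
                others = ",".join(sorted(set(ids) - {cred}))
                findings.append((cred, "secret-shared-with:" + others))
    return sorted(findings)


if __name__ == "__main__":
    for cred, finding in audit(INVENTORY):
        print(f"{cred}: {finding}")
```

An unowned, stale credential has no one to approve its revocation when it turns up in a breach, which is how a leaked secret becomes the silent persistence the item above warns about; the shared-secret finding is the one that turns a single revocation into two.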
Key takeaways
- Identity-based attacks exploit weak credential hygiene, permissive access, and identity reuse rather than only software vulnerabilities.
- The scale of the problem is measurable, with password reuse and secrets exposure turning a single compromise into broader access risk.
- Teams should treat human IAM, PAM, and NHI governance as one defence model if they want to shrink attacker reach.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity-based attacks often begin with exposed or reused non-human credentials. |
| NIST CSF 2.0 | PR.AC-1 | Access control and authentication are central to limiting identity compromise. |
| NIST Zero Trust (SP 800-207) | PL.1 | Zero trust assumes every identity path can be compromised and must be verified. |
Inventory and rotate non-human credentials so stolen secrets do not become persistent access.
Key terms
- Identity-based attack: An identity-based attack is an intrusion method that targets credentials, sessions, certificates, or other identity material instead of exploiting software alone. The goal is to impersonate a trusted identity and move through systems using legitimate-looking access, which makes governance, detection, and revocation as important as prevention.
- Credential stuffing: Credential stuffing is the automated use of stolen username and password pairs against multiple services. It succeeds when people reuse passwords and when systems do not detect reused credentials, repeated login attempts, or suspicious authentication patterns across accounts and channels.
- Pass-the-hash attack: A pass-the-hash attack uses a captured password hash or similar authentication artefact to gain access without recovering the original password. It is dangerous because the attacker can reuse the artefact for lateral movement, turning one compromised identity into access across multiple systems.
- Least privilege: Least privilege means giving each identity only the access needed to perform its current task and nothing more. In practice, it reduces blast radius by limiting where a stolen or misused identity can move, which matters for human users, service accounts, and privileged accounts alike.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Keeper Security: Identity-based attacks, their risks, and how to prevent them. Read the original.
Published by the NHIMG editorial team on 2023-12-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org