By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: GlobalSignPublished November 19, 2025

TL;DR: Cyberattacks in Latin America rose 38% last year, and incidents affecting Mercado Libre, Samsung, Nvidia, and PressReader show how account compromise, data extortion, and system takeover can spread quickly across large enterprises, according to GlobalSign. The pattern reinforces that identity controls, not just perimeter security, determine how far attackers can move once access is obtained.


At a glance

What this is: This is a GlobalSign roundup of notable Latin America cyberattacks, highlighting account compromise, data theft, and system takeover across major brands.

Why it matters: It matters because the incidents show how identity exposure, employee credentials, and access control gaps can become the practical entry point for broader enterprise compromise.

By the numbers:

👉 Read GlobalSign's roundup of major cyberattacks in Latin America


Context

Latin America is facing a higher volume of cyberattacks, but the more important signal is the mix of incidents: account compromise, credential exposure, data theft, and full system disruption. For identity and security teams, that mix shows how access paths, not just malware, determine the real blast radius of an incident.

The article is a regional incident roundup rather than a technical postmortem, so the main governance question is how quickly compromised identities can be detected, contained, and revoked. Where employee credentials or user accounts are involved, NHI governance, access review, and offboarding discipline become part of the same control conversation.


Key questions

Q: What breaks when an attacker gets a valid user account instead of malware?

A: A valid account bypasses many perimeter defenses and often looks legitimate in logs, which makes early detection harder. The main failure is not authentication alone, but the amount of access that account can reach before revocation. If session control, privilege limits, and monitoring are weak, a single login can become data theft or internal lateral movement.

Q: Why do compromised identities create such large blast radius in enterprise incidents?

A: Because access is usually broader than organisations expect. When one identity can reach shared systems, admin consoles, or sensitive repositories, the attacker inherits that reach immediately. Blast radius is controlled by entitlement scope, segmentation, and how quickly access can be removed, not by the breach headline itself.

Q: How can security teams know whether identity controls are actually reducing breach impact?

A: Look for evidence that suspicious accounts are contained fast, active sessions are terminated, and privileged access is limited to the smallest possible set of systems. If a compromised account can still reach sensitive resources after detection, the controls are not working well enough to limit impact.

Q: How should organisations respond when an incident starts with stolen credentials?

A: Treat it as a containment race. Disable the account, invalidate sessions and tokens, check for privilege escalation, and verify whether the same identity can reach cloud, email, or administrative systems. Where service accounts exist, review them too, because a human compromise often exposes broader access paths.


Technical breakdown

Account compromise as an access vector

Account compromise is often the simplest route into a larger environment because valid credentials bypass many perimeter controls. Once an attacker can authenticate as a real user or employee, they can blend into normal activity, move between internal systems, and look legitimate in logs unless behavioural detection is strong. In incidents like these, the real weakness is not only authentication failure but the absence of continuous verification, tight session controls, and rapid revocation. For identity teams, the lesson is that compromised accounts must be treated as an access-control event, not only a fraud or helpdesk issue.

Practical implication: build detection and revocation workflows around suspicious logins, not just password resets.

Why credential theft turns into broader data exposure

Credential theft becomes dangerous when the stolen identity has more access than it should, or when lateral movement is possible after the first login. Attackers do not need to break every system if one account grants access to shared repositories, admin consoles, email, or cloud services. That is why excessive privilege and poor segmentation keep showing up in real breaches. The security question is not whether a credential was stolen, but what that credential could reach before the organisation noticed. This is where IAM, PAM, and NHI governance overlap: the same access discipline must cover users, service accounts, and tokens.

Practical implication: reduce reachable systems per identity and review standing access to limit post-compromise movement.

System takeover and extortion after initial access

PressReader’s reported system control and ransom demand illustrate a common escalation pattern: once attackers gain sufficient internal access, they can disrupt services, pressure employees, and force recovery decisions before full containment is complete. In these cases, identity controls matter because privileged access often determines whether an attacker can disable security tooling, alter accounts, or reach critical servers. The operational failure is usually not a single control gap but a chain of weak identity governance, weak segmentation, and insufficient monitoring of high-risk actions. For practitioners, recovery speed depends on how much power compromised identities already held.

Practical implication: restrict privileged paths, monitor administrative actions, and predefine containment steps for account-led intrusions.


Threat narrative

Attacker objective: The attacker objective is to use legitimate access to steal data, disrupt operations, and create leverage for extortion or wider compromise.

  1. Entry occurred through compromised user credentials or account access, allowing attackers to operate with legitimate authentication in the target environment.
  2. Escalation followed when those accounts could reach sensitive systems, employee data, or administrative resources without enough privilege restriction.
  3. Impact appeared as account compromise, data theft, and in some cases system takeover and ransom pressure.

NHI Mgmt Group analysis

Account compromise is now a governance problem, not just a user problem. When a breach begins with stolen or abused credentials, the control failure sits in identity policy, session oversight, and revocation speed. That makes IAM and access governance part of cyber incident response, not a separate administrative function. Practitioners should treat every compromised account as a potential enterprise access event.

Blast radius is defined by reachable privilege, not by the initial phishing or theft vector. The same stolen identity can be low impact in one environment and catastrophic in another depending on entitlement scope. That is why privilege review, segmentation, and access minimisation matter as much as detection. Teams should map which accounts can reach crown-jewel systems and reduce those paths before attackers find them.

Identity governance must extend beyond human accounts to service identities and operational tokens. Even though this article focuses on human compromise, the same failure mode appears when organisations do not know which non-human identities can act, what they can reach, or how quickly they can be revoked. This is where the NHI governance model intersects with breach containment. Practitioners should align user access reviews with service identity controls so revocation is consistent across both.

Regional breach clusters often reveal the same structural weakness: delayed containment. When attackers have time to exploit legitimate access, they can move from one account to data theft or service disruption without triggering fast enough response. That points to a detection and containment gap, not just a malware problem. Teams should build incident playbooks around identity compromise, because the account is frequently the first system the attacker actually controls.

What this signals

Compromised-account response is becoming a board-level resilience issue. When incidents begin with stolen credentials, the decisive metric is not only whether access was detected, but whether it was removed before attackers could turn a user account into a broader compromise. Organisations that still separate IAM operations from incident response will continue to lose time at the exact point where speed matters most.

Credential-led incidents also expose the gap between user identity governance and NHI governance. Human accounts are often reviewed more frequently than service accounts, tokens, and keys, even though attackers can pivot through either. The operational lesson is to connect access review, offboarding, and revocation across the whole identity estate, not just employees.

Account compromise becomes materially harder to exploit when privileged paths are narrow and visible. Mapping who can reach cloud consoles, finance systems, admin portals, and automation controls gives teams a practical containment map before the incident starts. The same logic applies across identity programmes: if access is broad and hidden, the breach will travel farther.


For practitioners

  • Tighten account-level containment workflows Create playbooks that isolate suspicious user accounts immediately, revoke active sessions, and force re-authentication before attackers can pivot to other systems.
  • Map high-risk access paths Identify which employee, admin, and service identities can reach sensitive data stores, financial systems, and cloud consoles, then remove unnecessary standing access.
  • Extend governance to non-human identities Apply the same lifecycle discipline to service accounts, API keys, and tokens so compromised automation does not become a hidden escalation path.
  • Test containment under realistic compromise scenarios Run exercises that start with a stolen account and measure how quickly teams can disable access, preserve evidence, and stop secondary abuse across endpoints and cloud services.

Key takeaways

  • The article shows that account compromise, not just malware, remains a primary route to data exposure and operational disruption.
  • The incidents cited by GlobalSign span user accounts, employee credentials, and system takeover, which makes access scope the critical variable in breach impact.
  • Practitioners should treat identity revocation, privilege reduction, and service-account governance as core incident containment controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access management is central because the incidents begin with compromised accounts.
NIST SP 800-53 Rev 5AC-6Least privilege limits what a stolen account can reach after compromise.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe article’s incident pattern aligns with stolen credentials followed by internal spread.
OWASP Non-Human Identity Top 10NHI-01The post touches service accounts, tokens, and revocation discipline.

Apply NHI governance to service accounts and tokens that can be abused after user compromise.


Key terms

  • Account Compromise: Account compromise occurs when an attacker gains unauthorised access to a legitimate user identity. The danger is that the activity can look normal at first, allowing the attacker to reach internal systems, read data, or trigger privileged actions before the organisation detects the abuse.
  • Blast Radius: Blast radius is the amount of damage an attacker can cause after gaining initial access. In identity-driven incidents, it is determined by how much privilege the compromised account has, which systems it can reach, and how quickly access can be revoked or segmented.
  • Credential Revocation: Credential revocation is the process of disabling a secret, token, or key so it can no longer authenticate or authorize action. It is the operational half of detection, because exposed credentials remain dangerous until they are invalidated and replaced across every dependent system.

What's in the full article

GlobalSign's full blog covers the incident-by-incident detail this post intentionally leaves for the source:

  • The original Spanish-language incident summaries for Mercado Libre, Samsung, Nvidia, and PressReader.
  • The specific chronology of the reported attacks and the public statements made after each incident.
  • The regional context GlobalSign uses to frame why Latin America remains a target for cybercriminal groups.
  • The source article's exact wording on the security implications and response steps.

👉 The full GlobalSign post covers the incident summaries and regional context in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management for practitioners who need to connect access control to operational risk. It is designed for security and identity teams that need practical governance skills across human and non-human identity programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org