Modern IGA would have reduced the damage in recent breaches

At a glance

What this is: This is Opal Security's review of ten major breaches and the identity governance failures that enabled them.

Why it matters: It matters because the same gaps show up across NHI, human IAM, and third-party access programmes, so practitioners need governance controls that match how access is actually used.

By the numbers:

• The following ten breaches from 2023 to 2025 represent some of the most consequential cybersecurity incidents in recent history.
• Collectively, these incidents affected over 700 million individuals.
• Seven of 10 breaches involved credentials that were stolen, unrotated, or stored insecurely.
• Six of 10 breaches exploited accounts or systems where MFA was not enforced.

👉 Read Opal Security's review of 10 breaches preventable with modern IGA

Context

Modern identity governance fails when credentials outlive the systems and relationships they were meant to protect. In this review, Opal Security argues that the decisive breach factor across recent incidents was not exploit novelty, but weak control over access lifecycle, MFA enforcement, and third-party privilege.

That pattern cuts across human users, service accounts, and vendor connections. When standing access is left in place, attackers do not need sophisticated tradecraft to create outsized impact; they need only find the oldest, broadest, or least-reviewed path in.

The result is a governance problem that looks different in each environment but behaves the same operationally. Whether the subject is a legacy portal, a SaaS tenant, a help desk workflow, or a support account, the control failure is usually traceable back to identity oversight.

Key questions

Q: What breaks when access reviews are only treated as an audit exercise?

A: Access reviews fail when they do not lead to revocation, scope reduction, or ownership correction. In that case, they document risk without changing it. Effective reviews must identify orphaned accounts, stale privileges, and excessive third-party access, then trigger removal before attackers can reuse those paths.

Q: Why do third-party accounts create disproportionate breach risk?

A: Third-party accounts often connect external operators directly to production systems, support tools, or sensitive data with wider scope than internal users need. If those accounts are not segmented, time-bounded, and reviewed, a single supplier compromise can create a large identity blast radius across multiple environments.

Q: How do organisations know whether credential governance is actually working?

A: Credential governance is working when exposed, stale, or unused secrets are discovered quickly and removed before they become active risk. Useful signals include rotation coverage, dormant account counts, MFA enforcement rates, and how fast revocation happens after a role, vendor relationship, or system changes.

Q: Who is accountable when a legacy system or vendor path is left with standing access?

A: Accountability sits with the identity, platform, and application owners who allowed the access to persist, not just the team that noticed the breach first. Governance must define ownership for review, removal, and exception handling so legacy systems and vendor paths do not remain permanently outside control.

Technical breakdown

Stale credentials and why credential lifecycle breaks down

Stale credentials become breach fuel when passwords, keys, or tokens persist long after the original context has changed. In these incidents, the common technical pattern is not just exposure, but duration: credentials dating back years, accounts never rotated, and secrets retained in places attackers could later discover or reuse. That turns one compromise into a durable access path. Identity governance fails when it cannot answer who still owns the credential, whether it is still needed, and whether the access scope matches the current workload or relationship.

Practical implication: inventory all high-risk credentials and enforce lifecycle controls that remove or rotate access before attackers can reuse it.

Missing MFA and the collapse of remote access trust

When MFA is absent on remote access portals, SaaS logins, or support systems, stolen credentials become immediately useful. The technical issue is not authentication alone, but the absence of a second binding factor that interrupts simple credential replay. In several of these breaches, attackers moved from password possession to authenticated access with no further challenge. That makes legacy portals and outsourced support flows especially dangerous because they often survive outside modern enforcement standards even after acquisitions or platform changes.

Practical implication: enforce MFA everywhere that grants production access, including legacy portals, support tooling, and acquired environments.

Third-party access and over-privileged accounts

Third-party and over-privileged accounts expand breach impact because they connect external operators to sensitive systems with more privilege than the job requires. Once those accounts are compromised, socially engineered, or abused internally, lateral movement becomes much easier. The technical failure is usually poor segmentation plus weak review discipline: service accounts bypass MFA, vendor access is too broad, and dormant or orphaned accounts remain active. That creates a standing bridge between the attacker and the data or systems they want.

Practical implication: segment third-party access by task and client, then review it continuously for privilege creep and dormant entitlements.

Threat narrative

Attacker objective: The attacker’s objective is to turn ordinary access paths into broad, durable reach across high-value systems and data.

1. Entry occurred through stolen credentials, social engineering, exposed secrets, or unprotected remote access portals.
2. Escalation followed when attackers used those valid identities to reach sensitive applications, vendor tools, or support systems with too much privilege.
3. Impact came from lateral movement, data theft, ransomware deployment, or prolonged unauthorized access across critical business systems.

Breaches seen in the wild

• Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
• Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Standing access is the breach condition, not the exception. These incidents show that attackers still succeed by finding identity paths that were never fully expired, reviewed, or constrained. That is a governance failure, not a tooling glitch. When credentials, vendor access, and legacy accounts remain usable after their original purpose has ended, the organisation has already lost control of the access lifecycle.

Modern IGA is now a breach prevention layer, not just an audit layer. The article makes the case that access reviews, lifecycle enforcement, and privilege scoping are no longer administrative clean-up tasks. They are operational controls that would have interrupted the attack chain before compromise became exfiltration, ransomware, or business disruption. Practitioners should treat review cadence, entitlement scope, and revocation speed as security metrics.

Third-party access creates identity blast radius when it is not segmented tightly. Caesars, Treasury, and Conduent all illustrate how external operators can become high-impact pathways when access is broad and poorly governed. The named concept here is identity blast radius: the amount of damage a single credential, account, or vendor relationship can create once it is abused. Practitioners should reduce that blast radius before the next supplier or support path is targeted.

Help desk workflows remain an under-governed identity control plane. Social engineering succeeds when identity proofing is weak, reset rights are broad, and secondary verification is absent. The breach pattern here is not merely human error; it is an identity process that can be manipulated into granting new trust without sufficient challenge. Teams need to treat help desk procedures as access governance, not just service operations.

From our research:

• Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
• 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
• For a deeper case-library view, see 52 NHI Breaches Analysis, which maps recurring identity failure patterns across real incidents.

What this signals

Standing credential debt: the longer a credential, token, or service account remains valid after its original purpose ends, the more it behaves like hidden breach inventory. That is why reviews must be operational, not ceremonial, and why teams should pair review cadence with actual removal outcomes.

With 72% of organisations reporting or suspecting a breach of non-human identities, the governance gap is already mainstream rather than exceptional, according to The 2024 ESG Report: Managing Non-Human Identities. Practitioners should expect board-level questions about third-party access, dormant accounts, and the speed of entitlement removal.

Teams that still treat third-party access as a procurement problem will miss the real risk. The programme signal to watch is whether vendor access is scoped to task, time, and data sensitivity, then revalidated every time the relationship, system, or support model changes.

For practitioners

• Audit all standing credentials and service accounts Prioritise remote access portals, support tooling, OAuth apps, and contractor accounts. Flag anything that has not been rotated, reviewed, or tied to an active business owner.
• Enforce MFA on every production access path Include legacy portals, acquired systems, help desk resets, and third-party access channels. If a system cannot enforce MFA, isolate it and plan its retirement or compensating control.
• Segment vendor access by task and entitlement Give outsourced teams only the fields, systems, and durations required for the job. Review those grants continuously so vendor relationships do not become permanent attack bridges.
• Rebuild help desk verification for sensitive resets Require stronger identity proofing before password or MFA re-enrollment. Use multi-party approval and anomaly checks for privileged resets instead of relying on static knowledge questions.
• Tie access reviews to deprovisioning outcomes An access review that produces no removal is only paperwork. Track how many dormant or excessive entitlements are actually revoked after review and use that as the governance success measure.

Key takeaways

• These breaches were driven by ordinary identity failures such as stale credentials, weak MFA coverage, and excessive access, not by exotic attack methods.
• The scale was severe, with more than 700 million individuals affected across the ten incidents and repeated evidence of reusable access paths.
• Practical prevention comes from continuous governance, meaning tighter lifecycle control, stronger authentication enforcement, and faster removal of unused or over-privileged access.

Key terms

• Standing Access: Access that remains active after the original need has passed. In identity programmes, standing access is dangerous because it creates an ongoing window for misuse, especially when it is not tied to a current owner, current task, or current review cycle.
• Identity Blast Radius: The amount of damage a single account, credential, or vendor relationship can cause when it is compromised or abused. It is shaped by privilege scope, segmentation, and how quickly access can be removed once something looks wrong.
• Access Lifecycle: The full path from provisioning through review, rotation, and removal. Strong lifecycle governance keeps identities aligned to current business need, while weak lifecycle governance leaves stale permissions, orphaned accounts, and exposed credentials in place long after they should have expired.
• Third-Party Access Governance: The controls that define how external vendors, contractors, and support partners get, use, and lose access. It combines least privilege, time limits, review discipline, and auditability so supplier access does not become a permanent security shortcut.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Opal Security: Back 10 Recent Breaches that Could Have been Prevented with Modern IGA. Read the original.