By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: EnzoicPublished October 16, 2025

TL;DR: Recent breaches at Qantas, DraftKings, Red Hat, and Veradigm show how credential theft, reuse, and third-party access can expose millions of records across sectors, according to Enzoic. The lesson is simple: credential hygiene and continuous monitoring remain core identity controls, not background tasks.


At a glance

What this is: This is a breach roundup showing that compromised credentials and third-party access continue to drive high-impact incidents across consumer, healthcare, and technology environments.

Why it matters: It matters because the same access weaknesses that affect human accounts also expose shared partner credentials and other non-human identities, so IAM and security teams need one governance model across all three.

By the numbers:

👉 Read Enzoic's roundup of recent breaches and credential abuse patterns


Context

Credential abuse remains one of the most reliable ways into enterprise environments because it turns legitimate access into an attacker foothold. In this breach roundup, the common failure is not a novel exploit but weak identity hygiene, reused passwords, and third-party access that outlived trust.

For IAM and security teams, the practical issue is that human users, partner accounts, and other non-human identities can all become breach entry points when monitoring and lifecycle controls are inconsistent. The article shows how a single compromised login can cascade into customer exposure, supply-chain risk, or extortion leverage.


Key questions

Q: What breaks when reused passwords are not screened at login?

A: Reused passwords turn one unrelated breach into a new access path. Attackers can automate login attempts at scale, bypassing many perimeter controls because the credentials are valid. The result is often temporary account access, profile exposure, and follow-on fraud. Breached-password screening and rate limiting reduce that risk before attackers can exploit reused credentials.

Q: Why do third-party credentials create disproportionate breach risk?

A: Third-party credentials often carry trusted access into systems that are not tightly watched like employee logins. If the partner environment is compromised, those credentials can be reused against cloud storage, admin portals, or shared applications. The risk grows when access has no clear expiry or offboarding trigger and can outlive the business relationship.

Q: What do security teams get wrong about credential stuffing?

A: They often treat it as a customer nuisance rather than an identity control failure. Credential stuffing succeeds because password reuse, weak detection, and poor monitoring combine to make automation effective. Teams should evaluate it as a governance problem that requires login defences, anomaly detection, and strong customer authentication options.

Q: Who is accountable when leaked credentials lead to data exposure?

A: Accountability usually sits across the owning business, the identity team, and any third-party relationship owner. If access was not revoked, scoped, or monitored properly, the failure is governance, not just incident response. Organisations should be able to show which account was used, why it existed, and how it was retired.


Technical breakdown

Credential stuffing as an access path

Credential stuffing is an automated login attack that uses username and password pairs stolen from other breaches against unrelated services. It succeeds when people reuse passwords and when the target lacks rate limiting, anomaly detection, or compromised credential screening. The attacker does not need to break authentication directly. They simply test large volumes of valid credentials until some work, then pivot through whatever data or account functions the session allows. In consumer services, that often means exposure of profile data and account metadata rather than full financial compromise.

Practical implication: monitor for reused credential patterns and add controls that detect logins using compromised passwords before attackers can enumerate accounts.

Third-party access as a hidden identity risk

The Veradigm case shows how partner credentials can be abused after the upstream environment is already compromised. In these incidents, the weakness is not only the stolen password but the trust relationship attached to it. Third-party access often persists longer than the business need, and cloud storage or shared platforms can widen the blast radius if access is not tightly scoped. This is an NHI and IAM problem because partner accounts, service credentials, and delegated access frequently operate outside standard human onboarding and offboarding workflows.

Practical implication: inventory third-party identities, define explicit scopes for each connection, and revoke access as soon as the business relationship or security posture changes.

Extortion campaigns amplify exposure after exfiltration

Once attackers exfiltrate records, publication becomes a secondary pressure tactic. In the Qantas case, the data was reportedly taken during a third-party compromise and later leaked after ransom demands were refused. This pattern shows that the security issue continues after initial access, because personal data can be repurposed for phishing, impersonation, and fraud long after the original intrusion. From an identity perspective, leaked profile data also lowers the cost of follow-on account takeover attempts by making social engineering more convincing.

Practical implication: treat identity data exfiltration as an active fraud exposure and coordinate containment, customer warning, and authentication hardening together.


Threat narrative

Attacker objective: The attackers sought to monetize valid access by stealing records, enabling account compromise, and applying ransom pressure through public data exposure.

  1. Entry occurred through compromised or reused credentials, including third-party access that had already been stolen elsewhere.
  2. Escalation followed when attackers used those valid logins to access accounts, storage, or customer records without triggering immediate blocking.
  3. Impact came through record exposure, account access, and public leak sites that increased fraud, phishing, and extortion pressure.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Credential reuse remains the easiest breach multiplier: When attackers can log in with valid credentials, they bypass much of the control stack that organisations rely on to detect forceful intrusion. The pattern cuts across consumer identity, partner access, and machine-facing accounts because the credential itself becomes the trust anchor. For IAM teams, that means password hygiene and compromised credential monitoring are still frontline controls, not support functions.

Third-party access without lifecycle offboarding is a standing exposure: The Veradigm pattern shows what happens when partner access remains valid after the original trust basis has weakened or changed. That is an identity lifecycle failure, not simply a cloud storage issue. The practical conclusion is that delegated access must be governed as actively as employee access, with clear ownership and revocation triggers.

Credential stuffing is an identity governance issue, not just a fraud problem: DraftKings shows that automated login abuse can expose enough account data to fuel later social engineering and payment fraud. That puts IAM, fraud, and customer security on the same dependency chain. When reused passwords are still common, the organisation is effectively carrying hidden identity debt across every login surface.

Ephemeral access debt: The most damaging part of these incidents is not only the compromise but the time gap between credential exposure and detection. Once a credential has escaped into the wild, the organisation inherits an exposure window that can be exploited repeatedly across systems. Practitioner teams should treat every exposed login as an unresolved governance liability until it is rotated, revoked, or bound to stronger authentication.

The identity programme needs one control model across humans and NHIs: The article’s incidents involve customer passwords, partner credentials, and system access used for storage and delegation. Those are different actor types, but the governance failure is the same: trust outlived control. Security teams should unify visibility, lifecycle, and monitoring so that access reviews do not stop at employee identities.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, with inadequate monitoring and logging and over-privileged accounts both at 37%.
  • For a deeper governance view, NHI Lifecycle Management Guide explains how offboarding, rotation, and review close the trust gap that these incidents expose.

What this signals

Ephemeral access debt: security programmes are still carrying credentials and delegated access beyond their useful life, which turns every compromise into a reusable trust problem. The immediate agenda is not only detection, but faster retirement of access that no longer has a live business purpose. Teams that tie account review to the business event, not the calendar, will reduce downstream exposure.

The control pattern here is cross-domain. Human passwords, partner logins, and non-human credentials all fail in similar ways when lifecycle ownership is unclear, and that is why identity monitoring should be unified across IAM, PAM, and NHI workflows. The teams that can see reused, shared, or delegated credentials in one inventory will respond faster to breach signals and fraud attempts.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, the practical gap is not a lack of policy but a lack of operational visibility. That means the next control investment should focus on inventorying who can still authenticate, where, and under what delegated authority.


For practitioners

  • Block compromised credential reuse at the login layer Use breached-password screening, rate limiting, and step-up checks on repeated login failures so reused credentials cannot become a durable foothold. Pair those controls with alerting on unusual geolocation, device, or velocity patterns.
  • Inventory and scope every third-party identity Map partner users, delegated access, and shared credentials to specific business purposes. Remove access that no longer has a live need and verify that cloud storage, support portals, and admin functions are separately constrained.
  • Rotate any credential exposed in a partner incident If a third-party breach occurs, assume downstream trust is contaminated. Reset affected passwords, revoke API keys where relevant, and validate that no reused secret can authenticate into adjacent services.
  • Link identity monitoring to fraud and customer response When personal data is exposed, expand response beyond containment. Warn affected users, harden account recovery paths, and watch for phishing or impersonation attempts that use the leaked profile data.

Key takeaways

  • Recent breaches show that credential abuse still scales faster than many identity controls can respond.
  • The highest-risk pattern is not just stolen passwords, but the combination of reused credentials, partner trust, and weak lifecycle offboarding.
  • IAM teams should treat login monitoring, third-party identity inventory, and exposed-credential response as one control problem.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementCredential theft and reuse are the core attack steps in these breaches.
OWASP Non-Human Identity Top 10NHI-01The article centers on compromised credential handling and access control.
NIST CSF 2.0PR.AA-1Identity proofing and authenticators are implicated in compromised-login incidents.
NIST SP 800-53 Rev 5IA-5Authenticator management directly addresses password reuse and rotation failures.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle and access scope failures are central to third-party abuse.

Use account management controls to remove stale access and validate delegated identities.


Key terms

  • Credential Stuffing: Credential stuffing is an automated login attack that reuses usernames and passwords leaked in other breaches. It succeeds when people reuse passwords and when defenders do not monitor for compromised credentials, making valid access the attacker’s easiest path into customer or employee accounts.
  • Third-Party Access: Third-party access is any login or delegated permission granted to an external partner, contractor, or supplier. It can be human or non-human, and it becomes risky when the access scope is broader than the business need or remains active after the trust relationship changes.
  • Identity Blast Radius: Identity blast radius is the amount of data, systems, or accounts exposed when one credential is abused. The smaller the blast radius, the less damage a single login failure can cause, which is why scope, monitoring, and revocation timing matter so much in breach containment.
  • Compromised Credential Monitoring: Compromised credential monitoring is the continuous checking of login identifiers against known breach data and suspicious reuse patterns. It helps defenders find leaked passwords before attackers can use them and is especially important where customer access, partner access, and service accounts all coexist.

What's in the full article

Enzoic's full article covers the incident details this post intentionally leaves at the pattern level:

  • Per-incident summaries for Qantas, DraftKings, Red Hat, and Veradigm with the exact exposure paths involved.
  • Operational guidance on credential monitoring and password hygiene that the source uses to interpret the week’s breaches.
  • The article’s own breach-specific context for why these incidents matter to defenders beyond the initial compromise.
  • Examples of how the same compromise pattern can surface across airline, betting, healthcare, and vendor environments.

👉 The full Enzoic article breaks down the Qantas, DraftKings, Red Hat, and Veradigm incidents in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org