TL;DR: 2025’s biggest breaches were driven by credential reuse, third-party access, weak logging, delayed detection, and exposed personal data, according to Secureframe’s review of major incidents. The lesson is that access governance, monitoring, and vendor oversight remain the controls most likely to prevent small failures from becoming enterprise-scale events.
NHIMG editorial — based on content published by Secureframe: Biggest Data Breaches of 2025 and what businesses should learn for 2026
By the numbers:
- small businesses are targeted roughly every 11 seconds, while larger enterprises face more than 1,900 attempted attacks each week.
- roughly 16 billion login credentials compiled from infostealer malware logs, phishing kits, and prior data breaches.
- over 74% of breaches involve the human element, including credential misuse and social engineering.
Questions worth separating out
Q: What breaks when credential reuse is still allowed in high-value accounts?
A: Credential reuse turns one leaked password into many takeover opportunities because attackers can test it across services at scale.
Q: Why do third-party connections increase breach exposure?
A: Third-party connections increase exposure because they extend your trust boundary into another organisation's identity controls.
Q: How do security teams know whether access abuse is being detected early enough?
A: They look for short dwell time, complete authentication and access logs, and fast correlation between login activity and sensitive data access.
Practitioner guidance
- Eliminate password reuse in high-risk access paths Require MFA, block known compromised credentials, and enforce passwordless or phishing-resistant authentication for privileged users, admins, and external partners where possible.
- Inventory and govern delegated third-party access Maintain a live inventory of vendor accounts, OAuth connections, service integrations, and support credentials.
- Correlate identity events with data-access telemetry Tie authentication logs, privileged session records, and file or database access events together so analysts can see whether valid access is being abused.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- Breakdowns of the specific breach narratives behind AT&T, SK Telecom, Yale New Haven Health, and Allianz Life.
- The article's remediation checklists for credential hygiene, vendor governance, logging, and incident response.
- Expanded commentary on why data minimisation and segmentation are framed as resilience controls.
- Secureframe's downloadable 2026 cybersecurity checklist for teams that want an implementation aid.
👉 Read Secureframe's review of the biggest 2025 data breaches and 2026 controls →
2025 breach patterns: what access control gaps are teams missing?
Explore further
Credential exposure is now a systemic identity governance problem, not an isolated breach cause. The 16 billion-credential event in the article is a reminder that password reuse and exposed secrets continue to defeat organisations faster than they can remediate them. In identity programmes, the control failure is not simply weak authentication, but the assumption that credentials will remain private long enough to be safe. That assumption no longer holds, especially where privileged access and external access are involved. Practitioners should treat exposed credentials as a standing governance crisis, not a one-time incident.
A question worth separating out:
Q: Who is accountable when a vendor platform is the breach entry point?
A: Accountability should be shared across the business owner, the identity team, and the vendor risk function, but the enterprise still owns the decision to grant, scope, and revoke access. Frameworks such as NIST CSF 2.0 and NIST SP 800-53 expect clear ownership for access control, monitoring, and incident response, including third-party relationships.
👉 Read our full editorial: 2025 data breaches exposed the same access control gaps