Credential stuffing and NHI sprawl: what IAM teams miss


(@entro)
Reputable Member
Joined: 1 year ago
Posts: 126
Topic starter  

TL;DR: Credential stuffing made up 24.3% of login attempts in Okta’s State of Security Incident Report 2024, while the same technique increasingly targets API keys and service accounts that hold elevated access across automation and integration paths. The real issue is not only reused human passwords but the governance assumptions behind static non-human credentials.

NHIMG editorial — based on content published by Entro Security: The anatomy of a credential stuffing attack, with insights and countermeasures

By the numbers:

Questions worth separating out

Q: How should security teams reduce credential stuffing risk across human and machine identities?

A: Treat reuse as the common failure mode.

Q: Why do service accounts make credential stuffing more dangerous than it looks?

A: Service accounts often hold broader privileges than user accounts and are trusted by workflows, APIs, and pipelines.

Q: What breaks when secrets are hardcoded or widely shared?

A: Hardcoded or shared secrets break revocation, accountability, and blast-radius control.
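To make the three answers above concrete, here is an added detection sketch (not code from the original post or from Entro Security) that replays a constructed authentication log and flags sources that cycle through many distinct identities with mostly failed attempts, treating a service account or API key that succeeds after earlier failures from the same source as the highest-priority compromise candidate. The log format, the identity types and the thresholds are assumptions for illustration.

```python
"""Credential-stuffing detection across human and non-human identities.
Added example, not code from the original post or from Entro Security.
The log format, identity types and thresholds below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log. Assumed format per line:
#   <epoch_seconds> <source_ip> <identity> <identity_type> <result>
# identity_type is one of user | service_account | api_key; result is ok | fail.
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice user fail
1700000001 203.0.113.7 bob user fail
1700000002 203.0.113.7 carol user fail
1700000003 203.0.113.7 ci-deployer service_account fail
1700000004 203.0.113.7 ci-deployer service_account ok
1700000005 203.0.113.7 dave user fail
1700000006 203.0.113.7 erin user fail
1700000007 203.0.113.7 frank user fail
1700000010 198.51.100.9 alice user fail
1700000011 198.51.100.9 alice user ok
1700000020 192.0.2.33 key_7f3a api_key fail
1700000021 192.0.2.33 key_7f3a api_key fail
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while replaying the log in time order."""
    attempts: int = 0
    failures: int = 0
    identities: set = field(default_factory=set)
    failed_before: set = field(default_factory=set)
    # identities that succeeded after an earlier failure from the same source
    successes_after_fail: list = field(default_factory=list)


def parse_log(text):
    """Parse the assumed log format into (ts, ip, identity, type, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ident, itype, result = line.split()
        events.append((int(ts), ip, ident, itype, result))
    return events


def detect_stuffing(events, min_identities=5, min_fail_ratio=0.7):
    """Flag sources that try many distinct identities with a high failure ratio.

    A legitimate user fails a few times against one account; a stuffing run
    walks a breached username/password list, so one source touches many
    identities and mostly fails. A success after failures from the same
    source is a compromise candidate, and a non-human identity among those
    candidates raises severity because service accounts and API keys tend to
    carry broader privileges than user accounts.
    """
    per_source = defaultdict(SourceStats)
    for _ts, ip, ident, itype, result in sorted(events):
        s = per_source[ip]
        s.attempts += 1
        s.identities.add(ident)
        if result == "fail":
            s.failures += 1
            s.failed_before.add(ident)
        elif ident in s.failed_before:
            s.successes_after_fail.append((ident, itype))

    findings = []
    for ip, s in per_source.items():
        ratio = s.failures / s.attempts
        if len(s.identities) < min_identities or ratio < min_fail_ratio:
            continue
        nhi_hits = [i for i, t in s.successes_after_fail if t != "user"]
        findings.append({
            "source_ip": ip,
            "distinct_identities": len(s.identities),
            "fail_ratio": ratio,
            "compromise_candidates": s.successes_after_fail,
            "severity": "critical" if nhi_hits else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log, only 203.0.113.7 is flagged: seven identities, seven failures out of eight attempts, and the `ci-deployer` service account succeeding after a failure, which is exactly the case the second answer warns about. The single user at 198.51.100.9 who mistypes once and then logs in is not flagged, which is the false-positive the identity-count threshold is there to avoid.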

Practitioner guidance

  • Eliminate shared and hardcoded machine credentials: move API keys, tokens, and service-account secrets out of source code, configuration files, and team chat.
  • Add secrets detection to development and CI/CD pipelines: scan repositories, build logs, and deployment artefacts for exposed secrets before they can be replayed.
  • Rotate credentials on a defined lifecycle, not an ad hoc basis: set rotation rules by credential type and privilege level, then tie them to offboarding, vendor changes, and environment changes.
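The second and third points above, secrets detection in CI/CD and lifecycle-based rotation, as an added example that is not Entro Security's tooling or code from the post: a small scanner over constructed repository and build-log artefacts, followed by a rotation check against an assumed policy table keyed by credential type and privilege level. The regex rules, the entropy cut-off, the inventory format and the policy values are illustrative assumptions; the `AKIA...` value is AWS's documented example key id and the other secrets are made up.

```python
"""Secrets detection over repository and CI artefacts, plus a rotation
lifecycle check. Added example, not Entro Security's tooling or code from
the post. The detector rules, entropy cut-off, inventory format and the
rotation policy table are illustrative assumptions."""
import math
import re
from datetime import datetime, timedelta, timezone

# Detector rules (assumed). The AWS access-key-id and GitHub token prefixes
# follow their published formats; the generic rule catches "name = value"
# assignments and is gated on entropy below to reduce false positives.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9+/=_\-]{16,})"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for the generic rule


def shannon_entropy(s):
    """Bits per character; random-looking tokens score higher than words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_text(source_name, text):
    """Return (source, line_no, rule, redacted_value) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy placeholder such as "changeme", not a live secret
                findings.append((source_name, line_no, rule, value[:4] + "..." + value[-2:]))
    return findings


def scan_artefacts(artefacts):
    """Scan a mapping of artefact name -> text (source files, build logs, manifests)."""
    return [f for name, text in artefacts.items() for f in scan_text(name, text)]


# Constructed artefacts. The AKIA value is AWS's documented example key id;
# the other values are made up for this example.
SAMPLE_ARTEFACTS = {
    "config/settings.yaml": "db_host: db.internal\naws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    "ci/build.log": "[deploy] exporting GITHUB_TOKEN=ghp_" + "A1b2" * 9 + "\n",
    "src/client.py": 'API_KEY = "9xq2Zr8wLm4Pt7KdVb3QnS"\npassword = "changeme_changeme"\n',
}

# Rotation policy (assumed): maximum age in days by (credential type, privilege).
MAX_AGE_DAYS = {
    ("service_account", "admin"): 30,
    ("service_account", "standard"): 180,
    ("api_key", "admin"): 30,
    ("api_key", "standard"): 90,
}


def rotation_overdue(inventory, now):
    """Return (name, reason) for credentials past their max age or hit by a
    lifecycle trigger (offboarding, vendor change, environment change)."""
    overdue = []
    for cred in inventory:
        limit = MAX_AGE_DAYS[(cred["type"], cred["privilege"])]
        age = (now - cred["last_rotated"]).days
        if cred["triggers"]:
            overdue.append((cred["name"], "trigger: " + ", ".join(cred["triggers"])))
        elif age > limit:
            overdue.append((cred["name"], f"age {age}d exceeds {limit}d"))
    return overdue


# Constructed inventory of machine credentials.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"name": "ci-deployer", "type": "service_account", "privilege": "admin",
     "last_rotated": NOW - timedelta(days=45), "triggers": []},
    {"name": "metrics-reader", "type": "api_key", "privilege": "standard",
     "last_rotated": NOW - timedelta(days=20), "triggers": ["owner_offboarded"]},
    {"name": "backup-writer", "type": "api_key", "privilege": "standard",
     "last_rotated": NOW - timedelta(days=20), "triggers": []},
]

if __name__ == "__main__":
    for finding in scan_artefacts(SAMPLE_ARTEFACTS):
        print("secret:", finding)
    for name, reason in rotation_overdue(SAMPLE_INVENTORY, NOW):
        print("rotate:", name, reason)
```

The scanner reports three findings (the key id in the YAML file, the token echoed into the build log, and the high-entropy API key in source) and deliberately ignores the low-entropy `changeme_changeme` placeholder. The rotation check flags the admin service account for age and the API key whose owner was offboarded for its trigger, while the standard-tier key still within policy is left alone; wiring a check like this into the pipeline is what turns rotation from ad hoc into a lifecycle.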

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step explanation of credential stuffing versus password spraying for practitioners building detection logic.
  • Specific countermeasure guidance for bot detection, including behavioural signals and IP reputation analysis.
  • Secrets management tactics for hardcoded credentials in CI/CD and infrastructure as code workflows.
  • Examples of how compromised NHIs can be used to access cloud storage, deployment pipelines, and other privileged systems.

👉 Read Entro Security's analysis of credential stuffing across human and NHI access →
