TL;DR: A 16 billion credential leak gathered from infostealer activity, exposed clouds, and project tools shows how reused passwords and long-lived access paths can fuel account takeover, lateral movement, and fraud across major services, according to Unosecur citing Cybernews. Identity security fails when leaked credentials remain usable.
NHIMG editorial — based on content published by Unosecur: 16 billion credential leak, why 2025’s biggest breach is an identity-security wake-up call
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams respond when leaked credentials may still be valid?
A: Security teams should assume the credentials are active until proven otherwise.
Q: Why do leaked credentials remain such a serious risk even with MFA?
A: MFA reduces the chance that a stolen password alone is enough, but it does not remove every path to access.
Q: What do organisations get wrong about credential rotation after a leak?
A: Many teams rotate the most visible accounts and leave hidden dependencies untouched.
Practitioner guidance
- Purge exposed credentials at the source and at the identity provider Invalidate any password, token, or API key that may have been exposed, then force reauthentication everywhere the secret may have been reused.
- Block password reuse with policy and technical controls Use password blacklists, breached-password checks, and passkey or hardware-token adoption for high-risk roles so leaked credentials cannot be replayed.
- Review third-party and dormant access as one exposure surface Audit vendor accounts, legacy integrations, and inactive identities for standing privilege and stale secrets.
What's in the full article
Unosecur's full article covers the operational detail this post intentionally leaves for the source:
- Day-by-day containment steps for forced password resets, token revocation, and MFA revalidation
- Practical checks for leaked-password blocking, including built-in identity-provider controls and breach-list screening
- The vendor's walkthrough of least-privilege reviews, third-party hardening, and monitoring workflows for reused credentials
- Implementation detail on detection, lockout, and response automation for credential-stuffing activity
👉 Read Unosecur's analysis of the 16 billion credential leak and identity risk →
16 billion credentials leaked: what identity teams need to act on?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Credential replay has become the dominant identity failure mode, not password quality alone. A leak of this scale matters because attackers do not need to crack modern cryptography when the access material is already valid. The operational problem is whether the organisation can detect reuse, revoke access, and stop credential stuffing before accounts become entry points. Practitioners should treat leaked credentials as a live access-management event, not a cyber-hygiene headline.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- A separate finding shows that 97% of NHIs carry excessive privileges, which broadens the blast radius when leaked access is reused.
A question worth separating out:
Q: Who is accountable when leaked credentials are reused for breach activity?
A: Accountability usually spans IAM, security operations, application owners, and vendor risk management, because exposed credentials cross organisational boundaries. The practical test is whether each owner can prove timely revocation, MFA enforcement, and detection coverage for the identities they control.
👉 Read our full editorial: 16 billion credential leak exposes identity security’s weak points