Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

16 billion credentials leaked: what identity teams need to act on


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: A 16 billion credential leak gathered from infostealer activity, exposed clouds, and project tools shows how reused passwords and long-lived access paths can fuel account takeover, lateral movement, and fraud across major services, according to Unosecur citing Cybernews. Identity security fails when leaked credentials remain usable.

NHIMG editorial — based on content published by Unosecur: 16 billion credential leak, why 2025’s biggest breach is an identity-security wake-up call

By the numbers:

Questions worth separating out

Q: How should security teams respond when leaked credentials may still be valid?

A: Security teams should assume the credentials are active until proven otherwise.

Q: Why do leaked credentials remain such a serious risk even with MFA?

A: MFA reduces the chance that a stolen password alone is enough, but it does not remove every path to access.

Q: What do organisations get wrong about credential rotation after a leak?

A: Many teams rotate the most visible accounts and leave hidden dependencies untouched.

Practitioner guidance

What's in the full article

Unosecur's full article covers the operational detail this post intentionally leaves for the source:

  • Day-by-day containment steps for forced password resets, token revocation, and MFA revalidation
  • Practical checks for leaked-password blocking, including built-in identity-provider controls and breach-list screening
  • The vendor's walkthrough of least-privilege reviews, third-party hardening, and monitoring workflows for reused credentials
  • Implementation detail on detection, lockout, and response automation for credential-stuffing activity

👉 Read Unosecur's analysis of the 16 billion credential leak and identity risk →

16 billion credentials leaked: what identity teams need to act on?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Credential replay has become the dominant identity failure mode, not password quality alone. A leak of this scale matters because attackers do not need to crack modern cryptography when the access material is already valid. The operational problem is whether the organisation can detect reuse, revoke access, and stop credential stuffing before accounts become entry points. Practitioners should treat leaked credentials as a live access-management event, not a cyber-hygiene headline.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • A separate finding shows that 97% of NHIs carry excessive privileges, which broadens the blast radius when leaked access is reused.

A question worth separating out:

Q: Who is accountable when leaked credentials are reused for breach activity?

A: Accountability usually spans IAM, security operations, application owners, and vendor risk management, because exposed credentials cross organisational boundaries. The practical test is whether each owner can prove timely revocation, MFA enforcement, and detection coverage for the identities they control.

👉 Read our full editorial: 16 billion credential leak exposes identity security’s weak points



   
ReplyQuote
Share: