TL;DR: A review of ten major 2023 to 2025 breaches found recurring identity failures, including stale credentials, missing MFA, over-privileged accounts, and weak third-party access, with the incidents collectively affecting over 700 million people and costing billions, according to Opal Security. The pattern shows governance gaps, not novel exploits, are still driving large-scale compromise.
NHIMG editorial — based on content published by Opal Security: Back 10 Recent Breaches that Could Have been Prevented with Modern IGA
By the numbers:
- The following ten breaches from 2023 to 2025 represent some of the most consequential cybersecurity incidents in recent history.
- Collectively, these incidents affected over 700 million individuals.
- Seven of 10 breaches involved credentials that were stolen, unrotated, or stored insecurely.
Questions worth separating out
Q: What breaks when access reviews are only treated as an audit exercise?
A: Access reviews fail when they do not lead to revocation, scope reduction, or ownership correction.
Q: Why do third-party accounts create disproportionate breach risk?
A: Third-party accounts often connect external operators directly to production systems, support tools, or sensitive data with wider scope than internal users need.
Q: How do organisations know whether credential governance is actually working?
A: Credential governance is working when exposed, stale, or unused secrets are discovered quickly and removed before they become active risk.
Practitioner guidance
- Audit all standing credentials and service accounts Prioritise remote access portals, support tooling, OAuth apps, and contractor accounts.
- Enforce MFA on every production access path Include legacy portals, acquired systems, help desk resets, and third-party access channels.
- Segment vendor access by task and entitlement Give outsourced teams only the fields, systems, and durations required for the job.
What's in the full article
Opal Security's full article covers the operational detail this post intentionally leaves for the source:
- Per-breach root cause notes across all ten incidents, including which access control failed in each case.
- The specific IGA capabilities Opal maps to each breach pattern, including access reviews, JIT access, and policy enforcement.
- The full breakdown of third-party access failures, support desk abuse, and legacy system exposure across the cases.
- The article's own breach-by-breach remediation mapping for teams building an identity governance programme.
👉 Read Opal Security's review of 10 breaches preventable with modern IGA →
Recent breaches and the IGA gaps teams keep missing?
Explore further
Standing access is the breach condition, not the exception. These incidents show that attackers still succeed by finding identity paths that were never fully expired, reviewed, or constrained. That is a governance failure, not a tooling glitch. When credentials, vendor access, and legacy accounts remain usable after their original purpose has ended, the organisation has already lost control of the access lifecycle.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable when a legacy system or vendor path is left with standing access?
A: Accountability sits with the identity, platform, and application owners who allowed the access to persist, not just the team that noticed the breach first. Governance must define ownership for review, removal, and exception handling so legacy systems and vendor paths do not remain permanently outside control.
👉 Read our full editorial: Modern IGA would have reduced the damage in recent breaches