
Account takeovers and compromised credentials: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Compromised credentials were responsible for 20% of all data breaches in 2021, and organisations often needed 250 days to detect compromise plus 91 days to contain it, according to the article. The underlying problem is not just login theft but delayed detection, weak containment, and an access model that assumes one stolen account stays isolated.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should security teams reduce account takeover risk after credential compromise?

A: Focus on identity-layer containment, not only stronger passwords.

Q: Why do compromised credentials remain such an effective attack vector?

A: They work because they bypass many technical barriers by entering through the front door as valid access.

Practitioner guidance

  • Treat email as a privileged identity. Apply stronger monitoring, session controls, and recovery protections to employee mailboxes because they often anchor password resets, approval flows, and internal discovery.
  • Remove unsafe recovery dependencies. Audit which critical accounts can be reset or re-authenticated through email alone, then replace that dependency with stronger step-up verification and separate recovery paths.
  • Monitor for abnormal post-login behaviour. Alert on inbox rule creation, unusual forwarding, suspicious search activity, new device enrollment, and mass access to sensitive threads or attachments.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • Troy Hunt's perspective on how compromised credentials are discovered and reused in real attacks.
  • Practical examples of what attackers can do after gaining access to a single email account.
  • Abnormal CISO Mike Britton's discussion of prevention steps for account takeover risk.
  • The webinar recording and CPE information for teams that need a training-oriented follow-up.

👉 Read Abnormal AI's webinar on account takeover attacks and compromised credentials →

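The post-login signals listed under "Monitor for abnormal post-login behaviour" are concrete enough to turn into detection logic. The block below is an added example, not code from the post or from Abnormal AI: it runs four rules over a constructed mailbox audit trail (hidden forwarding inbox rule, mailbox-level external forwarding, bulk item access inside a sliding window, and device enrollment shortly after a login from an IP outside the user's baseline). Event field names, operation names, the tenant domain, the baseline IP set and the thresholds are all assumptions for illustration; map them to whatever your audit source actually emits.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "ts user rule detail")

INTERNAL_DOMAINS = {"example.com"}   # assumed tenant domain(s)
KNOWN_IPS = {"198.51.100.10"}        # assumed baseline IPs for the user


def _t(s):
    return datetime.fromisoformat(s)


def external_address(addr, internal=INTERNAL_DOMAINS):
    """True when addr (optionally 'smtp:user@domain') is outside the tenant."""
    addr = addr.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and addr.rsplit("@", 1)[1] not in internal


def suspicious_inbox_rule(params):
    """Rules that forward or redirect mail outside the tenant, hide matching mail,
    or carry a throwaway name are the classic post-compromise pattern."""
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in params and external_address(str(params[key])):
            reasons.append(f"{key} to external address")
    hidden = {"rss feeds", "archive", "deleted items"}
    if params.get("DeleteMessage") or str(params.get("MoveToFolder", "")).lower() in hidden:
        reasons.append("hides matching mail")
    if not str(params.get("Name", "")).strip(" .,-_"):
        reasons.append("punctuation-only rule name")
    return reasons


def detect(events, known_ips=KNOWN_IPS, window=timedelta(minutes=30), access_threshold=50):
    """Run the four detections over a list of audit events (assumed schema:
    ts, user, op, ip, params). Returns alerts in event order."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts, access_times, risky_logins, fired = [], {}, {}, set()
    for e in events:
        ts, user, op, params = _t(e["ts"]), e["user"], e["op"], e.get("params", {})
        if op == "UserLoggedIn" and e["ip"] not in known_ips:
            risky_logins.setdefault(user, []).append(ts)   # weak on its own; used for correlation
        elif op == "New-InboxRule":
            reasons = suspicious_inbox_rule(params)
            if reasons:
                alerts.append(Alert(ts, user, "suspicious_inbox_rule", "; ".join(reasons)))
        elif op == "Set-Mailbox" and external_address(str(params.get("ForwardingSmtpAddress", ""))):
            alerts.append(Alert(ts, user, "external_forwarding", params["ForwardingSmtpAddress"]))
        elif op == "MailItemsAccessed":
            times = access_times.setdefault(user, [])
            times.append(ts)
            while times and ts - times[0] > window:    # sliding window of recent reads
                times.pop(0)
            if len(times) >= access_threshold and (user, "mass") not in fired:
                fired.add((user, "mass"))               # fire once per user, not per item
                alerts.append(Alert(ts, user, "mass_mailbox_access",
                                    f"{access_threshold} items within {window}"))
        elif op == "DeviceRegistered":
            recent = [t for t in risky_logins.get(user, []) if ts - t <= window]
            if recent:
                alerts.append(Alert(ts, user, "device_enrolled_after_unknown_ip_login",
                                    f"login from unknown IP at {recent[-1].isoformat()}"))
    return alerts


def build_sample_events():
    """Constructed audit trail: a benign login from the baseline IP, then an attacker
    session from an unknown IP doing the things the guidance above lists."""
    user = "alice@example.com"
    events = [
        {"ts": "2024-03-01T07:55:00", "user": user, "op": "UserLoggedIn", "ip": "198.51.100.10", "params": {}},
        {"ts": "2024-03-01T07:56:00", "user": user, "op": "MailItemsAccessed", "ip": "198.51.100.10", "params": {}},
        {"ts": "2024-03-01T08:02:00", "user": user, "op": "UserLoggedIn", "ip": "203.0.113.7", "params": {}},
        {"ts": "2024-03-01T08:03:10", "user": user, "op": "New-InboxRule", "ip": "203.0.113.7",
         "params": {"Name": "..", "SubjectContainsWords": ["invoice", "password"],
                    "ForwardTo": "drop@mail.attacker.example", "DeleteMessage": True}},
        {"ts": "2024-03-01T08:04:00", "user": user, "op": "Set-Mailbox", "ip": "203.0.113.7",
         "params": {"ForwardingSmtpAddress": "smtp:drop@mail.attacker.example"}},
        {"ts": "2024-03-01T08:20:00", "user": user, "op": "DeviceRegistered", "ip": "203.0.113.7",
         "params": {"Device": "iPhone"}},
    ]
    start = _t("2024-03-01T08:05:00")   # 60 mailbox reads in ten minutes: bulk harvesting
    for i in range(60):
        events.append({"ts": (start + timedelta(seconds=10 * i)).isoformat(), "user": user,
                       "op": "MailItemsAccessed", "ip": "203.0.113.7", "params": {}})
    return events


if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(a.ts.isoformat(), a.user, a.rule, a.detail)
```

Two design points worth keeping when adapting this: the unknown-IP login is deliberately not an alert by itself (travel and VPNs make it noisy) but becomes one when a device enrollment follows it inside the window, and the bulk-access rule fires once per user rather than once per item so the analyst sees one ticket, not sixty.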

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Compromised credential exposure is still the simplest path into an organisation because identity systems often treat successful authentication as a signal of legitimacy. That model was designed for the user who owns the credential, not the attacker who has copied it. Once the credential is stolen, the organisation is defending a false assumption about who is behind the session. Practitioners should treat authenticated access as a starting condition for scrutiny, not a trust endpoint.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a compromised account leads to a broader breach?

A: Accountability usually spans identity owners, security operations, and the business teams that defined recovery and approval flows. If a mailbox or user account can unlock other systems, then ownership of that trust path matters as much as ownership of the account itself.

👉 Read our full editorial: Account takeovers expose the limits of compromised credential defences
