TL;DR: Credential stuffing remains a major account takeover path, with the source article citing IBM data that 16% of breaches involve stolen credentials, 292 days is the average containment time for compromised credential attacks, and the average cost is $4.81M per breach. The governance problem is not just blocking bots, but reducing the durability and usefulness of stolen identity material.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 16% of breaches are caused by stolen credentials.
- 292 days on average to contain compromised credential attacks.
- $4.81M average cost of a breach involving stolen credentials.
Questions worth separating out
Q: How should security teams reduce credential stuffing risk in customer login flows?
A: Start with risk-based authentication and bot detection on the highest-volume login surfaces, then add step-up controls where attack volume and account value justify the friction.
Q: Why does credential stuffing remain effective even when MFA exists?
A: Credential stuffing can still succeed when MFA is inconsistently enforced, when attackers target weak recovery flows, or when the account is protected only at initial login but not during later high-value actions.
Q: What do security teams get wrong about account takeover detection?
A: They often focus on the login event alone.
Practitioner guidance
- Tighten login risk controls Apply risk-based authentication, bot detection, and step-up checks at the highest-volume login paths where reused credentials are most likely to be tested.
- Reduce credential replay value Accelerate password reset, credential invalidation, and breached-password screening so exposed identity material loses usefulness faster.
- Correlate authentication with downstream abuse Link sign-in telemetry to session changes, reward redemption, support-contact changes, and payment events so a valid login can still be flagged as malicious.
What's in the full announcement
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- The specific detection signals used in its real-time risk assessment flow for credential stuffing and account takeover.
- How adaptive challenges are tuned to stop automation while preserving legitimate customer access.
- The platform components the vendor positions for account takeover, fake account creation, SMS toll fraud, API security, MFA compromise, and device intelligence.
- Customer examples and product-level context that go beyond the governance implications covered here.
👉 Read Arkose Labs' analysis of credential stuffing and account takeover defenses →
Credential stuffing and account takeover: what IAM teams need to act on?
Explore further
Credential stuffing is an identity governance failure, not just a bot problem. The article correctly treats stolen credentials as a breach driver because the real weakness is persistent trust in reusable identity material. In practice, password-based authentication still assumes that possession of a valid credential means the user is legitimate, even after that credential has appeared in the wild. For IAM teams, the implication is that identity assurance must be treated as dynamic, not static.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Who is accountable when stolen credentials are used to drain customer accounts?
A: Accountability usually spans IAM, fraud, security operations, and the business owner for the affected workflow. The right framework is shared responsibility: authentication controls may fail at the door, but downstream teams often control the actions that turn access into loss. Clear ownership is needed for both detection and containment.
👉 Read our full editorial: Credential stuffing and account takeover still drive breach risk