Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

16 billion stolen credentials: what account takeover teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A reported cache of 16 billion credentials is more a reuse event than a fresh breach, but it still fuels credential stuffing, password spraying, and account takeover attempts at scale, according to Proofpoint. The real issue is not discovery volume alone, but how exposed credentials keep defeating identity controls built around static trust assumptions.

NHIMG editorial — based on content published by Proofpoint: analysis of the 16 billion stolen credentials story and its account takeover implications

Questions worth separating out

Q: How should security teams respond when credentials are exposed at massive scale?

A: Start with session invalidation, then rotate or revoke the affected secrets, tokens, and passwords.

Q: Why do exposed credentials still matter if there was no new breach?

A: Because old credentials remain usable wherever accounts, passwords, and recovery flows still trust them.

Q: What do teams get wrong about MFA after credential theft?

A: They often assume MFA alone closes the gap.

Practitioner guidance

  • Block known-compromised credentials at authentication time Feed exposed-password intelligence into identity provider controls so reused credentials are rejected before they can reach email, VPN, cloud, or SSO entry points.
  • Prioritise phishing-resistant MFA for high-value users Move administrators, finance, help desk, and executives to phishing-resistant methods and review recovery paths that still allow password-based fallback.
  • Audit post-login abuse paths in cloud and email Look for mailbox rule changes, new OAuth grants, unusual delegation, and session token reuse because these are common next steps after takeover.

What's in the full article

Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of how attackers chain credential stuffing into account takeover across email, VPN, and cloud services.
  • Specific guidance on MFA hardening, including phishing-resistant options and recovery-flow review points.
  • Response steps for suspending accounts, removing malicious mailbox rules, and revoking unauthorized OAuth applications.
  • Behavioural and threat-intelligence signals used to detect post-login abuse in real time.

👉 Read Proofpoint's analysis of the 16 billion credential collection and account takeover risk →

16 billion stolen credentials: what account takeover teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Credential reuse has become an identity supply chain problem, not just a user hygiene problem. The article shows how older credentials, once aggregated, are repackaged into automation against modern identity systems. That means the organisation's exposure is determined by password reuse, account persistence, and how quickly compromised credentials are recognised as active attack material. Practitioners should treat exposed-credential intelligence as a live access-control input, not a retrospective incident metric.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.

A question worth separating out:

Q: Who is accountable when email impersonation leads to account takeover?

A: Accountability sits with the organisation that owns the sender domain, the security team operating mail authentication, and the business owners responsible for customer communication. If brand trust is weak, those functions have to coordinate the controls and maintain them over time.

👉 Read our full editorial: Account takeover risk rises as reused credentials resurface at scale



   
ReplyQuote
Share: