TL;DR: Compromised credentials are increasingly the first step into Active Directory-connected environments, with infostealer logs turning stolen logins, cookies, and session artifacts into a scalable access market, according to Enzoic. The operational shift is clear: password policy alone cannot contain identity exposure once credentials are already circulating outside the enterprise.
NHIMG editorial — based on content published by Enzoic: The Login Was the Breach
By the numbers:
- 46% of infostealer-infected systems containing corporate login data were tied to unmanaged devices, likely representing personal or BYOD systems.
- 30% of compromised systems could be identified as enterprise-licensed devices.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when valid credentials are stolen before an attack begins?
A: The main failure is that identity controls still trust successful authentication as proof of legitimacy.
Q: Why do infostealer logs make credential abuse so scalable?
A: Infostealer logs package usernames, passwords, cookies, login URLs, and device context into ready-to-use access kits.
Q: How do security teams know whether password controls are actually working?
A: They should measure how many active credentials are known to be exposed externally, how quickly those credentials are blocked, and whether privileged accounts are screened before reuse.
Practitioner guidance
- Identify externally exposed credentials already active in AD Prioritise privileged users, service accounts, stale accounts, and delegated admin identities that still authenticate successfully even after appearing in breach or infostealer data.
- Block compromised passwords at creation and reset Do not wait for periodic rotation cycles.
- Inventory browser-stored identity paths Map which browsers, extensions, and password managers store access to VPN, SSO, cloud consoles, and admin portals, then decide which of those paths must be reduced or monitored.
What's in the full article
Enzoic's full blog covers the operational detail this post intentionally leaves for the source:
- How the article ties infostealer infection to Active Directory-connected access paths across VPN, SSO, and remote administration.
- The specific role of browser-stored credentials, cookies, and session artefacts in attacker reuse workflows.
- Practical guidance for spotting exposed credentials already active in hybrid identity environments.
- Vendor context on how compromised passwords can be detected and blocked in active directory workflows.
👉 Read Enzoic's analysis of why valid logins are now the breach →
Active Directory valid-account abuse: are your controls keeping up?
Explore further
Valid-account abuse is replacing exploit-led intrusion as the default identity breach pattern. The article shows a mature access economy where stolen credentials become the entry mechanism and identity systems unknowingly validate the attacker. That changes the security model from perimeter defense to exposure management, because the first malicious action may look like an ordinary login. Practitioners should treat successful authentication as an insufficient signal of trust.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- A separate finding shows only 5.7% of organisations have full visibility into their service accounts, which explains why exposed credentials so often remain undetected.
A question worth separating out:
Q: Which frameworks are most relevant to exposed credential governance?
A: NIST SP 800-63B is relevant for screening compromised passwords, while MITRE ATT&CK helps map valid-account abuse as an adversary technique. For identity programmes, that combination is useful because it connects the governance problem to the actual intrusion path rather than treating password policy in isolation.
👉 Read our full editorial: Credential exposure is redefining Active Directory breach entry