Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Credential breaches at scale: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: 2025 data breaches were shaped by healthcare losses, Salesforce-related customer exposures, and massive credential dumps built from infostealer logs and ULP lists, while AI mostly amplified phishing and credential stuffing rather than replacing old attack patterns, according to Enzoic. The operational lesson is blunt: identity hygiene, credential monitoring, and MFA still determine whether broad exposure becomes account takeover or stays contained.

NHIMG editorial — based on content published by Enzoic: Retrospective: 2025 Data Breaches and Credential Threat Trends

Questions worth separating out

Q: What breaks when compromised credentials are reused across multiple services?

A: When credentials are reused, one exposure becomes many access paths.

Q: Why do infostealer logs make credential theft more dangerous than a single breach?

A: Infostealer logs package credentials with the login URL, which removes attacker guesswork and speeds up abuse.

Q: What do security teams get wrong about AI and credential attacks?

A: Many teams assume AI creates a new category of attack when, in practice, it often accelerates existing ones like phishing and credential stuffing.

Practitioner guidance

  • Prioritise credential compromise monitoring Track exposed usernames, passwords, and authentication endpoints across employee, contractor, and service accounts.
  • Reduce password and token reuse across services Enforce unique credentials, limit browser-based storage where possible, and remove shared secret patterns that let one capture become many valid logins.
  • Review third-party and SaaS delegated access Map API keys, OAuth grants, and customer-managed integrations to named owners and offboarding triggers.

What's in the full article

Enzoic's full retrospective covers the operational detail this post intentionally leaves for the source:

  • Year-by-year breakdown of the healthcare, Salesforce, and credential-breach patterns behind the 2025 retrospective
  • Practical guidance on detecting infostealer-derived credential exposure and validating whether a login is already circulating
  • The source article's discussion of ULP lists, attacker access-broker behaviour, and how those records are used in reuse campaigns
  • Enzoic's recommended hygiene measures for users and organisations, including monitoring and endpoint-driven prevention

👉 Read Enzoic's retrospective on 2025 data breaches, credential dumps, and AI-driven attack scale →

Credential breaches at scale: what IAM teams need to fix now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Credential reuse remains the highest-probability failure mode in 2025. The retrospective shows that attackers still win by using credentials that were harvested elsewhere, not by inventing new access paths. That is why authentication hygiene, compromise monitoring, and account-level containment continue to matter more than speculative threat narratives. The practitioner conclusion is simple: if a credential can be replayed, it can be abused.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who is accountable when third-party access exposes customer data?

A: Accountability sits with the organisation that granted, governed, and failed to retire the access path, not only with the external provider. If a vendor relationship, SaaS integration, or customer-managed deployment can access sensitive data, it needs the same ownership, review, and offboarding discipline as internal identity.

👉 Read our full editorial: 2025 credential breaches show why basics still fail at scale



   
ReplyQuote
Share: