TL;DR: Data breaches now average 241 days to detect and contain, while 22% involve stolen credentials overall and 88% of basic web app attacks use them, according to IBM and Verizon. The data shows that access control, detection speed, and third-party governance remain the real control points, not just perimeter defense.
NHIMG editorial — based on content published by StrongDM: 35+ alarming data breach statistics for 2026
By the numbers:
- In 2025, the mean time to identify (MTTI) was 181 days, and the mean time to contain (MTTC) was 60 days, 241 days end-to-end.
- In 2025, 22% of breaches involved stolen credentials overall; within basic web application attacks, 88% used stolen credentials.
- Roughly 30% of all data breaches involve third-party vendors.
Questions worth separating out
Q: How should security teams reduce breach risk from stolen credentials?
A: Security teams should reduce credential lifetime, remove stale secrets from code and tooling, and make access revocation faster than attacker reuse.
Q: Why do third-party connections increase breach exposure?
A: Third-party connections increase exposure because they extend your trust boundary into another organisation's identity controls.
Q: What breaks when breach detection takes months?
A: When detection takes months, attackers have time to enumerate permissions, exfiltrate data quietly, and build persistence.
Practitioner guidance
- Reduce credential lifetime aggressively: shorten the usable life of passwords, tokens, API keys, and certificates so stolen secrets have less time to be replayed.
- Map third-party identity paths end to end: inventory every OAuth app, vendor account, service principal, and delegated integration that can reach sensitive systems.
- Instrument identity-specific detection: alert on unusual token use, impossible travel for human access, abnormal API call patterns, and access from unapproved locations or workloads.
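The first and third guidance points above are concrete enough to run as detection logic. The following is an added example written for this editorial; it is not code from StrongDM or from the cited reports. It assumes a hypothetical JSON-per-line access log with the fields named in the docstring, a credential-lifetime policy of 30 days, an airliner-speed ceiling for impossible travel, and a small allow-list of approved workloads; the log lines themselves are constructed, not real data.

```python
"""Identity-specific detection over constructed access log lines (added example).

Assumed log schema (hypothetical, one JSON object per line):
  ts           ISO-8601 event time
  principal    user or service identity name
  kind         "human" or "nhi" (non-human identity)
  lat, lon     geolocation of the source (present for human access)
  workload     source workload name (present for NHI access)
  cred_issued  ISO-8601 issue time of the credential that was presented
"""
import json
import math
from datetime import datetime, timedelta

MAX_SPEED_KMH = 900.0                               # above airliner speed: impossible travel
MAX_CRED_AGE = timedelta(days=30)                   # assumed credential-lifetime policy
APPROVED_WORKLOADS = {"ci-runner", "api-gateway"}   # assumed allow-list for NHI sources

# Constructed sample log, not real data. Alice logs in from London, then from
# New York 30 minutes later; svc-deploy presents a 90-day-old credential, then
# a fresh one from an unapproved workload; Bob is a clean baseline.
SAMPLE_LOG = [
    '{"ts": "2026-03-02T10:00:00+00:00", "principal": "alice", "kind": "human", '
    '"lat": 51.5, "lon": -0.12, "cred_issued": "2026-03-01T09:00:00+00:00"}',
    '{"ts": "2026-03-02T10:30:00+00:00", "principal": "alice", "kind": "human", '
    '"lat": 40.7, "lon": -74.0, "cred_issued": "2026-03-01T09:00:00+00:00"}',
    '{"ts": "2026-03-02T11:00:00+00:00", "principal": "svc-deploy", "kind": "nhi", '
    '"workload": "ci-runner", "cred_issued": "2025-12-01T00:00:00+00:00"}',
    '{"ts": "2026-03-02T11:05:00+00:00", "principal": "svc-deploy", "kind": "nhi", '
    '"workload": "dev-laptop", "cred_issued": "2026-03-02T08:00:00+00:00"}',
    '{"ts": "2026-03-02T12:00:00+00:00", "principal": "bob", "kind": "human", '
    '"lat": 48.85, "lon": 2.35, "cred_issued": "2026-02-20T00:00:00+00:00"}',
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(lines):
    """Return a list of alerts, each {"rule", "principal", "detail"}."""
    alerts = []
    last_human_seen = {}  # principal -> (ts, lat, lon) of the previous human access
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        who = ev["principal"]

        # Rule 1: credential older than policy allows (humans and NHIs alike).
        age = ts - datetime.fromisoformat(ev["cred_issued"])
        if age > MAX_CRED_AGE:
            alerts.append({"rule": "stale_credential", "principal": who,
                           "detail": f"credential age {age.days}d exceeds {MAX_CRED_AGE.days}d"})

        if ev["kind"] == "human":
            # Rule 2: impossible travel between consecutive human accesses.
            prev = last_human_seen.get(who)
            if prev is not None:
                prev_ts, plat, plon = prev
                km = haversine_km(plat, plon, ev["lat"], ev["lon"])
                # Floor at one second so two events with equal timestamps do not divide by zero.
                hours = max((ts - prev_ts).total_seconds() / 3600.0, 1.0 / 3600.0)
                if km / hours > MAX_SPEED_KMH:
                    alerts.append({"rule": "impossible_travel", "principal": who,
                                   "detail": f"{km:.0f} km in {hours * 60:.0f} min"})
            last_human_seen[who] = (ts, ev["lat"], ev["lon"])
        else:
            # Rule 3: NHI access from a workload outside the allow-list.
            wl = ev.get("workload")
            if wl not in APPROVED_WORKLOADS:
                alerts.append({"rule": "unapproved_workload", "principal": who,
                               "detail": f"source workload {wl!r} not approved"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['rule']:20} {alert['principal']:12} {alert['detail']}")
```

On the sample log this raises exactly three alerts: impossible travel for alice (roughly 5,570 km in 30 minutes), a stale credential for svc-deploy, and an unapproved workload for svc-deploy; bob raises none. The stale-credential rule is the detection side of the "reduce credential lifetime" guidance: if the policy is enforced at issuance, the rule should never fire, and when it does it points at a secret that escaped rotation.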
What's in the full article
StrongDM's full blog post covers the source data and commentary this post intentionally leaves at the summary level:
- The full statistical list with cited source notes for each breach metric and trend
- Industry-by-industry examples showing where breach frequency and cost concentrate
- The article's broader access-control framing, including StrongDM's product context
- Reference links for IBM, Verizon, ITRC, and other cited research sources
👉 Read StrongDM's data breach statistics roundup for 2026 →
Data breach statistics in 2026: where IAM controls still break?
Explore further
Credential trust debt is the hidden cost behind breach statistics: once an organisation allows credentials to stand in for trust, every exposed password, token, or key becomes a reusable breach primitive. The article's numbers reinforce that stolen credentials remain dominant because identity systems still grant access after a secret has already escaped. The implication is that breach reduction now depends on reducing the lifetime and portability of credentials, not only on protecting the perimeter.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when a breach comes through a vendor identity?
A: Accountability remains with the organisation that granted and retained the access, even if the attacker entered through a supplier. External identities need the same lifecycle ownership as internal ones, including business ownership, review cadence, and offboarding. If no one can prove who approved the access and who would remove it, the governance model is already failing.
👉 Read our full editorial: Data breach statistics show identity controls still fail at scale