Stolen credentials and breach patterns: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator

TL;DR: Verizon’s 2023 DBIR analysis of 953,894 incidents found that stolen credentials remain the top breach entry method, accounting for 44.7% of breaches, while the human element appears in 74% of breaches. The real lesson is that identity programmes still over-rely on possession of a credential as proof of who is logging in, instead of stronger identity verification and access assurance around it.

NHIMG editorial — based on content published by 1Kosmos: analysis of Verizon DBIR breach patterns and credential risk

By the numbers:

  • 953,894 incidents in the dataset the analysis draws on.
  • 44.7% of breaches began with stolen credentials, the top entry method.
  • 74% of breaches involved the human element.

Questions worth separating out

Q: How should security teams reduce breaches caused by stolen credentials?

A: They should make credential possession less decisive by adding stronger identity proofing, phishing-resistant authentication, tighter recovery controls, and narrower privilege scope.

Q: Why do stolen credentials remain such an effective attack path?

A: Stolen credentials work because many systems still treat a successful login as enough evidence of legitimacy: the verifier checks that the secret matches, not that the person presenting it is the person who enrolled it.

Q: What do organisations get wrong about passwordless authentication?

A: They often assume removing passwords removes the identity problem. It removes the shared secret, but access is still bound to whatever enrolled the device or passkey; if enrolment, device registration or recovery accept weak evidence, an attacker registers their own authenticator and takes over the account without ever needing a password.

Practitioner guidance

  • Separate assurance from possession in login design: require higher proofing for sensitive access paths, especially where a credential alone can unlock high-value systems.
  • Harden recovery and reset workflows: review password reset, account recovery, and help desk override processes for social engineering exposure.
  • Map the full human identity journey: assess enrolment, authentication, step-up checks, privilege approval, and offboarding as one continuous control chain.
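As an added example, not code from the NHIMG post or from 1Kosmos, the Python below turns the guidance above and the answer to "why do stolen credentials still work" into an access decision that does not treat a successful login as sufficient evidence. Everything in it is an assumption made for illustration: the factor names, the resource names and their policies, the recovery paths, the simplified mapping onto NIST SP 800-63B AAL tiers, and the sample sessions.

```python
"""Added example (not from the NHIMG post or 1Kosmos): an access policy that
refuses to treat 'logged in' as proof of legitimacy.

Assumptions, none of which come from the page: assurance levels are a
simplified reading of NIST SP 800-63B AAL tiers; factor names, resource
names, recovery paths and the sample sessions are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class AAL(IntEnum):
    NONE = 0
    AAL1 = 1  # single factor (password only)
    AAL2 = 2  # two factors (password + OTP, password + push)
    AAL3 = 3  # two factors including a hardware-bound, phishing-resistant one


# Constructed factor taxonomy. Only these count as phishing resistant: the
# verifier's origin is bound into the assertion, so a proxied login page
# cannot replay them the way it replays a password and an SMS code.
PHISHING_RESISTANT = frozenset({"fido2_hw", "piv_smartcard"})
KNOWN_FACTORS = PHISHING_RESISTANT | {"password", "sms_otp", "totp", "push"}

# Assurance ceiling imposed by the path that last (re)issued the credential.
# A help-desk override on a caller's say-so gives no more assurance than the
# phone call did, so sessions on that credential are capped at AAL1 until the
# person re-proofs their identity. (Design choice, not from the page.)
RECOVERY_CEILING = {
    "none": AAL.AAL3,              # credential never recovered
    "reproof_identity": AAL.AAL3,  # identity re-verified before re-issue
    "email_link_plus_otp": AAL.AAL2,
    "helpdesk_override": AAL.AAL1,
}


@dataclass(frozen=True)
class Session:
    user: str
    factors: frozenset       # factors actually presented at this login
    identity_proofed: bool   # enrolment bound to a verified person
    recovered_via: str = "none"  # last recovery path for the credential


@dataclass(frozen=True)
class Policy:
    min_level: AAL
    phishing_resistant: bool = False  # at least one PR factor required
    proofed_identity: bool = False    # enrolment must be identity-proofed


# Constructed resources, from low value to "a credential alone must not unlock this".
POLICIES = {
    "wiki": Policy(AAL.AAL1),
    "payroll": Policy(AAL.AAL2, proofed_identity=True),
    "prod_admin": Policy(AAL.AAL3, phishing_resistant=True, proofed_identity=True),
}


def assurance_level(session: Session) -> AAL:
    """Level earned by the presented factors, capped by how the credential was issued."""
    factors = session.factors & KNOWN_FACTORS
    if not factors:
        level = AAL.NONE
    elif len(factors) == 1:
        level = AAL.AAL1
    elif factors & PHISHING_RESISTANT:
        level = AAL.AAL3
    else:
        level = AAL.AAL2
    # Unknown recovery paths are treated as the weakest one.
    return min(level, RECOVERY_CEILING.get(session.recovered_via, AAL.AAL1))


def decide(session: Session, resource: str) -> tuple:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'.

    'step_up' means the credential is not enough evidence for this resource;
    'deny' means no extra authentication fixes the gap, because the enrolment
    itself was never bound to a verified person.
    """
    policy = POLICIES[resource]
    if policy.proofed_identity and not session.identity_proofed:
        return "deny", "enrolment not bound to a verified identity"
    level = assurance_level(session)
    if level < policy.min_level:
        return "step_up", f"{level.name} < required {policy.min_level.name}"
    if policy.phishing_resistant and not (session.factors & PHISHING_RESISTANT):
        return "step_up", "phishing-resistant factor required"
    return "allow", "assurance meets policy"


# Constructed scenarios: the same stolen password, different evidence around it.
CREDS_ONLY = Session("alice", frozenset({"password"}), identity_proofed=True)
PHISHED_OTP = Session("alice", frozenset({"password", "sms_otp"}), identity_proofed=True)
HELPDESK_RESET = Session("alice", frozenset({"password", "totp"}), identity_proofed=True,
                         recovered_via="helpdesk_override")
GENUINE_ADMIN = Session("alice", frozenset({"password", "fido2_hw"}), identity_proofed=True)
UNPROOFED = Session("bob", frozenset({"password", "fido2_hw"}), identity_proofed=False)

if __name__ == "__main__":
    scenarios = [("creds only", CREDS_ONLY), ("phished otp", PHISHED_OTP),
                 ("helpdesk reset", HELPDESK_RESET), ("genuine admin", GENUINE_ADMIN),
                 ("unproofed", UNPROOFED)]
    for name, s in scenarios:
        for resource in POLICIES:
            print(f"{name:15} {resource:10} {assurance_level(s).name:5} -> {decide(s, resource)}")
```

Run it directly to print the decision matrix. Two things in it are worth keeping when building the real policy: a phished password plus SMS code legitimately reaches AAL2, which is why the high-value resource demands a phishing-resistant factor rather than "two factors"; and a credential re-issued through a help-desk override is treated as no stronger than that phone call until the person re-proofs, which is the control the reset-workflow review above is looking for.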

What's in the full article

1Kosmos's full blog covers the operational detail this post intentionally leaves for the source:

  • Identity verification flow details for replacing credentials with verified identity across operating systems.
  • The ID+Selfie enrolment and access-request model used to bind authentication to a verified person.
  • Operational distinctions between passwordless authentication and identity verification in real deployments.
  • Vendor-specific implementation claims about IAL2 and AAL2 certification scope.

👉 Read 1Kosmos's analysis of Verizon DBIR breach patterns and credential risk →
