TL;DR: Verizon’s 2023 DBIR analysis of 953,894 incidents found that stolen credentials remain the top breach entry method, accounting for 44.7% of breaches, while the human element appears in 74% of incidents. The real lesson is that identity programmes still over-rely on credential possession instead of stronger verification and access assurance.
NHIMG editorial — based on content published by 1Kosmos: analysis of Verizon DBIR breach patterns and credential risk
By the numbers:
- 74% of all breaches include the human element, with people involved via error, privilege misuse, stolen credentials, or social engineering.
- Stolen credentials account for 44.7% of breaches.
- Stolen credentials play a role in 86% of web application breaches.
Questions worth separating out
Q: How should security teams reduce breaches caused by stolen credentials?
A: They should make credential possession less decisive by adding stronger identity proofing, phishing-resistant authentication, tighter recovery controls, and narrower privilege scope.
Q: Why do stolen credentials remain such an effective attack path?
A: Stolen credentials work because many systems still treat a successful login as enough evidence of legitimacy.
Q: What do organisations get wrong about passwordless authentication?
A: They often assume removing passwords removes the identity problem.
Practitioner guidance
- Separate assurance from possession in login design Require higher proofing for sensitive access paths, especially where a credential alone can unlock high-value systems.
- Harden recovery and reset workflows Review password reset, account recovery, and help desk override processes for social engineering exposure.
- Map the full human identity journey Assess enrolment, authentication, step-up checks, privilege approval, and offboarding as one continuous control chain.
What's in the full article
1Kosmos's full blog covers the operational detail this post intentionally leaves for the source:
- Identity verification flow details for replacing credentials with verified identity across operating systems.
- The ID+Selfie enrolment and access-request model used to bind authentication to a verified person.
- Operational distinctions between passwordless authentication and identity verification in real deployments.
- Vendor-specific implementation claims about IAL2 and AAL2 certification scope.
👉 Read 1Kosmos's analysis of Verizon DBIR breach patterns and credential risk →
Stolen credentials and breach patterns: what IAM teams need to change?
Explore further
Credential possession is not identity assurance: The article reinforces a basic governance failure in many IAM programmes, which is that a successful login is still treated as proof of the right actor. That assumption was designed for a world where credentials were hard to copy and easier to contain. It fails when attackers can steal, reuse, or socially engineer those credentials at scale. The implication is that access governance must treat possession and assurance as separate problems.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when social engineering leads to credential compromise?
A: Accountability sits with the identity programme, the help desk, and the business process owners who define recovery and approval paths. Social engineering succeeds when identity controls are too easy to override, so governance has to cover the workflow, not just the authentication toolset.
👉 Read our full editorial: Credentials still drive most breaches, but verification is the real gap