TL;DR: Credential abuse accounted for 22% of breaches in the 2025 Verizon DBIR, while GitGuardian found 28.65 million new hardcoded secrets in public GitHub commits in 2025 and 64% of exposed secrets from 2022 were still valid in 2026. The evidence shows static credentials remain the centre of breach exposure, not a solved control problem.
NHIMG editorial — based on content published by Aembit: credential abuse, secrets sprawl and what security teams should do now
By the numbers:
- Credential abuse accounted for 22% of all breaches as an initial access vector, the single most common entry point.
- 64% of valid secrets exposed in 2022 were still active in 2026.
Questions worth separating out
Q: What breaks when stolen credentials are the main entry point for breaches?
A: When stolen credentials become the primary entry point, traditional perimeter and exploit-focused controls lose much of their value because the attacker is already authenticated.
Q: Why do service accounts and API keys make breach containment harder?
A: Service accounts and API keys often lack the human controls that limit abuse, such as MFA prompts, clear ownership and natural offboarding events.
Q: How do security teams know whether secret rotation is actually working?
A: Rotation is working only if exposed credentials are found quickly, revoked everywhere they are used and replaced before attackers can reuse them.
Practitioner guidance
- Prioritise revocation for known exposed secrets: build an incident workflow that revokes a leaked credential as soon as it is discovered, then replaces every dependent secret or token in downstream systems before the next scheduled rotation.
- Move critical service connections to workload identity: start with production databases, financial APIs and customer data services, then replace stored static secrets with runtime-issued credentials that expire automatically after use.
- Correlate login anomalies with secret exposure signals: join infostealer intelligence, SaaS authentication logs and CI/CD secret scanning so the team can spot whether a valid credential is being used outside its expected workload or user context.
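As an added illustration of the correlation step above (example code written for this post, not part of Aembit's or NHIMG's material), the Python sketch below joins a list of credentials flagged by secret scanning with authentication log lines and flags every successful login that either uses a known-exposed credential or comes from outside the credential's registered workload and network context. All credential ids, workload names, addresses and log lines are constructed samples; the expected-context registry is an assumed data source the team would have to maintain.

```python
import ipaddress
import json

# Constructed registry (assumed data source): which workload may use each
# credential, and from which network. Nothing here is a real credential or host.
EXPECTED_CONTEXT = {
    "svc-billing-api-key": {"workload": "billing-worker", "cidr": "10.20.0.0/16"},
    "svc-report-db-token": {"workload": "report-batch", "cidr": "10.30.0.0/16"},
}

# Constructed list of credential ids reported by CI/CD secret scanning or
# infostealer intelligence as exposed and not yet revoked.
EXPOSED_CREDENTIALS = {"svc-report-db-token"}

# Constructed SaaS/API authentication events, one JSON object per line.
AUTH_LOG = """\
{"ts":"2026-03-01T08:00:01Z","cred":"svc-billing-api-key","workload":"billing-worker","src":"10.20.4.7","result":"success"}
{"ts":"2026-03-01T08:00:09Z","cred":"svc-billing-api-key","workload":"billing-worker","src":"198.51.100.23","result":"success"}
{"ts":"2026-03-01T08:01:30Z","cred":"svc-report-db-token","workload":"report-batch","src":"10.30.1.2","result":"success"}
{"ts":"2026-03-01T08:02:45Z","cred":"svc-report-db-token","workload":"laptop-unknown","src":"203.0.113.9","result":"success"}
{"ts":"2026-03-01T08:03:00Z","cred":"svc-unknown-key","workload":"ci-runner","src":"10.40.0.5","result":"failure"}
"""


def correlate(log_text, expected=EXPECTED_CONTEXT, exposed=EXPOSED_CREDENTIALS):
    """Return one alert per successful login that is out of context or uses an exposed credential."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["result"] != "success":
            continue  # this check is about misuse of *valid* credentials
        reasons = []
        ctx = expected.get(ev["cred"])
        if ctx is None:
            reasons.append("no registered owner or expected context")
        else:
            if ev["workload"] != ctx["workload"]:
                reasons.append(f"workload {ev['workload']} != expected {ctx['workload']}")
            if ipaddress.ip_address(ev["src"]) not in ipaddress.ip_network(ctx["cidr"]):
                reasons.append(f"source {ev['src']} outside {ctx['cidr']}")
        if ev["cred"] in exposed:
            reasons.append("credential is on the exposed list; revoke and rotate")
        if reasons:
            alerts.append({"ts": ev["ts"], "cred": ev["cred"], "reasons": reasons})
    return alerts
```

On the sample log this yields three alerts: an in-context use of the exposed token (proof it is still valid, as the 64% figure above warns), the billing key used from an unexpected network, and the exposed token used from an unknown workload and address.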
What's in the full article
Aembit's full article covers the operational detail this post intentionally leaves for the source:
- The DBIR breakdown of breach vectors by category, including credential abuse, phishing and vulnerability exploitation.
- The IBM breach cost and breach lifecycle figures that quantify the business impact of credential-driven incidents.
- The practical comparison between secrets management, MFA and workload IAM for machine-to-machine access.
- The operational recommendations for moving from static credentials to policy-scoped runtime access.
Explore further
Credential abuse is now the baseline breach condition, not an edge case. Verizon’s 2025 data shows credential abuse as the leading initial access vector for the second consecutive year, which means identity compromise is no longer a secondary step after exploitation. Security teams should read that as a governance signal: if credentials are the primary entry point, then the identity layer is where most breach prevention work now lives. The practitioner conclusion is that access design, not just detection, has to be treated as a first-order control domain.
A few things that frame the scale:
- 64% of valid secrets exposed in 2022 were still active in 2026, according to the State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year over year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
A question worth separating out:
Q: What should teams do when a credential leak is discovered in a third-party system?
A: Treat it as a live identity event, not a notification. Revoke the credential, confirm which workloads or accounts depended on it, and review whether the partner environment exposed other credentials with the same privileges. Third-party leaks often become internal breaches because the same identity reaches both environments.