The Rising Role of Stolen Credentials in Cybercrime: 3 Insights from the 2025 Verizon DBIR 

The 2025 Verizon Data Breach Investigations Report (DBIR), based on 22,052 incidents and 12,195 confirmed breaches from 139 countries, provides a detailed account of how threat actors are gaining and maintaining access to systems. Identity-based attack vectors—particularly the use of stolen credentials—remain dominant across environments and sectors.

We are proud to be a contributor to the Verizon DBIR, and helped provide insights into the role of stolen credentials in attacks.

  1. Stolen Credentials Reign as Defining Method in Attacks

Credentials were involved in 88% of basic web application attack breaches, making them not only the most common initial attack vector but also, frequently, the only one. 

These credentials are often acquired through:

  • Infostealers – malware designed to scrape saved passwords, cookies, and crypto wallets.
  • Brute force attacks – relentlessly guessing credentials until one breaks.
  • Backdoors and C2s – persistent access after initial compromise.

These tactics reflect a growing criminal ecosystem where credentials are valuable. Entire marketplaces have emerged for buying and selling stolen data, including:

  2. Infostealer Malware Impacts Corporate Assets

Infostealer malware harvests more than the login credentials typed on a victim's device: it also exfiltrates stored passwords and browser cookies. From the analysis of over 33,000 infostealer logs, researchers found that many of the captured credentials unlock far more than personal email or streaming services. Threat actors are also obtaining access to:

  • VPNs
  • Cloud admin consoles
  • Internal GitHub repos
  • Developer tools

Out of the analyzed stealer logs, 30% of the systems were enterprise-licensed, meaning that they were corporate devices. In addition, an estimated 46% of compromised devices with potential corporate credentials were non-managed—suggesting inadequate BYOD controls or shadow IT usage. 

Stronger BYOD controls would help organizations protect against stealer log access to corporate login data on personal devices. 

To learn more about the role of stealer logs in cybercrime concerning corporate devices, read Stealer Logs, Single Sign On, and the New Era of Corporate Cybercrime.

  3. Infostealer Malware & Ransomware are Correlated

Stolen credentials are also finding their way into ransomware operations. The DBIR reveals that:

  • 54% of ransomware victims had their credentials found in infostealer logs
  • 40% of those logs included corporate emails

In addition, the median time between ransomware victim disclosure and detection of related stolen credentials is two days, which strongly indicates that ransomware operators leverage infostealer malware.

This is some of the clearest research yet that has tied exposed credentials to ransomware attacks.

Simplified Attacks, Complex Impacts

This year’s DBIR is a continued reminder that complex breaches often begin with something simple—a reused password, a forgotten login, or a BYOD policy that’s more suggestion than standard. Espionage may be escalating, but the vector remains basic: stolen credentials.

Main Takeaways for Security Teams

  • Credential-based access is still the dominant entry point. Organizations should prioritize visibility into external credential exposure—especially from infostealer logs and third-party systems.
  • Non-managed devices represent a major identity risk surface. Identity data collected from unmanaged endpoints should be evaluated alongside endpoint telemetry.
  • Shadow SaaS/shadow IT and the credential reuse that accompanies it remain under-monitored. Reducing remediation time for identity exposures in shadow SaaS or unaccounted-for corporate SaaS should be a KPI.
  • Leaked secrets function as identity artifacts. Treat authentication tokens, API keys, and JWTs as high-value identity data requiring the same protection as passwords.
  • Behavioral and usage-based signals are not enough. External intelligence on leaked credentials complements internal monitoring by offering early detection signals that aren’t otherwise visible.

Download and read the full report: 2025 Data Breach Investigations Report to learn more about today’s threat landscape. 

Threat Exposure Management with Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.
