Strengthening Identity Security
Osterman’s 2025 Findings on Compromised Passwords
Cybercriminals haven’t given up on passwords; they’ve doubled down on them. Osterman Research’s new white paper, Strengthening Identity Security: Governance, Visibility and Autonomous Remediation (Aug 2025), confirms what security teams see every day: compromised credentials remain the most reliable path to account takeover (ATO), and too many organizations still can’t spot (let alone neutralize) those exposures fast enough.
Dark Web Threats Are Escalating for Identity Security
- Interest in stolen credentials is rising: 58.7% of organizations say adversaries have become more interested in stealing and abusing compromised credentials over the last year; another 12.7% say it hasn’t slowed down. In short: the external threat environment isn’t easing up. (See Figure 1, p.4.)
- Organizations are worried, and with good reason: 93.7% are concerned about ATO due to compromised credentials in the next two years. (Figure 1, p.4.)
- The volume of exposed secrets is staggering: a mega breach uncovered in early 2025 contained 16 billion stolen credentials; another dataset from 2024 logged 11.8 billion newly breached identity records, including billions of emails and passwords. (pp.3, 19.)
- Exposure is widespread: 1 in 10 Fortune 500 employees had credentials exposed over the last three years. (p.3.)
- Infostealers keep feeding the fire: infostealer activity has spiked, siphoning cloud account credentials at scale. (p.3.)
The Identity Security Visibility Gap: Passwords Are Being Sold, But Teams Don’t See It Fast Enough
Inside most organizations, visibility simply isn’t where it needs to be:
- More than half (56.3%) say they cannot immediately detect when employees’ credentials show up on dark web forums, stretching the window of opportunity for attackers. (Figure 1, p.4.)
- Looking at active identity threats, like compromised employee credentials for sale on the dark web, only 19% of organizations have complete visibility. (Figure 3, p.6.)
That’s a dangerous combination: more credentials available to attackers, and too little visibility to catch them in time. As the chart on page 6 illustrates, this visibility gap extends to other active threats as well, which makes early detection and rapid response even more critical.
Underused Identity Security Tools: Dark Web Monitoring Adoption Lags
Despite the risk, only 35.7% of organizations currently use technology to detect compromised credentials on dark web forums. (Figure 12, p.14.) The good news: among those not using it, dark web monitoring ranks among the top capabilities slated for deployment in the next 0–3 months. (Figure 15, p.18.)
Osterman also found a maturity reality check: while 60% of teams claim high maturity in dark web detection, only 22% show evidence to back it up when you correlate claims with actual outcomes like visibility and time-to-detect. (p.16.) Translation: this is an area where intent and impact often diverge, and where tightening the feedback loop matters. It’s important not to rely solely on publicly available breached data, but to continuously monitor for the newest breached data in the depths of the deep and dark web where high-value compromised logins are exposed and traded.
Detection Isn’t Enough: The Clock Starts When The Password Leaks
Three more findings underscore why speed and automation matter:
- Confidence outpaces capability: 76.2% report high confidence today in detecting attempts to use valid but compromised credentials. But as the report notes, the real test is how quickly leaked passwords are identified and neutralized. (Figure 16 and commentary, p.19.)
- Manual response can’t keep up: the top barriers to stopping identity threats are a lack of automated remediation, followed by manual processes (long investigations). Budget comes third. (Figure 6, p.9.)
- Lateral risk grows while you wait: once a credential is abused, attackers move laterally and escalate privileges. The report shows many teams believe better tooling will raise their real‑time confidence, but only if detection is paired with action. (Figure 17, p.20.)
What “Good” Looks Like: Dark Web Monitoring Plus Autonomous Remediation
Drawing from the report’s roadmap and our experience working with customers, here’s a pragmatic blueprint:
- Continuous dark web coverage. Ingest breach dumps, infostealer logs, paste sites, and closed forums at high frequency. Relying on internal signals alone leaves blind spots; in Osterman’s data, only 5.6% keep it internal‑only, while 30.2% use external breach intel, correlation to users, and automated policy enforcement. (Figure 20, p.23.)
- Precise correlation to your identities. Tie exposures to corporate email domains, passwords in your environment, and other relevant data points such as compromised payment card numbers. The goal is not just to collect leaks but to identify who is at risk. (pp.3, 6, 23.)
- Autonomous remediation. When a match hits, immediately expire the risky password, and restrict access until the user resets to a safe credential, all without waiting for a ticket to be worked. (pp.3–4, 9, 19.)
- Measure what matters. Track time‑to‑detect and time‑to‑neutralize for compromised passwords. Shortening those two intervals is the surest way to reduce your ATO blast radius. (p.19.)
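The correlate, remediate, and measure steps of this blueprint, as an added Python sketch that is not Enzoic's code or API and does not come from the Osterman report. The domain, directory, exposure feed, and timestamps are constructed, and it assumes time-to-detect runs from the feed's first sighting to detection and time-to-neutralize from detection to confirmed password expiry.

```python
import hashlib
import hmac
from datetime import datetime

CORP_DOMAINS = {"example.com"}  # assumption: the organization's email domains

def pw_hash(password, salt):
    # Stand-in for however the directory stores password verifiers.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed directory: email -> (salt, stored verifier)
DIRECTORY = {
    "alice@example.com": (b"salt-a", pw_hash("Summer2025!", b"salt-a")),
    "bob@example.com": (b"salt-b", pw_hash("correct horse battery", b"salt-b")),
}
# Constructed exposure feed: (email, leaked password, first seen by the feed)
FEED = [
    ("Alice@Example.com", "Summer2025!", datetime(2025, 8, 1, 9, 0)),
    ("bob@example.com", "OldPassw0rd", datetime(2025, 8, 1, 9, 30)),
    ("carol@other.org", "hunter2", datetime(2025, 8, 1, 10, 0)),
]

def correlate(feed, directory, detected_at):
    """Tie each exposure to a corporate identity and choose a response."""
    findings = []
    for email, leaked, first_seen in feed:
        email = email.strip().lower()
        if email.rpartition("@")[2] not in CORP_DOMAINS or email not in directory:
            continue  # exposure does not belong to one of our identities
        salt, stored = directory[email]
        live = hmac.compare_digest(pw_hash(leaked, salt), stored)
        findings.append({
            "user": email,
            "live": live,
            # Live password: expire it and restrict access until reset.
            # Stale password: record the exposure, nothing to expire.
            "actions": ["expire_password", "restrict_access"] if live
                       else ["log_exposure"],
            "time_to_detect": detected_at - first_seen,
        })
    return findings

def neutralize_times(findings, detected_at, expired_at):
    """Time-to-neutralize per live finding; expired_at maps user -> timestamp."""
    return {f["user"]: expired_at[f["user"]] - detected_at
            for f in findings if f["live"]}

DETECTED_AT = datetime(2025, 8, 1, 11, 0)
FINDINGS = correlate(FEED, DIRECTORY, DETECTED_AT)
# Constructed: when the identity provider confirmed the forced expiry.
TTN = neutralize_times(FINDINGS, DETECTED_AT,
                       {"alice@example.com": datetime(2025, 8, 1, 11, 0, 20)})
```

Only the exposure whose password still verifies against the stored hash triggers expiry and access restriction; the stale leak is logged, and the record for an outside domain is dropped.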
Executive Momentum For Dark Web Monitoring
If you’re seeking internal alignment, the timing is favorable. Three out of four organizations are prioritizing identity‑security investments in the next 12 months, and executive urgency is surging: the proportion selecting the highest importance rating more than doubles from 27.8% to 65.9% over two years. (Figures 14 & 21, pp.17, 24.) For context, this research surveyed 126 U.S. organizations with 500+ employees across industries in June 2025. (p.27.)
Enzoic’s Identity Security Approach
At Enzoic, we agree with Osterman’s conclusion: identity protection requires continuous visibility and autonomous remediation, especially for compromised passwords. That’s why Enzoic delivers real‑time dark web monitoring for credentials, high‑fidelity matching to your users, and automated workflows that neutralize leaked passwords the moment they’re discovered—turning hours and days of exposure into seconds and minutes. (See sponsor summary, p.26.)
Bottom line: Passwords aren’t going away tomorrow, but the risk from compromised passwords can be dramatically reduced today. If you can see exposures quickly and act automatically, you shrink the attacker’s window and cut off the most reliable route to ATO. That’s the core message from Osterman’s 2025 research, and it’s the approach we build for our customers every day.
→ Join us for our September 18 webinar, Strengthening Identity Security: Governance, Visibility & Autonomous Remediation, featuring Osterman Research, to explore the findings in depth and discover practical steps to improve your identity security posture.