Cracked Wide Open

Over the past decade, the number of data breaches in almost every industry has accelerated. Healthcare, finance, retail, SaaS, government and education all have one thing in common: attackers are still getting in through user logins. In Verizon’s 2025 Data Breach Investigations Report (DBIR), the use of compromised credentials was an initial access vector in 22 percent of the breaches they analyzed, making credential abuse the single most common way attackers start a breach. 

The picture is even more stark for web apps. In the same 2025 DBIR data, 88 percent of basic web application attacks involved stolen credentials. For any organization that exposes portals, VPNs or SaaS logins to the internet, compromised credentials are the normal starting point for modern attacks.

The financial impact has kept pace. IBM’s Cost of a Data Breach Report 2025 found that the global average cost of a breach is 4.44 million dollars, which is a serious hit for most organizations. When compromised credentials are the initial attack vector, those incidents are even more expensive, averaging 4.67 million dollars per breach and taking about 246 days on average to identify and contain. That is roughly eight months where an attacker may be quietly exploring your environment with apparently legitimate access.

For Active Directory and hybrid identity environments, this is especially concerning. Once an attacker has a valid username and password for VPN, SSO or a privileged AD account, they can often bypass many perimeter controls and start moving laterally, harvesting more credentials as they go.

Communicating Clearly About Compromised Credentials

To tackle the compromised credentials problem effectively, technical and nontechnical stakeholders need a shared language. The Open Web Application Security Project (OWASP) created the Automated Threats to Web Applications project and handbook to describe the most common automated attacks and the defenses that work against them. 

Within that framework, OWASP defines credential cracking as brute force, dictionary and guessing attacks against authentication processes that try different username and password values in order to identify valid accounts. In practice, this umbrella includes:

  • Classic brute force and dictionary attacks
  • Password spraying with a small set of common passwords across many accounts
  • Reverse brute force attacks that take one password and test it against many usernames
  • Username discovery and enumeration techniques that help attackers build better target lists

All of these techniques involve automated interaction with a login endpoint. The attacker never has to exploit a software vulnerability; they simply keep asking the identity system, again and again, which combinations will work.

OWASP also highlights credential stuffing as a separate but closely related threat. Credential stuffing is the automated injection of stolen username and password pairs into login forms to gain unauthorized access to user accounts. Instead of guessing passwords, the attacker replays credentials that were already exposed in earlier breaches or stolen by malware.

Verizon’s 2025 DBIR analysis of credential abuse shows why this distinction matters. Their additional research on credential stuffing found that compromised credentials were the initial access vector in 22 percent of breaches and that, for some organizations, up to 44 percent of all authentication attempts on a given day were part of active credential stuffing attacks. The volume alone makes it clear that compromised credentials are a systemic issue, not a rare edge case.
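As an added illustration of the OWASP categories listed above (example code written for this page, not code from the original article or from OWASP), the following Python labels each source IP in a batch of authentication events as brute force, password spraying or username enumeration, and then reports what share of all attempts came from flagged sources, the kind of per-day figure the DBIR credential-stuffing research quotes. The log lines, result codes and thresholds are constructed assumptions, not a real log format.

```python
from collections import defaultdict

# Constructed sample auth events (hypothetical, not from any real system):
# "timestamp source_ip username result", result in {OK, FAIL, UNKNOWN_USER}.
LOG_LINES = (
    [f"2025-01-10T09:00:{i:02d} 203.0.113.5 alice FAIL" for i in range(6)]
    + [f"2025-01-10T09:01:0{i} 198.51.100.7 {u} FAIL"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    + [f"2025-01-10T09:02:0{i} 192.0.2.9 ghost{i} UNKNOWN_USER" for i in range(4)]
    + ["2025-01-10T09:02:04 192.0.2.9 bob FAIL",
       "2025-01-10T09:03:00 10.0.0.4 alice OK",
       "2025-01-10T09:03:01 10.0.0.4 bob FAIL",
       "2025-01-10T09:03:02 10.0.0.4 bob OK"]
)

def parse(lines):
    """Split each log line into (timestamp, ip, user, result)."""
    return [tuple(line.split()) for line in lines]

def classify_sources(events, spray_min_users=5, brute_min_fails=5, enum_ratio=0.5):
    """Label each source IP by the failure pattern it produces.
    brute_force:          one account, many failures (dictionary / brute force)
    password_spraying:    many accounts, at most ~2 failures per account
    username_enumeration: most failures name accounts that do not exist
    Thresholds are illustrative; tune them to your own baseline.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "unknown": 0})
    for _ts, ip, user, result in events:
        if result in ("FAIL", "UNKNOWN_USER"):
            src = per_ip[ip]
            src["users"].add(user)
            src["fails"] += 1
            src["unknown"] += result == "UNKNOWN_USER"  # bool adds as 0/1
    verdicts = {}
    for ip, src in per_ip.items():  # only IPs with at least one failure
        n_users, fails = len(src["users"]), src["fails"]
        if src["unknown"] / fails >= enum_ratio:
            verdicts[ip] = "username_enumeration"
        elif n_users >= spray_min_users and fails / n_users <= 2:
            verdicts[ip] = "password_spraying"
        elif n_users == 1 and fails >= brute_min_fails:
            verdicts[ip] = "brute_force"
    return verdicts

def automated_share(events, verdicts):
    """Fraction of all authentication attempts that came from flagged sources."""
    flagged = sum(1 for _ts, ip, _u, _r in events if ip in verdicts)
    return flagged / len(events)
```

Running `classify_sources(parse(LOG_LINES))` on the constructed sample flags three of the four sources; the benign workstation 10.0.0.4, with a single failure followed by success, is left alone.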

How Attackers Turn Compromised Credentials Into Breaches

Once attackers have valid login details, the hard part is usually over. Compromised credentials let them:

  • Sign into remote access systems such as VPNs, SSO portals and email
  • Masquerade as employees or service accounts
  • Move laterally inside the network to reach more valuable targets
  • Pull data from databases, file shares or SaaS platforms
  • Deploy ransomware or other malware using legitimate tools

Because the attacker is using real accounts, the activity often blends in with normal user behavior. IBM’s 2025 analysis shows that breaches where compromised credentials are the entry point take longer than average to detect and contain, which directly drives up costs. 

The supply of compromised credentials keeps growing. Infostealer malware has become a major pipeline for fresh credentials, quietly harvesting browser and application logins from infected devices. Verizon’s 2025 DBIR found that 30 percent of systems seen in infostealer logs were enterprise-licensed devices and that nearly half of the devices with corporate logins were unmanaged, mixing personal and business credentials on the same machine.

Even more troubling, when Verizon looked at users with infostealer infections, the median user had only 49 percent unique passwords across services, which means many of their logins were reused across multiple sites. In other words, one successful compromise can unlock a long list of unrelated applications and services.

Those credentials do not just get used once. They feed a criminal ecosystem where access brokers, bot operators and fraud actors:

  • Combine breach dumps into huge “combo lists”
  • Test those lists against banking, retail, enterprise and government portals
  • Sell “fresh” and “verified” logins at a premium once they have been validated

For identity teams trying to protect Active Directory and cloud directories, this creates a dangerous asymmetry. Attackers can cheaply test millions of passwords that were already proven to work somewhere else, while defenders must assume that any given user may already be exposed.

Compromised credentials will continue to be a favorite tool of attackers, but they do not have to be an inevitability for your organization. With the right controls in place around Active Directory and your broader identity stack, you can dramatically reduce the chances that a leaked or guessed password becomes the start of your next breach.