Credential theft is now the main way that attackers get into business networks, and attackers are using stolen credentials faster, on a larger scale, and in more sophisticated ways than defenders can keep up with.
Recorded Future's new look at 2025 threat data shows that the number of stolen credentials for sale on underground markets rose sharply last year. This suggests that attacks on usernames, passwords, authentication tokens, and other sensitive login information are becoming more common. In 2025, Recorded Future indexed almost two billion credentials from malware combo lists, which are lists of stolen usernames and passwords from different breaches.
The threat intelligence company found that there were 50% more compromised credentials in the second half of 2025 than in the first half, and about 90% more in the fourth quarter than in the first quarter. Alexander Leslie, a senior advisor at Recorded Future, says that the rise in credential theft, especially in the fourth quarter, was driven by the industrialization of infostealer malware, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering.
"Businesses need to move away from perimeter and MFA-based defenses and toward continuous identity monitoring and response." Recorded Future's findings back up what many others have reported recently: attackers are moving away from traditional vulnerability exploits and toward credential-based access, where they use valid usernames, passwords, and session tokens to get into systems without setting off alarms.
Google's Threat Intelligence group reported this week that last year, 21% of the ransomware attacks in which it could determine how the attackers first got in involved threat actors using stolen credentials. Google said that in many of those incidents, the credentials let the attacker log in to a victim's VPN or remote desktop protocol (RDP) service.
Verizon likewise found that attackers used stolen or compromised credentials in 22% of the incidents it investigated last year, making it one of the most common initial access methods. Leslie suggests that companies use device- and behavior-based conditional access policies to stop MFA-bypass techniques such as session hijacking, adversary-in-the-middle phishing, and valid account abuse.
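As an added example (not code from Recorded Future, Google, Verizon, or any product they sell), the following Python shows what a device- and behavior-based conditional access check looks like on the server side. It runs a few constructed sign-in events through three signals (an unenrolled device, impossible travel, and the same session token presented from a different device or IP) and maps the signals to an allow / step-up / block decision. Every event, IP address, device identifier, coordinate, threshold and signal name below is a constructed assumption.

```python
"""
Behavior- and device-based sign-in evaluation over constructed sign-in events.
Added example; not vendor code. All data and thresholds are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    device_id: str   # device/browser fingerprint presented with the request
    session_id: str  # opaque identifier of the session token, never the token itself
    lat: float
    lon: float
    mfa_passed: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(event: SignIn, history: list[SignIn],
             known_devices: dict[str, set[str]],
             max_speed_kmh: float = 900.0) -> list[str]:
    """Return the risk signals raised by `event` given all earlier events.
    Signal names and the 900 km/h travel limit are assumptions."""
    signals: list[str] = []
    # Signal 1: device fingerprint not enrolled for this user (valid-account abuse
    # from an attacker's own machine shows up here).
    if event.device_id not in known_devices.get(event.user, set()):
        signals.append("new-device")
    # Signal 2: impossible travel relative to the user's most recent sign-in.
    prior = [e for e in history if e.user == event.user and e.ts < event.ts]
    if prior:
        last = max(prior, key=lambda e: e.ts)
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = (event.ts - last.ts).total_seconds() / 3600
        if hours > 0 and km / hours > max_speed_kmh:
            signals.append("impossible-travel")
    # Signal 3: a session token already seen from a different device or IP.
    # This is what a stolen cookie or an AitM-relayed session looks like
    # server-side, and it fires even though MFA was completed for that session.
    for e in history:
        if e.session_id == event.session_id and (
            e.device_id != event.device_id or e.ip != event.ip
        ):
            signals.append("session-reuse")
            break
    if not event.mfa_passed:
        signals.append("mfa-not-completed")
    return signals


def decide(signals: list[str]) -> str:
    """Map signals to a conditional-access decision (the policy is an assumption)."""
    if any(s in signals for s in ("session-reuse", "impossible-travel", "mfa-not-completed")):
        return "block"    # revoke the session; require fresh, phishing-resistant auth
    if "new-device" in signals:
        return "step-up"  # re-prompt MFA and register the device before continuing
    return "allow"


def run_example() -> dict[str, str]:
    """Replay constructed sign-ins in time order and return the decision per event."""
    base = datetime(2025, 11, 3, 9, 0)
    BOS = (42.36, -71.06)  # constructed "home" location
    FRA = (50.11, 8.68)    # constructed far-away location
    events = [
        SignIn("alice", base, "203.0.113.10", "dev-laptop-1", "sess-a1", *BOS, True),
        SignIn("alice", base + timedelta(minutes=20), "203.0.113.10", "dev-laptop-1", "sess-a1", *BOS, True),
        # alice's session token replayed from an unknown device, 10 minutes later, far away
        SignIn("alice", base + timedelta(minutes=30), "198.51.100.77", "dev-unknown-7", "sess-a1", *FRA, True),
        SignIn("bob", base + timedelta(hours=1), "203.0.113.25", "dev-phone-2", "sess-b1", *BOS, True),
        # bob signs in from a device he has not enrolled yet, same city, fresh session
        SignIn("bob", base + timedelta(hours=1, minutes=5), "192.0.2.40", "dev-new-3", "sess-b2", *BOS, True),
    ]
    known = {"alice": {"dev-laptop-1"}, "bob": {"dev-phone-2"}}
    history: list[SignIn] = []
    decisions: dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        decisions[f"{ev.user}@{ev.ts:%H:%M}"] = decide(evaluate(ev, history, known))
        history.append(ev)
    return decisions


if __name__ == "__main__":
    for key, verdict in run_example().items():
        print(key, verdict)
```

The third signal is the one that addresses the MFA-bypass techniques Leslie names: a hijacked or AitM-relayed session carries a token for which MFA already succeeded, so a password-and-MFA gate never sees anything wrong, while a server that binds sessions to the device and network they were issued on does. In production the device fingerprint would come from a managed-device attestation or a bound token rather than a plain cookie value, and the coordinates from an IP geolocation feed.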