Stolen credentials remain the most common way attackers get in. The 2025 Verizon DBIR, covering more than 22,000 security incidents and 12,000 confirmed breaches, makes the case plainly: credential abuse was the leading initial access vector for the second consecutive year.
What’s changed is the ecosystem around those credentials. Infostealers are harvesting them at scale, third-party breaches are doubling and the volume of hardcoded secrets in code repositories continues to climb. Credential theft and secrets theft are no longer isolated risks. They feed the same attack chain. For security teams responsible for both human and nonhuman identities, the 2025 data shows exactly where the risk is concentrated and what it costs. This article breaks down the key findings from the DBIR alongside data from IBM and GitGuardian, then outlines what security teams should prioritize in response.
What the 2025 DBIR Says About Credential-Based Attacks
Credential abuse accounted for 22% of all breaches as an initial access vector, the single most common entry point. Vulnerability exploitation followed at 20%, and phishing accounted for 16%. The gap between credential abuse and other vectors has narrowed compared to prior years, but stolen credentials still top the list.
The damage is most visible in web application attacks. In the basic web application attack pattern, 88% of breaches involved stolen credentials. Brute force attacks against these applications roughly tripled year over year, climbing from about 20% to 60% of incidents in that category. This includes credential stuffing, which the DBIR counts under brute force, and that is what makes the attempts hard to spot: each stolen username and password pair is tried once against its own account, and the attacker can vary request headers to blend in with normal traffic, so at the network level the attempts are hard to distinguish from legitimate logins.
Third-party risk also accelerated. Breaches involving external partners doubled from 15% to 30% of all breaches, driven in part by credential exposures from vendors and misconfigured SaaS environments. The Snowflake breach exemplified the pattern: attackers exploited the fact that multifactor authentication was not mandatory, then used compromised credentials to breach approximately 165 customer accounts. Roughly 80% of those accounts had prior credential exposure in infostealer logs.
Infostealers have become a primary supply line for credential theft. The 2025 DBIR found that 30% of corporate-managed devices and 46% of unmanaged devices in infostealer logs contained company credentials. The connection to ransomware is direct: among ransomware victims, 54% had prior credential exposure in infostealer logs before the attack. Ransomware itself appeared in 44% of all breaches, up from 32% the prior year, and stolen credentials were a recurring entry point for those operations.
The human element was present in 60% of all breaches, whether through phishing, social engineering or misuse. Verizon’s credential stuffing analysis adds another dimension: in analyzing single sign-on provider logs, the DBIR team found that credential stuffing accounted for 19% of all authentication attempts on a median daily basis. These attacks try each stolen credential only once against a given account, so they blend into normal login traffic and rarely trigger rate-limiting or lockout protections. In the median case, only 49% of a user’s passwords across different services were unique, which gives attackers a large pool of reusable credentials to test across multiple targets.
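The detection side of this, as an added example that is not part of the original article or of Verizon's analysis: the script below runs over a small constructed SSO log (the `user=... src=... result=...` line format is made up for the example) and contrasts the per-account lockout counter, which credential stuffing never trips, with a per-source check for the pattern described above: many distinct accounts, one attempt each, mostly failing, inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SSO authentication events in a hypothetical "key=value" format.
# 203.0.113.0/24 carries ordinary traffic (bob mistypes his password twice, then succeeds).
# 198.51.100.0/24 is a stuffing source: twelve accounts, one attempt each, one of them succeeds.
SAMPLE_LOG = """\
2025-06-01T09:00:01Z user=alice src=203.0.113.5 result=success
2025-06-01T09:00:09Z user=bob src=203.0.113.9 result=failure
2025-06-01T09:00:15Z user=bob src=203.0.113.9 result=failure
2025-06-01T09:00:22Z user=bob src=203.0.113.9 result=success
2025-06-01T09:01:00Z user=u01 src=198.51.100.7 result=failure
2025-06-01T09:01:03Z user=u02 src=198.51.100.7 result=failure
2025-06-01T09:01:06Z user=u03 src=198.51.100.7 result=failure
2025-06-01T09:01:09Z user=u04 src=198.51.100.8 result=failure
2025-06-01T09:01:12Z user=u05 src=198.51.100.8 result=failure
2025-06-01T09:01:15Z user=u06 src=198.51.100.8 result=failure
2025-06-01T09:01:18Z user=u07 src=198.51.100.9 result=failure
2025-06-01T09:01:21Z user=u08 src=198.51.100.9 result=failure
2025-06-01T09:01:24Z user=u09 src=198.51.100.9 result=failure
2025-06-01T09:01:27Z user=u10 src=198.51.100.7 result=failure
2025-06-01T09:01:30Z user=u11 src=198.51.100.8 result=failure
2025-06-01T09:01:33Z user=u12 src=198.51.100.9 result=success
2025-06-01T09:02:00Z user=carol src=203.0.113.77 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one event; return None for lines that do not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "ok": m["result"] == "success",
    }


def source_key(ip):
    """Group by /24 so a campaign hopping across a small range is still seen as one source."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def accounts_hitting_lockout(lines, threshold=5):
    """Per-account failure counting, the classic lockout signal. Stuffing never reaches it."""
    fails = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and not ev["ok"]:
            fails[ev["user"]] += 1
    return sorted(user for user, n in fails.items() if n >= threshold)


def detect_stuffing(lines, min_accounts=10, min_fail_ratio=0.8, window=timedelta(minutes=10)):
    """Flag a source that touches many distinct accounts exactly once each, mostly failing,
    inside a short window. The successes it reports are accounts to treat as compromised."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[source_key(ev["src"])].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        attempts = defaultdict(int)
        for e in events:
            attempts[e["user"]] += 1
        fails = sum(1 for e in events if not e["ok"])
        ratio = fails / len(events)
        span = events[-1]["ts"] - events[0]["ts"]
        if (len(attempts) >= min_accounts
                and max(attempts.values()) == 1      # one try per account: the stuffing signature
                and ratio >= min_fail_ratio
                and span <= window):
            alerts.append({
                "source": src,
                "accounts_tried": len(attempts),
                "failure_ratio": round(ratio, 2),
                "compromised": sorted(e["user"] for e in events if e["ok"]),
            })
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("lockout would fire for:", accounts_hitting_lockout(lines))
    for alert in detect_stuffing(lines):
        print(alert)
```

Grouping on the /24 is a stand-in: a real campaign spreads across proxies, so key on ASN, TLS fingerprint or the request headers the text mentions, and feed the `compromised` list straight into forced password resets and session revocation rather than into a ticket queue.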
Secrets Sprawl Is Making the Problem Worse
While the DBIR tracks how stolen credentials are used in breaches, other data sources reveal how fast secrets theft is accelerating on the supply side.
GitGuardian’s 2026 State of Secrets Sprawl report found that 28.65 million new hardcoded secrets were added to public GitHub commits in 2025, a 34% increase year over year and the largest single-year jump on record. The growth outpaces the developer population: since 2021, leaked secrets have increased 152% while GitHub’s public developer base grew 98%.
AI-assisted development is accelerating the trend. Leaks tied to AI services increased 81% year over year, and eight of the ten fastest-growing leak categories were tied to AI infrastructure. Internal repositories are also a major blind spot: they are six times more likely than public ones to contain hardcoded secrets, and roughly 28% of leak incidents originated from collaboration tools like Slack, Jira and Confluence rather than code repositories.
The remediation picture is worse. According to GitGuardian, 64% of valid secrets exposed in 2022 were still active in 2026. Secrets that should have been revoked years ago remain usable, and the window of exposure for any given leaked credential is measured in years, not days.
The cost data reinforces the point. IBM’s 2025 breach report puts the global average breach cost at $4.44 million. Breaches where stolen credentials were the initial access vector averaged $4.67 million and took 246 days to identify and contain, one of the longest breach lifecycles in the report. That 246-day lifecycle means organizations are often operating with compromised credentials for roughly eight months before detecting the breach.
The pattern is consistent across all three data sets: credential theft is outpacing the defenses designed to prevent it, and the secrets that slip through stay exploitable for far too long.
Why Traditional Credential Protections Fall Short
Most organizations have invested in some combination of secrets management, password policies and multifactor authentication. These measures have value, but the 2025 breach data exposes their limits.
Secrets managers centralize storage and automate rotation, but they still depend on static credentials that exist, move across environments and can be exposed. Rotation shortens the window of risk but does not close it. If a hardcoded key leaks into a public repository, even a 90-day rotation cycle leaves months of exposure before the credential is replaced. The “secret zero” problem compounds this: the workload still needs an initial credential to authenticate to the vault itself, and that bootstrap secret has to live somewhere. As the GitGuardian data shows, many organizations are not revoking secrets at all: 64% of four-year-old secrets are still valid.
Multifactor authentication is critical but no longer sufficient on its own. The 2025 DBIR documents a surge in MFA bypass techniques, including prompt bombing, token theft and adversary-in-the-middle attacks. The Snowflake breach demonstrated that when MFA is optional rather than enforced, attackers simply target the accounts where it’s absent.
For nonhuman credentials, the challenge is even more acute. Service accounts, API keys, tokens and certificates operate outside the boundaries of human-focused security controls. They don’t respond to MFA prompts. They often lack clear ownership, which means no one is responsible for rotating or decommissioning them when the workload they serve is retired. In cloud-native environments where workloads are constantly created and destroyed, the number of nonhuman credentials scales faster than any manual process can manage. The GitGuardian finding that internal repositories are six times more likely than public ones to contain hardcoded secrets underscores the scope of the problem: the most dangerous credential exposures are often the ones that teams assume are safe because they’re behind a private repository boundary.
What Security Teams Should Do Now
The breach data points to a clear priority order. Rather than waiting for a complete inventory of every credential in the environment, security teams should start by securing what they already know is sensitive. The 246-day average lifecycle for credential-based breaches means that every month of inaction on known exposures is a month of exploitable access for attackers.
Protect your most critical connections first. Your production databases, financial APIs and customer data stores are the highest-value targets for attackers, so the workloads that access them should be the first to move from static credentials to identity-based access. Workload IAM verifies the identity of each workload at runtime and issues short-lived, policy-scoped credentials that expire in minutes. The workload never stores a long-lived secret: it proves who it is with identity evidence its platform already provides, such as a cloud instance identity or a Kubernetes service account token, which is what removes the bootstrap credential that the secret zero problem leaves behind.
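To make the mechanism concrete, here is an added illustration of the pattern (identity evidence from the platform, a policy check, then a short-lived credential scoped to one resource). It is not Aembit's code or product behaviour: the identity names, the policy table, the two keys and the `body.mac` token format are all constructed for the example, and the `now` argument is passed explicitly so expiry can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical access policy: which workload identity may reach which resource, and the
# lifetime (seconds) of the credential minted for it. SPIFFE-style names are used only
# as an illustration of a platform-assigned identity.
POLICY = {
    "spiffe://example.org/ns/prod/sa/billing-api": {"payments-db": 300},
    "spiffe://example.org/ns/prod/sa/reporting": {"analytics-db": 300},
}
# Constructed demo keys. The platform key stands in for whatever signs identity evidence
# (cloud instance identity, kubelet-issued service account token); the issuer key signs the
# short-lived credentials. Neither key ever ships with the workload, so there is no secret zero.
PLATFORM_KEY = b"platform-attestation-key-constructed-for-demo"
ISSUER_KEY = b"credential-issuer-key-constructed-for-demo"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key, claims):
    """Compact `body.mac` token: JSON claims, HMAC-SHA256 over the encoded body."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{mac}"


def verify(key, token):
    """Return the claims if the MAC checks out, else None. Expiry is the caller's job."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(_unb64(body))


def attest(workload_id, now):
    """Platform side: short-lived identity evidence for a running workload, no stored secret."""
    return sign(PLATFORM_KEY, {"sub": workload_id, "iat": now, "exp": now + 60})


def issue(attestation, resource, now):
    """Issuer side: verify the evidence, consult policy, mint a credential bound to one
    resource (aud) that dies on its own after the policy's TTL."""
    claims = verify(PLATFORM_KEY, attestation)
    if claims is None or claims["exp"] <= now:
        raise PermissionError("attestation missing, forged or stale")
    ttl = POLICY.get(claims["sub"], {}).get(resource)
    if ttl is None:
        raise PermissionError(f"policy denies {claims['sub']} -> {resource}")
    return sign(ISSUER_KEY, {"sub": claims["sub"], "aud": resource, "iat": now, "exp": now + ttl})


def resource_accepts(resource, token, now):
    """Resource side: genuine, addressed to this resource, and not yet expired."""
    claims = verify(ISSUER_KEY, token)
    return claims is not None and claims.get("aud") == resource and claims["exp"] > now


if __name__ == "__main__":
    now = int(time.time())
    evidence = attest("spiffe://example.org/ns/prod/sa/billing-api", now)
    cred = issue(evidence, "payments-db", now)
    print("fresh, right resource :", resource_accepts("payments-db", cred, now + 10))
    print("replayed after expiry :", resource_accepts("payments-db", cred, now + 600))
    print("wrong resource        :", resource_accepts("customer-db", cred, now + 10))
```

The two properties that matter for the breach data are visible in the checks: a credential lifted from a workload is useless once its `exp` passes, so there is no multi-month exposure window to rotate away, and a credential minted for `payments-db` is rejected everywhere else, so one leak does not become lateral movement.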
Eliminate credentials where you can, manage them tightly where you can’t. Not every system supports secretless access today. Legacy applications, certain third-party integrations and vendor-imposed authentication requirements may still demand static credentials. For those that remain, enforce automated rotation, scope access to the minimum necessary and monitor usage continuously. But treat these as transitional measures, not the end state. The goal is to shrink the inventory of static credentials over time, not to manage a growing one.
The GitGuardian data makes clear that revocation is where most organizations fail. When a credential leaks, the priority is immediate revocation rather than waiting for the next scheduled rotation. Automated detection and response built into continuous integration/continuous deployment (CI/CD) pipelines can catch leaked secrets before they reach production, but only if the tooling is in place and the revocation workflow is enforced.
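A minimal version of that pipeline gate, added here as an illustration rather than code from the article or from GitGuardian, and also a concrete look at the hardcoded-secret growth discussed above: it scans only the added lines of a unified diff, so the check runs in seconds on every pull request, and fails the job when a well-known token shape or a high-entropy `name = value` assignment appears. The diff, the file path and every value in it are constructed for the example; none is a real credential.

```python
import math
import re
import sys

# Constructed unified diff, as a CI job would receive it from `git diff origin/main...HEAD`.
# Every value below is made up for the example; none is a real credential.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,4 +1,8 @@
 import os

-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "q8Zr2LkV7mN3xP5wT1yB"
+API_KEY = "REPLACE_WITH_YOUR_KEY"
+aws_access_key_id = "AKIAZZZZTESTKEY00001"
+token = "aaaaaaaaaaaaaaaaaaaa"
+GITHUB_PAT = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
 DEBUG = False
"""

# Fixed-shape detectors for a few well-known token formats (prefix plus fixed length).
SPECIFIC = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
}
# Generic `name = value` assignment; gated by entropy and a placeholder list to cut noise.
GENERIC = re.compile(
    r"(?i)(api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
PLACEHOLDER = re.compile(r"(?i)example|placeholder|replace|changeme|xxxx|your[_-]")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    """Bits per character: random-looking secrets score well above 3.5, filler like 'aaaa' scores 0."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_line(text, min_entropy=3.5):
    hits = [(kind, m.group(0)) for kind, rx in SPECIFIC.items() for m in rx.finditer(text)]
    for m in GENERIC.finditer(text):
        value = m.group(2)
        if PLACEHOLDER.search(value) or shannon_entropy(value) < min_entropy:
            continue
        hits.append(("generic_" + m.group(1).lower(), value))
    return hits


def scan_diff(diff_text):
    """Walk the added lines of a unified diff, tracking file and new-side line number."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK.match(raw)
        if m:
            lineno = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue                      # removed lines never reach the tree
        if raw.startswith("+"):
            for kind, value in scan_line(raw[1:]):
                findings.append({"path": path, "line": lineno, "kind": kind, "value": value})
        lineno += 1                       # context and added lines both advance the new side
    return findings


def gate(diff_text):
    """Exit status for the pipeline step: non-zero blocks the merge. The secret is already in
    history at this point, so the fix is revocation at the issuer, not just removal."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['value'][:4]}...)", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()))
```

A production scanner carries hundreds of detectors and validates hits against the issuer before paging anyone; the point here is the workflow the text calls for. The placeholder and low-entropy lines are skipped so the gate stays credible, and the three real-looking hits block the merge and should open a revocation task, because once the value has been committed the next scheduled rotation is too late.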
MFA remains one of the most effective controls for human accounts, even with the rise in bypass techniques. For nonhuman identities, where MFA does not apply, workload identity verification and conditional access policies provide the equivalent layer of continuous authentication. Enforce these controls everywhere, not just where they are convenient.
Aembit’s Workload IAM platform handles this at the architecture level. By verifying workload identity at runtime and issuing ephemeral credentials based on policy, Aembit eliminates stored secrets for workload-to-workload connections. Every access decision is logged with the workload identity, the resource accessed and the policy evaluated, which gives security teams the audit trail that credential-based approaches lack.