Credential theft now accounts for one-in-five data breaches, with the number of compromised credentials skyrocketing.
Analysis from Check Point shows the volume of compromised credentials has surged 160% so far in 2025. The cybersecurity giant said in one month alone it reported 14,000 cases where employee credentials were exposed in data breaches.
This big increase in numbers, researchers noted, could be down to the increasing use of AI improving the sophistication of phishing attacks, along with an increasing number of stealer families.
These are making it easier for less-experienced threat actors to enter the playing field by using Malware as a Service offerings on the dark web.
The research also found that, in cases where stolen credentials originate from GitHub repositories, it takes an average of 94 days for businesses to remediate the leaked secrets by revoking them or disabling affected accounts.
"This suggests that businesses struggle to identify leaked login information quickly, giving threat actors plenty of time to take advantage of it," researchers said.
There was quite a bit of variation in the rates for different countries. Brazil and India were big outliers, with rates of 7.64% and 7.10% respectively. The rest of the top ten included Indonesia, Vietnam, Pakistan, Egypt, the US, the Philippines, Türkiye, and Argentina, all with rates of between 4.3% and 3%.
As for the websites and domains most frequently impacted by leaked credential attacks, those owned by Discord, Microsoft - which owns live.com - and Facebook top the list. Gmail and Roblox accounts are also frequently implicated.
According to Verizon’s 2025 Data Breach Investigation Report, stolen credentials were the root cause of 22% of data breaches in 2024.
Unlike software vulnerability exploits or malware deployment, stolen credentials are a particularly easy method of attack, said Check Point.
"Once threat actors obtain the credentials for a legitimate user – which they can do by breaking into databases or launching phishing attacks, among other methods – they can simply log in as if they were that user. In turn, they can access any resources available to that user," the researchers said.
"And they can typically do so without being easily detected, since they are not bypassing security controls or disabling systems."
How to prevent credential theft
There's not much that organizations can do to completely prevent the theft of login credentials. Even anti-phishing tools and email gateways are no guarantee, researchers noted.
However, Check Point recommends tightening up password management policies, implementing multi-factor authentication (MFA), and where possible prioritizing single sign-on (SSO) over direct credential logins.
Login attempts should be limited to prevent brute-force attacks and cross-account credential stuffing, it recommends, and user access rights should be limited to the bare minimum necessary. Employees should be trained to recognize and resist phishing attempts.
Similarly, network-level protections, such as intrusion detection systems and firewalls, should be used, while access to third-party websites should be restricted.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
HPE promises “cross pollinated" future for Aruba and JuniperNews Juniper Networks’ Marvis and LEM capabilities will move to Aruba Central, while client profiling and organizational insights will transfer to Mist
-
HPE Discover Barcelona 2025: All the news, updates, and announcements live from BarcelonaNews ITPro is on the ground in Spain for the European addition of HPE Discover – join our rolling coverage of the event
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
