
Imagine this. A hacker frantically types code into a (punk sticker-laden, if the movies are accurate) laptop, trying to get around the active firewall that stands between them and access to the organization’s information. It’s burdensome work. There’s sweat and a certain amount of genius involved. And really, if that were an accurate picture of the threat landscape, we might have a better idea of how to stop breaches from happening. Unfortunately, a growing number of incidents are happening because the hacker just…gained access through credential-based attacks.
How does this happen?
It starts with something called infostealer malware, which is small, fast, and widely available. These programs quietly infiltrate personal or enterprise devices and harvest login credentials, browser cookies, and authentication tokens. Once captured, those credentials are sold or traded on dark web marketplaces. Some go for pennies. Others, if they offer access to high-value enterprise tools like Okta, Salesforce, or Microsoft 365, can fetch hundreds or even thousands of dollars.
And attackers are buying. According to the recent 2025 M-Trends report from Mandiant and Google Cloud, stolen credentials have now overtaken phishing as the second most common method of initial access in breaches, a telling indicator of how the threat landscape is shifting. The top spot still belongs to known vulnerabilities and exploits, but the credential economy is closing the gap.
Why? Because it works. And because too many organizations still treat identity protection as a checkbox, not a control surface.
Why are organizations continuing to fumble credentialing?
“Locking down credentials” seems like an obvious way to protect critical data assets from breaches, but let’s be clear. The security landscape is highly complex. Companies, especially large enterprises operating across borders with flexible workforces, are struggling with layers of access because full lockdowns create friction for hackers and workers. It’s a delicate balance between restricting access enough to follow security best practices and restricting it so much that your own teams can’t move quickly or get their jobs done.
Small businesses may not have this level of complexity, but they still face budget and resource complications. Many rely on default settings, shared logins, or one-size-fits-all access controls simply because they don’t have the time or staffing to manage anything more granular. Tools that could improve credential management often come with financial and operational costs that are hard to justify without a clear short-term payoff. As a result, even well-meaning teams end up taking on more risk than they realize.
There are two key components of the struggle.
Misconfigurations are easy to miss and hard to unwind
Most organizations don’t intend to leave the door open. However, as SaaS ecosystems expand, identity management becomes increasingly challenging. Business units spin up tools independently. Permissions are granted temporarily and rarely revoked. Logs aren’t always configured in ways that surface credential misuse.
Even in companies with strong security policies, misconfigurations happen. And they’re hard to detect until something goes wrong. Mandiant’s latest report points to this dynamic as a key driver behind the rise in credential-based attacks. In many cases, attackers didn’t have to force their way in. They simply walked through an open side door that no one realized was still connected to sensitive systems.
Security teams are stretched thin and SaaS keeps growing
At the same time, security teams are under pressure to monitor more systems with fewer people. Every new tool, integration, or vendor expands the identity surface and increases the number of places credentials can be misused. Visibility across this landscape isn’t always complete, especially in environments where multiple identity providers or custom access systems are in use.
According to Mandiant, the global median dwell time for intrusions rose to 11 days in 2024. That doesn’t mean security teams aren’t working hard. It means attackers are getting better at blending in. And in a world where a single login can grant access to dozens of connected apps, detection is becoming just as much a scale problem as it is a strategy problem.
What’s starting to work against credential-based attacks
While credential abuse is on the rise, so is awareness. More organizations are beginning to treat identity not as a secondary concern, but as a core element of infrastructure security.
FIDO2 and phishing-resistant MFA
One of the most promising shifts is the move toward FIDO2-compliant multi-factor authentication. Unlike legacy MFA, which often relies on SMS or push notifications that can be intercepted or spoofed, FIDO2 uses physical hardware keys or platform-based authenticators that are much more resistant to phishing and credential replay attacks.
Uptake is still uneven but growing. For companies that have implemented FIDO2, the drop in successful credential misuse attempts is significant. And while rollout can be challenging, especially in mixed-device environments, it is one of the most effective ways to prevent attackers from using stolen credentials as a foothold.
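The property that makes FIDO2 resistant to phishing and replay is that the browser, not the web page, writes the origin into the signed client data, and the relying party checks that origin, a fresh per-login challenge, and a monotonically increasing signature counter before accepting anything. The following is an added example, not code from the article or from any FIDO2 library, that walks through those relying-party checks against a genuine login, a replayed assertion, a relayed assertion from a look-alike domain, and a repeated counter. It simplifies the cryptography: the authenticator's key pair is replaced by a per-credential HMAC secret so the example runs with only the Python standard library, and the hostnames, credential id and field layout are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import struct

# Relying party (RP) configuration. These values are constructed for this example.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

# Stand-in for the authenticator's key pair: a per-credential secret known to
# the simulated authenticator and the RP. Real FIDO2 uses an asymmetric key and
# the RP stores only the public key; HMAC is used here so the example needs no
# third-party library. The origin, challenge and counter checks are the point.
_CREDENTIAL_SECRETS: dict[str, bytes] = {}
_LAST_COUNTER: dict[str, int] = {}


def register_credential(credential_id: str) -> None:
    """Enrolment: the RP records the credential (in reality, its public key)."""
    _CREDENTIAL_SECRETS[credential_id] = os.urandom(32)
    _LAST_COUNTER[credential_id] = 0


def new_challenge() -> str:
    """A fresh, single-use challenge the RP issues for each login attempt."""
    return os.urandom(32).hex()


def browser_get_assertion(credential_id: str, page_origin: str, challenge: str, counter: int) -> dict:
    """Simulates navigator.credentials.get() on a page served from `page_origin`.

    The browser fills in the origin itself and scopes the request to the page's
    own host, so a look-alike page cannot claim to be login.example.com. (A real
    authenticator would refuse outright because no credential exists for that
    rpId; the RP-side check below is the layer this example demonstrates.)
    """
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    flags = b"\x01"  # user-presence bit set
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + struct.pack(">I", counter)
    secret = _CREDENTIAL_SECRETS[credential_id]
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(secret, signed, "sha256").digest()
    return {"id": credential_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": signature}


def verify_assertion(expected_challenge: str, assertion: dict) -> tuple[bool, str]:
    """RP-side verification in the order a WebAuthn server performs it."""
    cred_id = assertion["id"]
    secret = _CREDENTIAL_SECRETS.get(cred_id)
    if secret is None:
        return False, "unknown credential"
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(secret, signed, "sha256").digest(), assertion["signature"]):
        return False, "bad signature"
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= _LAST_COUNTER[cred_id]:
        return False, "signature counter did not increase (possible cloned authenticator)"
    _LAST_COUNTER[cred_id] = counter
    return True, "ok"


def demo() -> dict:
    """Four scenarios; returns each verification result keyed by scenario name."""
    register_credential("cred-1")
    results = {}
    ch = new_challenge()
    genuine = browser_get_assertion("cred-1", EXPECTED_ORIGIN, ch, counter=1)
    results["genuine"] = verify_assertion(ch, genuine)
    # Replay: the captured assertion is submitted against a later login's challenge.
    results["replay"] = verify_assertion(new_challenge(), genuine)
    # Relay through a look-alike domain: the RP's live challenge is forwarded to
    # the victim, but the browser records the origin the victim actually visited.
    ch2 = new_challenge()
    relayed = browser_get_assertion("cred-1", "https://login-example.com", ch2, counter=2)
    results["phished"] = verify_assertion(ch2, relayed)
    # Counter reuse: a valid-looking assertion whose counter did not move forward.
    ch3 = new_challenge()
    repeat = browser_get_assertion("cred-1", EXPECTED_ORIGIN, ch3, counter=1)
    results["cloned"] = verify_assertion(ch3, repeat)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8s} accepted={ok} reason={reason}")
```

Only the first scenario is accepted. The replay fails on the challenge, the relayed assertion fails on the origin before any signature is even checked, and the counter check is what catches an authenticator whose key material has been copied.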
Visibility, logging, and identity-centric monitoring
Another area seeing improvement is visibility into SaaS and cloud access patterns. More companies are prioritizing centralized identity providers, auditing their access logs regularly, and enforcing least-privilege principles. In environments where dozens of tools are used daily, this kind of oversight is no longer optional.
Mandiant notes that organizations making gains in this area often treat SaaS security as a living, dynamic practice rather than a static control. That means regularly reviewing who has access to what, removing dormant accounts, and making sure third-party app integrations do not quietly expand exposure. There is no one-time setup that provides perfect coverage. Instead, it is a continual implementation, a habit that adapts as circumstances do.
The tools for implementing this effectively are improving, but they only work when combined with attention and process. Credential defense is no longer just about strong passwords or rotating secrets. It is about building a system that can recognize when access is being used in ways that don’t match expectations.
Credential risk isn’t new, but it is changing
Attackers will undoubtedly continue to target perimeter defenses, but let’s not forget that sometimes they just walk right in through that forgotten side door. The rise of infostealers, the growing complexity of SaaS environments, and limited visibility into access behavior have made credential misuse a reliable tactic and a difficult one to detect.
Still, the outlook is not all bad. Organizations that approach identity as part of their infrastructure, adopt phishing-resistant authentication, and commit to regular access reviews are already reducing their exposure to cyber threats. This work can be tedious and sometimes thankless, but it’s where real gains are happening.
Credential security is not a one-time fix. It is a continuous practice that needs attention, adaptation, and support from every level of the organization.

Elizabeth Wallace is a Nashville-based freelance writer with a soft spot for data science and AI and a background in linguistics. She spent 13 years teaching language in higher ed and now helps startups and other organizations explain – clearly – what it is they do.