Credential Compromise and the Risks of Password-Based Authentication
Cybercriminals are increasingly targeting enterprise credentials through phishing, brute force attacks, and exploitation of password reuse, leading to widespread compromise and monetization of login details. Attackers use tactics such as convincing phishing emails, credential stuffing, and the sale of stolen credentials on underground markets, enabling further exploitation including data theft and ransomware. The prevalence of password reuse and weak password management practices among employees exacerbates the risk, as users often rotate between a small set of passwords or make only minor variations, making it easier for attackers to gain access to multiple accounts once a single credential is compromised.
Security experts are urging organizations to move away from traditional password-based authentication and adopt phishing-resistant, device-bound cryptographic solutions such as FIDO2, passkeys, and certificate-based authentication. These measures are seen as essential to counter the growing threat posed by automated attacks leveraging AI agents and large-scale credential theft. SaaS providers are also encouraged to integrate with identity platforms that support these advanced authentication methods to strengthen overall security posture and reduce the risk of credential-based breaches.
Related Stories
Credential-Based Attacks and Identity Threats in Modern Cybersecurity
Credential abuse, phishing, and vulnerability exploitation remain the primary vectors for cyber breaches, with attackers increasingly leveraging automation, AI-driven social engineering, and new evasion techniques. Recent research highlights a 160% surge in leaked credentials, with billions exposed in single incidents, and a significant rise in email-based threats, including a 130% increase in malware delivered via email and a resurgence of ransomware. Attackers exploit overlooked file types and advanced obfuscation tactics to bypass security controls, while compromised credentials and endpoint exploitation are now frequently blended in multi-stage attacks. The rapid proliferation of non-human digital identities, such as AI agents, has dramatically expanded the attack surface, with non-human accounts now outnumbering human users by 82 to 1. This shift has led 90% of business leaders to rank identity attacks as their top concern, and most organizations are reevaluating their identity and access management strategies. The growing complexity and scale of identity-based threats have eroded confidence in rapid recovery, underscoring the need for robust identity resilience and specialized security staff to defend against increasingly sophisticated credential and identity attacks.
3 months ago
Credential-Based Attacks and the Shift Toward Phishing-Resistant MFA
Recent high-profile breaches at major UK retailers, including M&S and Co-op Group, have highlighted the growing threat of identity-based attacks. Attackers used vishing techniques to obtain corporate passwords, which enabled ransomware deployment and resulted in significant financial and reputational damage. The distributed nature of modern IT environments, with resources spread across cloud and on-premises systems, has made identity the new security perimeter, increasing the value of credentials for cybercriminals. Infostealer malware and various forms of phishing, including smishing and vishing, are now primary methods for harvesting credentials, contributing to a surge in identity-related breaches across industries. To counter these threats, security experts emphasize the importance of robust multifactor authentication (MFA), particularly methods that are resistant to phishing. While traditional MFA methods such as one-time passwords (OTPs) sent via SMS or email are still widely used, they are increasingly vulnerable to social engineering and interception. The adoption of passkeys and other phishing-resistant MFA solutions is being promoted as the gold standard, with Microsoft reporting that MFA blocks over 99% of unauthorized access attempts. Organizations are urged to move beyond basic MFA and implement stronger, phishing-resistant authentication to protect against evolving identity-based attacks.
3 months ago
Challenges and Progress in Enterprise Passwordless Authentication
Enterprises are increasingly adopting passwordless authentication methods such as biometrics, passkeys, and security keys to enhance security and reduce the risks associated with traditional passwords. However, widespread implementation remains difficult, particularly for legacy systems, operational technology, and specialized applications that were never designed for anything other than passwords. Security leaders report that while most organizations can cover the majority of their threat landscape with passwordless solutions, the final 15%—often the most critical and legacy-dependent systems—remains resistant to change, creating operational and security challenges. Major technology providers like Google are actively promoting passwordless authentication, urging users to adopt passkeys and stronger authentication tools in response to increasingly sophisticated phishing and vishing attacks. Despite these efforts, the transition is hampered by technical, operational, and user experience hurdles, and attackers are exploiting gaps between multiple authentication systems. The push for a passwordless future is ongoing, but experts caution that full adoption may never be realized, and organizations must remain vigilant against evolving credential-based threats.
4 months ago