Preventing credential theft and responding to stolen credentials isn’t impossible in theory, but in reality, it’s a growing challenge—with no signs of improvement on the horizon.
Credentials
The term “credentials” in cybersecurity traces back to the Latin word *credere*, meaning “to believe.” In ancient times, someone might say, “I am Socrates—trust that.” By the Middle Ages, this evolved into carrying a physical document—proof of that claim. These documents became known as *credentialis*: written proof verifying who you are.
Today, credentials are digital, not physical, but their purpose remains the same: enabling trust in your identity. They confirm, “I am who I claim to be—act accordingly.” Your username (e.g., ‘Socrates’) is your identity; your password or token is the credential that verifies it.
Cyber Credentials
Modern cybersecurity divides credentials into two main types: those for people and those for machines. Human credentials include passwords, passkeys, fingerprint scans, and security tokens (both software and hardware). Machine or non-human credentials cover API keys, SSH keys, X.509 certificates, service accounts, and session tokens. Session tokens deserve special attention—while a company may have 3,000 staff, it could have 300,000 active session tokens. These tokens are frequently stolen by infostealers, one of the most common threats to credential security.
It’s important to distinguish between credential compromise and the resulting breach. “Compromise doesn’t mean the credential has been used yet,” says Ran Geva, CEO and co-founder of Webz.io. “It just means the rightful owner no longer has exclusive control over it.”
However, that stolen data could be used at any moment—and when it is, systems treat it as coming from the legitimate user. Erin Meyers, an identity expert at Huntress, explains: “Attackers aren’t forcing their way in the traditional sense. They’re logging in—or reusing an active session—and inheriting all the user’s permissions. This makes their malicious actions look identical to normal activity.”
Ariel Parnes, co-founder and COO of Mitiga, adds that from the system’s viewpoint, “everything appears authorized, making detection extremely difficult.”
Dan Schiappa, president of technology and services at Arctic Wolf, says, “Credential compromise is—if not *the* most widespread—one of the most effective tactics used by attackers. It requires minimal technical skill yet grants easy entry into target systems.”
Often, all that’s needed is a username and password. Bob Long, president for the Americas at Daon, warns: “A single successful breach can trigger a chain reaction across multiple accounts—especially if users recycle the same login details elsewhere.”
Reinhard Hochrieser, SVP of product and technology at Jumio, emphasizes that sensitive documents like Social Security numbers (SSNs) and government IDs are also credentials. “Fraudsters use this information to craft sophisticated attacks—including altering IDs and generating AI-powered deepfakes to fool biometric verification systems. This puts everyday people at greater risk than ever before.”
Jan Bee, CISO at TeamViewer, sums it up: “Stolen credentials let attackers slip past perimeter defenses, avoid detection, and operate within trusted processes. As a result, securing infrastructure alone isn’t enough anymore. We must now focus on protecting identities around the clock.”
Theft of Credentials
Before a breach occurs using compromised credentials, attackers must first steal them. While we should—and can—make this harder, fully preventing credential theft is likely unachievable. The core issue? The agility gap: the lag between when hackers adopt new methods and when defenders update their protections.
AI is a prime example. Phishing remains the top method for stealing individual credentials, but modern AI tools can generate highly convincing deepfakes with realistic backstories. There’s no foolproof tech to catch every attempt—it often comes down to a person’s vigilance and gut instinct.
Torsten George, CMO at ID Dataweb, shares a real-world example: “I recently got an email claiming to be from my CEO—but it was sent from an unusual address and the tone felt off. So I sent him a screenshot via Teams asking if he’d sent it. He hadn’t.” When in doubt, always verify.

Attackers don’t always need advanced tech—just look at groups like Scattered Spider. “Imagine pretending to be a senior VP who’s about to walk into a customer meeting but can’t access their files,” says George. “You call the Help Desk in a panic. That pressure is often enough for the agent to hand over full access—effectively giving away the keys to the kingdom. From there, attackers move laterally until they reach valuable data and steal it.” Whether through phishing or impersonation, these attacks exploit human psychology.
Erin Meyers suggests one proactive approach: Identity Security Posture Management (ISPM). “ISPM helps answer the critical question: *Which identities are most likely to be targeted next?* It identifies which credentials attackers will go after—and explains why.”
Schiappa notes that the threat extends beyond individual logins. “Our latest threat report shows phishing was behind 85% of incident responses. But credential theft also happens through data exfiltration, infostealer malware, and man-in-the-middle attacks.”
Infostealers remain a significant danger when it comes to credentials. Once they infiltrate a victim’s system, they harvest passwords (among other sensitive data) and transmit them back to the attacker.
The X-Force 2025 Threat Intelligence Index (published February 25, 2026) reveals that out of 400,000 tracked vulnerabilities, 56% could be exploited without any authentication. “Attackers are exploiting systems through remote code execution without needing authentication,” explains Michelle Alvarez, manager at X-Force Threat Intelligence. “They might upload a file to a server that doesn’t require credentials, and just like that, they’re in. No passwords needed, no MFA to bypass.” This opens the door to even more credential theft.
Knowing whether credentials have been compromised
If we can’t stop credentials from being stolen in the first place, can we at least determine whether they’ve been taken and are now in attackers’ hands? A stolen credential means an attack could happen at any moment. As with freedom, the price of security is constant vigilance — and it’s often hard to achieve.
“Some companies monitor the dark web for breached data and alert individuals when their information shows up in exposed datasets. While that offers useful insight, it’s not something people can fully depend on,” says Long.
“For consumers,” says Renee Burton, VP of threat intelligence at Infoblox, “one of the simplest ways to check is through public breach notification services like Have I Been Pwned, where you can enter your email address and find out if it has appeared in known data breaches. That provides some visibility, but it’s not the whole picture.”
But Hochrieser cautions, “Determining whether your credentials have been stolen is nearly impossible. If your email is compromised, you might receive a notification, but with biometric data, there are no public services capable of telling you whether that information was exposed in a breach.”
Parnes recommends, “Leverage dedicated breach intelligence databases, including public repositories like ‘Have I Been Pwned’ and Dark Web Monitoring services (commonly offered by password managers and identity protection solutions that track ‘stealer logs’ — private marketplaces where hackers sell credentials before they ever make it to public databases).”
There isn’t a straightforward, single solution. “Detection demands multiple methods,” says Geva, pointing to breach dataset monitoring, dark web and marketplace surveillance, infostealer log intelligence, closed forum scraping, and Telegram channel monitoring.
It was the complexity and time required to monitor all these sources for every credential loss that motivated Geva to create lunarcyber.com (commonly known as Lunar), launched in late 2025. It handles all the monitoring for you (continuously checking for signs of compromise).
“Lunar gives organizations early visibility into exposed credentials and identity artifacts, so they can act before attackers do,” he explains. “Lunar also includes advanced intelligence specifically focused on infostealer malware, which can reveal when company endpoints have been breached and when attackers have extracted high-value assets like session cookies and real-time username/password captures. This matters because even if a user changes their password, stolen sessions and tokens can remain valid and continue providing access.”
From credential compromise to a full breach
The core issue remains: just because you haven’t found evidence doesn’t mean nothing has happened. “Credentials may be used long before breach information is identified and relayed to the affected person. By the time a notification arrives, the attacker may have already exploited the access,” says Long.
For most organizations, the first sign of credential compromise comes with the discovery of a breach, though sometimes the attack can be detected early. “Unwelcome password reset emails and ‘new login detected’ alerts are a clear indication that your credentials have been stolen,” warns Schiappa.
MFA falls into a similar category, he continues. “MFA is a straightforward yet effective access control that not only blocks threat actors from gaining access with stolen credentials but can also serve as an alert mechanism for security teams, signaling unusual login activity.”
But MFA is no longer flawless. George remarks, “If you’d asked me 18 months ago, I would have said it’s a solid deterrent. According to Microsoft, the bypass rate was 0.7%, still within acceptable limits. But today, the MFA bypass rate has climbed into the low double digits, which represents a significant threat.”
Stuart Sharp, VP of product at One Identity, adds, “Phishing-resistant MFA methods, such as WebAuthn and Passkeys, incorporate two layers of protection — confirming that the target website address is legitimate and not a fake replica of a real site, and verifying that the authentication request originates from a known, registered device. When paired with on-device biometric verification like Face ID or fingerprints, these phishing-resistant forms of MFA substantially reduce the risk of unauthorized access.”
Roy Katmor, CEO at Orchid Security, adds, “MFA is highly effective against basic password replay, but it’s less effective against session theft, token replay, and MFA fatigue/push bombing (where attackers flood users with approval prompts until one gets accepted) unless it’s properly hardened. Phishing-resistant MFA is a meaningful improvement and significantly raises the bar.”
Still, concludes George, “People will always remain the weakest link in the cyber attack chain, and that’s exactly what many attackers take advantage of.”
Regardless, “In many cases, people only realize their credentials have been compromised after something goes wrong, such as an unexpected password reset, an
Unfortunately, by the time you notice signs like an account lockout or unauthorized charges on your credit card, hackers may have already circulated or used your stolen login details,” explains Burton.
When a stolen credential breach happens, the focus shifts to spotting it early and acting fast to limit the damage. Once an attacker gets in using hijacked credentials, is there any way to fight back? “Yes,” Meyers confirms, “but the strategy changes from blocking login attempts to containing the attacker and staying ahead of their moves.” This means detecting and slowing the attacker’s progress, resetting compromised credentials to stop further misuse, revoking active sessions, and enforcing least privilege everywhere.
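Two of the containment steps above, resetting compromised credentials and revoking active sessions, only help if a reset actually kills sessions already issued (the point Geva makes about stolen session cookies surviving a password change). The following is an added illustration, not code from the article or any vendor mentioned in it; SessionStore and its method names are hypothetical, and the key is a constructed value.

```python
"""Added example (not from the article): a minimal session store in which a
credential reset or explicit revocation invalidates every session issued
under the old credential. SessionStore and its methods are hypothetical."""
import hashlib
import hmac
import secrets
import time

class SessionStore:
    def __init__(self, key, ttl_seconds=3600):
        self.key = key              # server-side HMAC key for token integrity
        self.ttl = ttl_seconds
        self.cred_version = {}      # user -> counter bumped on every reset
        self.sessions = {}          # session id -> (user, version, issued_at)

    def _sig(self, sid):
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def _version(self, user):
        return self.cred_version.setdefault(user, 1)

    def login(self, user, now=None):
        """Issue a token bound to the user's current credential version."""
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = (user, self._version(user), now or time.time())
        return sid + "." + self._sig(sid)

    def validate(self, token, now=None):
        """Return the user if the token is intact, unexpired and issued under
        the user's *current* credential version; otherwise None."""
        sid, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sig(sid)):
            return None             # forged or tampered token
        entry = self.sessions.get(sid)
        if entry is None:
            return None             # unknown, or explicitly revoked
        user, version, issued_at = entry
        if (now or time.time()) - issued_at > self.ttl:
            return None             # expired
        if version != self._version(user):
            return None             # credential reset since it was issued
        return user

    def reset_credential(self, user):
        """Password/key reset: bump the version so every older session dies."""
        self.cred_version[user] = self._version(user) + 1

    def revoke_all(self, user):
        """Containment step: drop every stored session for the user."""
        doomed = [s for s, (u, _, _) in self.sessions.items() if u == user]
        for s in doomed:
            del self.sessions[s]
        return len(doomed)
```

The version check is what makes a password reset effective even against a stolen token that was still within its TTL; without it, the attacker's session would keep working until expiry.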
“Once an attacker logs in, the goal shifts from blocking access to detecting suspicious activity and limiting the damage,” Bee agrees. “The faster strange behavior is caught and contained, the less harm is done.”
Two of the most effective tools for detection and containment are behavioral anomaly detection and zero trust principles.
Behavioral detection
Behavioral detection systems create a baseline of normal user activity and can spot anything unusual that deviates from that pattern. Any such deviation likely signals an intruder, even if they used valid credentials to get in. “Once attackers log in, it’s their behavior that gives them away,” Meyers notes.
Long describes it as continuous authentication. “Instead of trusting a user just because they logged in once, companies can watch behavior throughout the whole session. Techniques like behavioral biometrics track how a customer normally uses a service, including their typical location, devices, how they handle their device, and common transaction habits. If something unusual happens, the system can step up security when the customer tries to do anything sensitive.”
Access should not be a one-time decision, he says. Bee agrees. “The real question isn’t whether the login was valid, but whether what follows matches the user’s usual patterns. If trust is given at login and never questioned again, an attacker can work freely during that time. That’s why resilience depends on always checking if the user, device, and context still match what ‘normal’ looks like.”
He adds, “Unusual access to new systems, privilege changes, or unexpected SaaS activity should trigger re-authentication, session isolation, or immediate revocation. In connected, SaaS-driven environments, speed is crucial. The faster misuse is caught and contained, the lesser the impact.”
Zero trust
Zero trust helps contain stolen credential breaches but is still widely mistaken as a product or piece of software.
“Zero trust isn’t software you install. It’s not something you buy,” George clarifies. “It’s really a mindset, an approach that says, ‘Never trust automatically, always verify.’ In today’s complex threat landscape, every organization should take this approach. If you trust credentials blindly and assume the identity behind them is real, you’ll be wrong more than 70% of the time.”
It’s that automatic trust attackers exploit. “If you never take trust for granted, ask more questions, don’t assume a credential equals an identity, but check it against factors like location, timing, and behavior – through the lens of identities – then you cut your risk enormously.”
Carlos Aguilar Melchor, principal research scientist at SandboxAQ, agrees. “Zero Trust is a way of operating, not a destination. The aim is straightforward: keep reducing the blast radius wherever identity and cryptography are properly managed and controlled.

“The old perimeter is disappearing,” he explains. “Keep moving toward continuous verification for users, devices, services, data, and agents. Make every transaction check policy, and treat identity as the control center for both people and machines.”
While zero trust is neither a product nor a destination, “Even partial zero trust implementation is valuable if you can measure it,” he says. “Start with phishing-resistant multi-factor authentication, signed software and models, workload identity, and service-to-service mutual TLS (Transport Layer Security). Keep cryptography robust so machine identities stay trustworthy.”
Meyers highlights that continuous verification is key. “Zero trust challenges the idea that ‘credentials mean full access,’ by focusing on constant verification and conditional access. It works especially well when paired with enforcement that catches trust violations and limits lateral movement after the attacker first gets in.”
Microsegmentation, often seen as central to zero trust, is more of a strategy than a specific technology. It helps contain attackers. “It limits the damage by making sure one stolen account can’t roam freely across the whole network,” explains Parnes.
‘Freely’ is the important word. It doesn’t block lateral movement completely but slows it down significantly. That alone might be enough. Cybercriminals prefer quick, easy targets and tend to avoid situations where they might get caught. If things get difficult, they’re likely to give up and move on to another victim.
The agility gap in action
One critical factor we haven’t discussed is the danger of stolen API keys in agentic AI systems. These can lead to much faster breaches with far greater damage, and the risk grows rapidly as businesses adopt agentic AI systems heavily. This is another case where AI widens the gap between attackers’ speed and defenders’ ability to respond.
A stolen API key doesn’t just unlock a data store – it gives attackers control of an AI agent that operates like a trusted employee, communicating with other trusted agents, moving freely across the network, and acting independently. It can access not just data but entire workflows. Since agents are built into the system as trusted components, they usually won’t trigger security alerts or be stopped by firewalls until after they’ve already taken action.
Once inside an agentic system, the attacker effectively controls every connected platform (like Jira, Slack, AWS, etc.) that the system integrates with. Hard to detect, such an attacker could study the system through the agentic interface and then strike, potentially launching thousands of malicious actions at machine speed across the entire infrastructure before anyone notices.
With stolen API keys, detection and containment are difficult, while the potential damage is severe.
The future
“I believe, honestly, like any type of attack, attackers will always stay ahead of us,” says George. “Our job is to close the gap between attacker and defender as much as possible, but we’ll never eliminate it entirely. We can never fully protect against any attack, including identity-based ones. And if any vendor or expert promises 100% protection… you should laugh at them.”