One Stolen Password Can Breach Your Entire System

Summary
– Identity-based attacks, primarily using stolen credentials and phishing, were the dominant initial access method in 2025, involved in 65% of intrusions.
– Attackers increasingly exploit browser activity and SaaS integrations, with 48% of investigations involving malicious sites and OAuth misuse enabling persistence.
– AI is accelerating attack timelines, with the fastest intrusions reaching data exfiltration in 72 minutes and being used for reconnaissance and automated extortion.
– Supply chain risks are expanding beyond software to include SaaS integrations and vendor tools, with dormant permissions creating hidden access paths.
– Ransomware extortion tactics are shifting, with slightly less reliance on encryption but higher median ransom demands and payments in 2025.
A single compromised password can unlock a company’s entire digital kingdom, granting attackers a direct route to move undetected across networks, cloud services, and critical data. This alarming reality stems from overly broad access permissions and fragmented security visibility, turning a routine credential theft into a catastrophic breach. The latest threat intelligence reveals that in a staggering 87% of investigated incidents, attacker activity spanned multiple surfaces, forcing defenders to chase threats across endpoints, identity systems, and cloud environments within a single intrusion.
This pattern underscores a fundamental shift in the cyber threat landscape, where identity has become the dominant driver of initial access. Investigations from the past year show that identity weaknesses were a material factor in nearly 90% of cases, with techniques like phishing, stolen credentials, and brute force attacks accounting for 65% of initial compromises. Security experts point to a range of exploitable challenges, including excessive user permissions, a lack of phishing-resistant multi-factor authentication, reused or default passwords, and misconfigured access management systems. Unmonitored OAuth grants, stale user accounts, and shared login credentials further widen the attack surface.
Phishing and vulnerability exploitation were tied as the top entry vectors, while the misuse of previously stolen passwords and social engineering tactics remained highly significant. A particularly concerning trend is the rise of session hijacking and token theft, methods that allow adversaries to bypass traditional MFA protections. By abusing OAuth applications or leveraging long-lived access tokens, attackers can maintain a persistent presence inside software-as-a-service platforms without triggering repeated login prompts, quietly blending in with normal user activity.
The surge in identity-focused attacks mirrors profound changes in corporate infrastructure. The first key driver is the explosive growth of SaaS applications, cloud infrastructure, and machine identities, which often surpass human user accounts in number. This expansion has created a vast and frequently unmanaged digital estate, where every new integration represents a potential, unmonitored pathway into the network. An analysis of hundreds of thousands of cloud identities found that 99% had excessive permissions, with many privileges going unused for months, creating ready-made escalation paths for any intruder.
The second driver is the adversary’s adaptation to this new environment. Attackers have refined their playbooks to exploit this sprawling identity footprint, relying heavily on stolen credentials to log in rather than break in. This approach allows malicious activity to seamlessly mimic legitimate traffic, severely challenging the detection capabilities of even advanced security teams.
Browser-based activity is now a major entry point, implicated in nearly half of all investigations. Attacks frequently begin when users visit malicious sites through poisoned search engine results, click on compromised sponsored ads, or download tampered software. In documented cases, employees searching for everyday information like a restaurant were redirected to spoofed pages that prompted them to execute malicious code, leading to memory-resident malware or credential theft.
The intrusion timeline is accelerating, with artificial intelligence playing a notable role. Threat actors are leveraging AI to conduct faster reconnaissance, craft convincing social engineering messages, and generate deployment scripts. The window for defenders is shrinking dramatically; the fastest intrusions now reach the data exfiltration stage in just over an hour, a fraction of the time required previously. Furthermore, attackers are beginning to misuse legitimate enterprise AI tools, using compromised accounts to query internal documentation and system guides at scale, a technique being called “living off the AI land.”
Supply chain risks are also evolving beyond vulnerable software, now encompassing SaaS integrations and vendor management tools. Data from SaaS applications played a role in nearly a quarter of recent cases, with poorly monitored OAuth integrations and API connections creating hidden backdoors. Similarly, legitimate remote management tools are frequently abused for command-and-control functions, while open-source dependency sprawl in development pipelines introduces vulnerabilities long before deployment.
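As an added illustration of the dormant-permission and unmonitored-OAuth-grant risk described above (this is example code, not from the report or from HelpNet Security): a small audit that flags permissions unused for months and live grants still held by accounts that no longer sign in. The record layout, scope names, thresholds and all sample data are constructed assumptions, not any vendor's real schema.

```python
from datetime import date

# Constructed sample records (not real telemetry). The layout is an assumption:
# one row per grant, with the last observed use of each permission (None = never).
GRANTS = [
    {"principal": "alice@example.com", "app": "CRM-Sync", "granted": "2025-01-10",
     "principal_last_login": "2025-11-30",
     "permissions": {"mail.read": "2025-11-28", "files.readwrite.all": None}},
    {"principal": "bob@example.com", "app": "Legacy-Reporting", "granted": "2024-06-01",
     "principal_last_login": "2025-06-15",
     "permissions": {"directory.read.all": "2025-05-20"}},
    {"principal": "svc-deploy", "app": "CI-Runner", "granted": "2025-03-01",
     "principal_last_login": "2025-11-30",
     "permissions": {"repo.write": "2025-11-30", "iam:*": "2025-11-29"}},
]

# Scopes with broad read/write reach (illustrative names); dormancy of these is high severity.
HIGH_RISK = {"files.readwrite.all", "directory.readwrite.all", "mail.send", "iam:*"}


def _d(s):
    return date.fromisoformat(s) if isinstance(s, str) else s


def find_dormant_access(grants, today, dormant_days=90, stale_login_days=60):
    """Return findings for permissions unused >= dormant_days and for grants
    still held by principals that have not signed in for >= stale_login_days."""
    today = _d(today)
    findings = []
    for g in grants:
        granted = _d(g["granted"])
        for perm, last_used in g["permissions"].items():
            # A never-used permission is measured from the day it was granted.
            idle = (today - (_d(last_used) or granted)).days
            if idle >= dormant_days:
                findings.append({"principal": g["principal"], "app": g["app"],
                                 "permission": perm, "idle_days": idle,
                                 "never_used": last_used is None,
                                 "severity": "high" if perm in HIGH_RISK else "low"})
        stale = (today - _d(g["principal_last_login"])).days
        if stale >= stale_login_days:
            # A live grant on an account nobody uses is an access path nobody watches.
            findings.append({"principal": g["principal"], "app": g["app"],
                             "permission": "*", "idle_days": stale,
                             "never_used": False, "severity": "high"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["idle_days"]))


if __name__ == "__main__":
    for f in find_dormant_access(GRANTS, "2025-12-01"):
        print(f"{f['severity']:4} {f['principal']:18} {f['app']:17} {f['permission']:20} "
              f"idle {f['idle_days']}d" + (" (never used)" if f["never_used"] else ""))
```

Permissions still in active use (such as the service account's `iam:*` here) are not dormant and pass this check; over-broad but active scopes need a separate least-privilege review.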
In the realm of cyber extortion, tactics are shifting. While data encryption remains prevalent, its occurrence has slightly decreased, while theft-only incidents (data stolen without encryption) hold steady. Financial pressures are intensifying, with median ransom demands and payments seeing significant increases. Organizational resilience heavily depends on backup integrity; although over 40% of victims restored systems from backups, attackers successfully targeted those backups in more than a quarter of cases, compounding recovery challenges and downtime.
(Source: HelpNet Security)