The Rising Role of Stolen Credentials in Cybercrime: 3 Insights from the 2025 Verizon DBIR 

May 09, 2025

The 2025 Verizon Data Breach Investigations Report (DBIR), based on 22,052 incidents and 12,195 confirmed breaches from 139 countries, provides a detailed account of how threat actors gain and maintain access to systems. Identity-based attack vectors, particularly the use of stolen credentials, remain dominant across environments and sectors.

We are proud to be a contributor to the Verizon DBIR, and helped provide insights into the role of stolen credentials in attacks.

  1. Stolen Credentials Reign as the Defining Method in Attacks

Credentials were involved in 88% of basic web application attack breaches, making them not only the most common initial attack vector but also, frequently, the only one. 

These credentials are often acquired through:

  • Infostealers – malware designed to scrape saved passwords, cookies, and crypto wallets.
  • Brute-force attacks – relentlessly guessing credentials until one works.
  • Backdoors and C2s – persistent access after initial compromise.

These tactics reflect a growing criminal ecosystem where credentials are valuable. Entire marketplaces have emerged for buying and selling stolen data, including:

  2. Infostealer Malware Impacts Corporate Assets

Infostealer malware harvests more than login credentials from a victim’s device, including stored passwords and session cookies. From the analysis of over 33,000 infostealer logs, researchers found that many credentials lead to far more than personal email or streaming services. Threat actors are also obtaining access to:

  • VPNs
  • Cloud administration consoles
  • Internal GitHub repos
  • Development tools

Out of the analyzed stealer logs, 30% of the systems were enterprise-licensed, meaning that they were corporate devices. In addition, an estimated 46% of compromised devices with potential corporate credentials were non-managed, suggesting inadequate BYOD controls or shadow IT usage.
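The classification described above (corporate credentials by target service, then device license and management status) is easy to reproduce on a defender's own stealer-log feed. The following Python is an added example, not code from Flare or the DBIR; it assumes a simplified key=value log line format, an invented corporate domain, and a "managed" flag that a defender would normally join in from their own device inventory.

```python
import re
from collections import Counter

# Constructed stealer-log sample (invented for illustration, not real data).
# Fields mirror what stealer logs commonly carry: host, saved username, the
# URL the credential was saved for, the Windows edition; "managed" is an
# assumed MDM-enrollment flag a defender would join in from their own CMDB.
SAMPLE_LOGS = """\
host=DESKTOP-A1 user=j.doe@example-corp.com url=https://vpn.example-corp.com/login edition=Enterprise managed=yes
host=LAPTOP-B2 user=jdoe99@gmail.com url=https://streaming.example.net/ edition=Home managed=no
host=LAPTOP-B2 user=j.doe@example-corp.com url=https://console.cloud.example.com/ edition=Home managed=no
host=WS-C3 user=a.smith@example-corp.com url=https://github.example-corp.com/ edition=Pro managed=no
host=WS-D4 user=m.lee@example-corp.com url=https://jira.example-corp.com/ edition=Enterprise managed=yes
"""
CORP_DOMAINS = {"example-corp.com"}  # assumption: the org's own email domains

# Keyword rules for the four kinds of access the DBIR analysis called out.
TARGET_RULES = [
    ("vpn", re.compile(r"vpn\.|/vpn", re.I)),
    ("cloud_admin_console", re.compile(r"console\.|portal\.|admin\.", re.I)),
    ("internal_repo", re.compile(r"github\.|gitlab\.|bitbucket\.", re.I)),
    ("dev_tools", re.compile(r"jenkins\.|jira\.|atlassian\.|npmjs\.", re.I)),
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_logs(text):
    # key=value tokens per line; lines missing the core fields are skipped
    recs = [dict(FIELD_RE.findall(line)) for line in text.splitlines()]
    return [r for r in recs if {"host", "user", "url"}.issubset(r)]

def classify_target(url):
    return next((label for label, rx in TARGET_RULES if rx.search(url)), "other")

def is_corporate(user, corp_domains=CORP_DOMAINS):
    return "@" in user and user.rsplit("@", 1)[1].lower() in corp_domains

def summarize(records, corp_domains=CORP_DOMAINS):
    # Only credentials for corporate domains matter; count each device once.
    corp = [r for r in records if is_corporate(r["user"], corp_domains)]
    hosts = {r["host"]: r for r in corp}
    n = len(hosts) or 1
    return {
        "corporate_credentials": len(corp),
        "hosts_with_corporate_creds": len(hosts),
        "enterprise_licensed_share": sum(r.get("edition") == "Enterprise" for r in hosts.values()) / n,
        "unmanaged_share": sum(r.get("managed") == "no" for r in hosts.values()) / n,
        "targets": dict(Counter(classify_target(r["url"]) for r in corp)),
    }
```

The unmanaged share is the number a BYOD policy review should track over time, and the per-target counts show which corporate systems need forced credential resets first.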

Stronger BYOD controls would help organizations protect against stealer log access to corporate login data on personal devices. 

To learn more about the role of stealer logs in cybercrime concerning corporate devices, read Stealer Logs, Single Sign-On, and the New Era of Corporate Cybercrime.

  3. Infostealer Malware & Ransomware Are Correlated

Stolen credentials are also finding their way into ransomware operations. The DBIR reveals that:

  • 54% of ransomware victims had their credentials found in infostealer logs
  • 40% of those logs included corporate emails

In addition, the median time between a ransomware victim's disclosure and the detection of related stolen credentials is two days, which strongly indicates that ransomware operators leverage infostealer malware.

This is some of the clearest research yet tying exposed credentials to ransomware attacks.

Simplified Attacks, Complex Impacts

This year’s DBIR is a continued reminder that complex breaches often begin with something simple—a reused password, a forgotten login, or a BYOD policy that’s more suggestion than standard. Espionage may be escalating, but the vector remains basic: stolen credentials.

Main Takeaways for Security Teams

  • Credential-based access is still the dominant entry point. Organizations should prioritize visibility into external credential exposure—especially from infostealer logs and third-party systems.
  • Non-managed devices represent a major identity risk surface. Identity data collected from unmanaged endpoints should be evaluated alongside endpoint telemetry.
  • Shadow SaaS/shadow IT and related credential reuse remain under-monitored: reducing remediation time for shadow SaaS or unaccounted-for corporate SaaS identity exposures should be a KPI.
  • Leaked secrets function as identity artifacts. Treat authentication tokens, API keys, and JWTs as high-value identity data requiring the same protection as passwords.
  • Behavioral and usage-based signals are not enough. External intelligence on leaked credentials complements internal monitoring by offering early detection signals that aren’t otherwise visible.

Download and read the full report, the 2025 Data Breach Investigations Report, to learn more about today’s threat landscape.

Threat Exposure Management with Flare

Flare's Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.
