Compromised creds fuel 80% of breaches
- Verizon's 2025 DBIR says credential abuse was the initial access vector in 22% of breaches, vulnerability exploitation in 20%, and third-party involvement doubled to 30%.
- Google Cloud's H1 2026 Threat Horizons report says identity issues drove initial access in 83% of the major cloud and SaaS incidents it studied.
- The shift is clear: breaches now spread through identities, tokens, and certificates, not just malware or perimeter holes.
Identity has become the real attack surface. That's the simple version. Attackers still use malware and software bugs, but a huge share of modern break-ins now starts with a login, a token, or a certificate that looks legitimate. That matters because the old mental model, keep bad traffic out at the edge, no longer matches how many intrusions actually work. The latest reports from Verizon and Google Cloud make that gap hard to ignore. (verizon.com)

### What changed in the newest data?

Verizon's 2025 DBIR looked at 22,052 incidents and 12,195 confirmed breaches. In that set, credential abuse accounted for 22% of initial access vectors, just ahead of vulnerability exploitation at 20%. Third-party involvement doubled to 30%, which matters because partner access and outsourced systems usually come with trusted identities attached: a supplier's VPN account or a vendor's API key authenticates the same way an employee does. (verizon.com)

### Why does the "80%" claim keep showing up?

Because people are mixing different slices of the problem. In cloud and SaaS-heavy environments, Google Cloud's H1 2026 Threat Horizons report says identity issues were used for initial access in 83% of the major incidents it studied in H2 2025. That is not the same thing as saying 80% of every breach eve[…] (verizon.com) […]se now dominates a lot of real-world intrusions. (cloud.google.com)

### What counts as an identity issue?

More than just a reused password. It includes stolen credentials, session cookies, API keys, OAuth grants, service account secrets, and certificates that let an attacker authenticate without tripping the alarms built for malware. Mandiant's 2025 reporting also flagged stolen credentials as 16% of obs[…] (cloud.google.com) […]valid seat at the table. (cloud.google.com)

### Why are certificates part of this story?

Because Active Directory Certificate Services can hand out trust that lasts. If AD CS is misconfigured, an attacker can mint or abuse certificates for user authentication, persistence, and even domain escalation.
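The misconfiguration class described above, as an added example that is not code from the page, from SpecterOps or from Microsoft: a PowerShell audit of AD CS certificate templates for the pattern SpecterOps catalogued as ESC1, where a low-privileged principal can enroll in a published template that lets the enrollee supply the subject name, carries a client-authentication EKU, and requires neither manager approval nor authorized signatures. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the set of group names treated as "low-privileged" is an assumption to adapt to your own directory.

```powershell
# Added example, not from the page: flag AD CS templates matching the ESC1 pattern.
# Assumes RSAT ActiveDirectory module and read access to CN=Configuration.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Only templates actually offered by an enrollment service (CA) can be requested.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

# EKUs that let the issued certificate authenticate a user to the domain.
$authEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment extended right
# Assumption: these are the wide groups you consider low-privileged; add your own (e.g. "All Staff").
$lowPriv = '^(NT AUTHORITY\\Authenticated Users|Everyone|.+\\Domain Users|.+\\Domain Computers)$'

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature,
                pKIExtendedKeyUsage, nTSecurityDescriptor

foreach ($t in $templates) {
    if ($published -notcontains $t.Name) { continue }

    $enrolleeSuppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $needsApproval           = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
    $needsSignatures         = [int]($t.'msPKI-RA-Signature') -gt 0
    $ekus                    = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    # An empty EKU list means "any purpose", which also permits authentication.
    $allowsAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $authEkus -contains $_ }).Count -gt 0)

    # Allow ACEs granting Enroll/AutoEnroll (or all extended rights, or GenericAll) to a wide group.
    $lowPrivEnrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $lowPriv -and
        (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            (
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                ($_.ObjectType -in @($enrollGuid, $autoEnrollGuid, [guid]::Empty))
            )
        )
    } | ForEach-Object { $_.IdentityReference.Value }

    if ($enrolleeSuppliesSubject -and $allowsAuth -and -not $needsApproval -and -not $needsSignatures -and $lowPrivEnrollers) {
        [pscustomobject]@{
            Template  = $t.Name
            Enrollers = (@($lowPrivEnrollers) | Sort-Object -Unique) -join ', '
            EKUs      = $(if ($ekus.Count) { $ekus -join ', ' } else { '<none: any purpose>' })
            Finding   = 'ESC1 candidate: low-privileged enrollee can set the SAN on a client-auth template with no approval'
        }
    }
}
```

Every template this prints is one where a domain user can request a certificate naming an administrator in the SAN and then log on as that administrator. The fix is to clear the enrollee-supplies-subject flag, require manager approval, or tighten the enroll ACL; re-run the script afterwards to confirm the finding disappears.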
SpecterOps laid out years ago how that works, and Microsoft later said roughly 30% to 40% of environments w[…] (cloud.google.com) […]ertificate abuse keeps showing up in identity defense conversations. (specterops.io)

### Why is AD CS so dangerous when it breaks?

A password can be reset. A certificate issued in a user's name stays valid until it expires or is revoked, no matter how many times that password changes, and a logon with it looks like ordinary certificate authentication rather than a stolen secret. That makes AD CS abuse feel less like stealing a house key and more like getting a perfect copy of the building's badge printer. Microsoft's Defender for Identity now has a whole certificate posture section focused on […] (specterops.io) […]ettings. (learn.microsoft.com)

### So what should defenders do first?

Start with phishing-resistant MFA, ideally FIDO security keys or passkeys for human users. Then go after service accounts, stale secrets, and overprivileged app identities, because those are the accounts defenders tend to inventory badly and attackers love to keep: they rarely have MFA, their passwords rarely rotate, and their logons are seldom watched the way human logons are. For Windows-heavy shops, AD CS needs the same hardening attention as domain controllers, not treatment as a forgotten PKI sidecar. (cloud.google.com)

### Does this mean passwords are the whole problem?

No, and that's the trap. The bigger issue is trusted authentication material of any kind. If an attacker can present something your systems accept as proof, the intrusion can look like normal business traffic. That is why "identity is the new perimeter" sounds cliché but keeps proving true. (cloud.google.com)

### What's the bottom line?

The headline number matters less than the direction. Across enterprise, cloud, and hybrid environments, the center of gravity has moved toward identity abuse. If defenders still treat credentials, tokens, certificates, and service accounts as side issues, they are protecting the walls while attackers walk through the front door. (cloud.google.com)
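The service-account inventory that the "what should defenders do first" answer calls for, as an added example that is not code from the page: a PowerShell pass over every Active Directory user that carries a service principal name, reporting the properties attackers exploit to keep such accounts (passwords that never expire or have not rotated, Kerberos pre-authentication disabled, no AES advertised so service tickets crack faster, and membership in a Tier-0 group). It assumes the RSAT ActiveDirectory module and read access to the domain; the 365-day rotation threshold and the set of groups treated as Tier-0 are assumptions to tune.

```powershell
# Added example, not from the page: inventory SPN-bearing AD accounts attackers like to keep.
# Assumes RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 365                     # assumed rotation policy; tune to your own
$cutoff = (Get-Date).AddDays(-$maxPasswordAgeDays)

# Assumption: Tier-0 means these well-known groups. 512 Domain Admins, 519 Enterprise Admins,
# 518 Schema Admins (forest root only), S-1-5-32-544 BUILTIN\Administrators.
$domainSid = (Get-ADDomain).DomainSID.Value
$tier0Groups = @("$domainSid-512", "$domainSid-519", "$domainSid-518", 'S-1-5-32-544') |
    ForEach-Object { Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue }

# Resolve nested membership server-side with LDAP_MATCHING_RULE_IN_CHAIN
# (does not cover membership granted only via primaryGroupID).
$tier0Members = @{}
if ($tier0Groups) {
    $clauses = ($tier0Groups | ForEach-Object { "(memberOf:1.2.840.113556.1.4.1941:=$($_.DistinguishedName))" }) -join ''
    Get-ADUser -LDAPFilter "(|$clauses)" | ForEach-Object { $tier0Members[$_.DistinguishedName] = $true }
}

$serviceAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, PasswordLastSet, PasswordNeverExpires, LastLogonDate,
                DoesNotRequirePreAuth, msDS-SupportedEncryptionTypes

foreach ($u in $serviceAccounts) {
    $findings = @()
    if ($u.PasswordNeverExpires) { $findings += 'password never expires' }
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) {
        $findings += "password older than $maxPasswordAgeDays days"
    }
    # LastLogonDate is replicated only roughly every 14 days, so treat it as a coarse signal.
    if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) { $findings += 'no logon within threshold window' }
    if ($u.DoesNotRequirePreAuth) { $findings += 'Kerberos pre-authentication disabled (AS-REP roastable)' }
    # msDS-SupportedEncryptionTypes: 0x4 RC4, 0x8 AES128, 0x10 AES256. No AES bit means the account
    # relies on DC defaults, which historically meant RC4 service tickets (cheap to crack after Kerberoasting).
    $enc = [int]($u.'msDS-SupportedEncryptionTypes')
    if (($enc -band 0x18) -eq 0) { $findings += 'AES not advertised for Kerberos' }
    if ($tier0Members.ContainsKey($u.DistinguishedName)) { $findings += 'member of a Tier-0 group' }

    if ($findings) {
        [pscustomobject]@{
            Account  = $u.SamAccountName
            Enabled  = $u.Enabled
            SPNs     = (@($u.servicePrincipalName) -join '; ')
            PwdSet   = $u.PasswordLastSet
            Findings = $findings -join '; '
        }
    }
}
```

Run it as a scheduled job and diff the output week over week: a service account that newly joins a Tier-0 group, or whose password suddenly stops rotating, is exactly the kind of quiet persistence the page is warning about. Accounts that show up with several findings at once are the first candidates for moving to group Managed Service Accounts or a secrets vault.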