They Log In
People still picture hackers as technical experts who break into systems through obscure loopholes or flaws in the technology. That image of attackers forcing their way in with sophisticated exploits bears little resemblance to the increasingly typical pattern: attackers simply log in with stolen credentials. This shift underscores a critical point for security practitioners: identity is at the core of your security strategy.
According to the 2024 Verizon Data Breach Investigations Report (DBIR), “Over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches.” Attackers get these credentials from phishing, social engineering, infostealer malware, credential stuffing with passwords reused from earlier breaches, and plain old brute force. As long as systems accept a password alone, without phishing-resistant MFA, this attack vector will remain open.
The 2024 Snowflake breach, possibly one of the largest data breaches in history, is an eye-opening example of how expansive a single credential-based campaign can be. No flaw in Snowflake's platform was exploited; the attackers logged in to customer accounts with valid credentials. According to Mandiant's investigation, roughly 165 organizations were potentially exposed. Ticketmaster, Santander Bank, Advance Auto Parts, AT&T, and others have all reported data breaches linked to Snowflake. The compromised accounts were protected by a password alone, with no MFA, and many of those passwords had been harvested by infostealer malware, some of them years earlier.
These examples are not anomalies; they are part of a growing trend in which attackers use existing credentials, obtained through phishing, social engineering, infostealer logs, or purchase on dark web marketplaces. The RockYou2024 compilation, posted in July 2024, contains close to 10 billion unique plaintext passwords, and it is a fair bet that far too many of the accounts behind them are not protected by MFA. Attackers no longer need to find and exploit zero-day vulnerabilities; they can simply walk through the front door.
Okta's October 2023 breach shows that even a key player in identity and access management, a gatekeeper of digital identities, is not immune. The attackers did not exploit a flaw in Okta's software; they used a stolen service-account credential to reach Okta's customer support system. Data on every user of that support system was exposed, and for some customers the HAR files they had uploaded for troubleshooting contained live session tokens and cookies, which the attackers then tried to use against those customers' Okta tenants. Because Okta is a supplier to those organizations, its compromise became their supply chain incident.
The Okta incident particularly underscores the complexity of modern security environments. When your suppliers and partners are part of your security ecosystem, their vulnerabilities become your vulnerabilities. This interconnectedness requires a holistic approach to identity management that extends beyond your organization.
After a user authenticates (even with strong authentication), subsequent requests are identified by a session token, typically stored in a browser cookie or held by the mobile or desktop app that talks to the application's backend. Identity providers issue similar tokens for their own sessions. These are bearer tokens: the server accepts them from whoever presents them, and nothing ties them to the device that completed the MFA challenge. If an attacker obtains one (in the Okta breach, from HAR files that customers had uploaded to the support system for troubleshooting), they assume the user's identity, negating even the strongest authentication the user may have used. This is why session lifetime, binding sessions to the client, and the ability to revoke sessions on demand matter as much as the login itself.
Security practitioners need to recognize that robust identity management is no longer optional; it's essential. Identity and access management (IAM) is not just about compliance or user convenience; it's a fundamental pillar of your security posture.
Attackers logging in instead of breaking in is a fundamental change in the threat landscape. Security practitioners must treat identity as a core component of their strategy and take a multifaceted approach to credential-based attacks: phishing-resistant authentication, continuous monitoring, a zero-trust mindset, and signaling between identity providers and applications through the Shared Signals Framework (SSF) and its Continuous Access Evaluation Profile (CAEP), so that a compromised account or device can be acted on mid-session rather than at the next login. Just as important is minimizing the blast radius of a breach through zero standing privilege: access is granted just in time, scoped to the task, and removed as soon as the task is done. With zero standing privilege, an identity compromise is reduced to an incident for your SOC to handle, rather than a calamitous event that pulls in your finance, legal, PR and leadership teams.
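The two mechanisms above, a bearer session token that replays no matter how strong the login was, and a CAEP session-revoked signal that ends that session, are easier to see in code. The following is an added example written for this post, not code from the original article or from any SSF/CAEP implementation. It builds a minimal server-side session store, shows a stolen token being replayed, then has a hypothetical identity provider (the SSF transmitter) emit a CAEP session-revoked Security Event Token (SET, RFC 8417) that the application (the receiver) verifies and acts on. The issuer and audience URLs, the subject, the token values, the event id and the shared HMAC secret are all constructed for the demo; the claim layout follows the CAEP session-revoked event with a top-level `sub_id`, but a production receiver should follow the current SSF and CAEP specifications, verify asymmetric signatures against the transmitter's published JWKS, and take delivery over the SSF push or poll endpoints rather than a direct function call.

```python
"""Added example, not from the original post: a bearer session token is all an
attacker needs, and a CAEP session-revoked Security Event Token (SET, RFC 8417)
sent over the Shared Signals Framework (SSF) lets the IdP make the app kill it.
Issuer, audience, subject, tokens and the shared secret are constructed here."""
import base64, hashlib, hmac, json

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
SET_TYP = "secevent+jwt"
# Demo-only HMAC secret; real SSF transmitters sign SETs with an asymmetric key.
TRANSMITTER_SECRET = b"constructed-demo-secret-not-for-production"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SessionStore:
    """Server-side sessions keyed by an opaque bearer token (the cookie value)."""
    def __init__(self):
        self.sessions = {}    # token -> {"sub": email, "exp": unix time}
        self.by_subject = {}  # email -> tokens, so one signal can revoke them all

    def login(self, sub, token, now, ttl=3600):
        self.sessions[token] = {"sub": sub, "exp": now + ttl}
        self.by_subject.setdefault(sub, set()).add(token)

    def authorize(self, token, now):
        """Subject for a live token, else None. Nothing ties the token to the
        browser that passed MFA: whoever presents it is treated as the user."""
        sess = self.sessions.get(token)
        return None if sess is None or now >= sess["exp"] else sess["sub"]

    def revoke_subject(self, sub):
        tokens = self.by_subject.pop(sub, set())
        for token in tokens:
            self.sessions.pop(token, None)
        return len(tokens)

def sign_set(claims, secret):
    """Serialize a SET as a compact HS256 JWS: header.payload.signature."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": SET_TYP}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def build_session_revoked_set(issuer, audience, email, secret, now, jti):
    """Transmitter (IdP) side: announce that the subject's sessions are revoked."""
    claims = {"iss": issuer, "aud": audience, "iat": now, "jti": jti,
              "sub_id": {"format": "email", "email": email},
              "events": {CAEP_SESSION_REVOKED: {
                  "event_timestamp": now,
                  "reason_admin": {"en": "Credential compromise reported"}}}}
    return sign_set(claims, secret)

def receive_set(set_jwt, secret, expected_iss, expected_aud, store, seen_jti):
    """Receiver (app) side: verify the SET, then act on it.
    Returns the number of sessions revoked, or 0 if the SET is rejected."""
    try:
        h, p, s = set_jwt.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256" or header.get("typ") != SET_TYP:
            return 0  # pin the algorithm before trusting anything else
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return 0
        claims = json.loads(b64url_decode(p))
    except ValueError:
        return 0
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return 0
    if claims.get("jti") in seen_jti:  # a captured SET must not be replayable
        return 0
    seen_jti.add(claims.get("jti"))
    subject = claims.get("sub_id", {})
    if CAEP_SESSION_REVOKED not in claims.get("events", {}) or subject.get("format") != "email":
        return 0
    return store.revoke_subject(subject["email"])

def demo(now=1_700_000_000):
    """The stolen token replays until the CAEP signal lands, then it is dead."""
    store, seen = SessionStore(), set()
    store.login("alice@example.com", "tok-abc", now)
    replay_before = store.authorize("tok-abc", now + 60)  # attacker replays cookie
    set_jwt = build_session_revoked_set("https://idp.example", "https://app.example",
                                        "alice@example.com", TRANSMITTER_SECRET,
                                        now + 120, "evt-001")
    revoked = receive_set(set_jwt, TRANSMITTER_SECRET, "https://idp.example",
                          "https://app.example", store, seen)
    replay_after = store.authorize("tok-abc", now + 180)
    return replay_before, revoked, replay_after  # ('alice@example.com', 1, None)
```

Two details in the receiver are the ones that matter in practice: the algorithm and audience are checked before anything in the payload is trusted, and each `jti` is recorded so that a SET captured in transit cannot itself be replayed to trigger or mask revocations. Without the revocation path, the first `authorize` call shows the problem the post describes: the attacker's replay of `tok-abc` is indistinguishable from the user who passed MFA.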
By understanding and adapting to this new reality, organizations can better protect their assets and ensure that they remain resilient against the evolving tactics of modern cyber adversaries.