Are credential leaks a growing threat?

by Black Hat Middle East and Africa

Passwords have been a problem for a long time. But in 2025, the extent of credential attacks is escalating. According to a report from Fortinet, 1.7 billion stolen credential records were shared in underground forums in the past year alone. 

This enormous vault of sensitive data is fuelling credential-based attacks that are increasingly efficient, devastating, and difficult to detect.

What does the data say? 

Credential compromise is often the entry point for much worse. Recent research by eSentire found that valid credentials were used in 48.6% of initial access cases in 2024. These credentials (whether stolen, phished, or bought) let attackers quietly slip into targets’ systems without raising red flags.

That’s not just theory. According to KELA’s 2025 Infostealer Epidemic report, ransomware followed stolen credentials within 2.5 weeks on average. Once inside, attackers don’t hang around – they move fast to do real damage.

And who’s most at risk? KELA found that project management roles made up 28% of infostealer victims, followed by consulting (12%) and software development (10.7%). That’s a wide attack surface – and attackers are using increasingly industrialised methods to exploit it.

Why Passwords Are So Easy to Break

Poor password hygiene is part of the problem, but it’s far from being the only cause. Tools for password cracking are becoming faster and more accessible than ever. Hive Systems recently found that password cracking is now 20% faster than in 2024, thanks to advances in consumer GPU capabilities.

And users who think their password is strong just because it’s long need to think again. Hive’s latest password table shows just how quickly brute force attacks can break common patterns, especially if those passwords have been reused or follow predictable formats.

When we spoke to Umer Khan (Chief Information Officer and SVP at Relativity Space) about passwordless security, he said “Passwords... seriously... suck!”

He explained that they’re vulnerable at every stage. “They can be guessed, intercepted, phished, cracked, or stolen.” And even with strong passwords, the sheer number of ways they can be leaked (through memory dumps, clipboard theft, or reuse) means we’re always playing catch-up.

But it’s not just about the passwords 

Credential leaks go beyond passwords alone, and Khan noted that credential phishing remains one of the most common attack vectors – “it’s often an early step towards compromising the entire network.”

Add to this the alarming fact that more than 35% of people had an account compromised due to weak passwords in the past year (according to the FIDO Alliance’s 2025 report), and you get a sense of the scale.

eSentire’s data backs this up. It shows that stolen VPN credentials, often lacking MFA protection, were used to gain deep access into corporate networks – particularly in ransomware attacks.

And if you’re wondering whether organisations are taking this seriously, researchers at Logicalis found that 76% of CIOs say credential leaks are a growing threat.

Why passwordless security is the future 

Passwordless authentication won’t eliminate credential leaks, but it’s a valuable part of the solution – especially phishing-resistant options like FIDO2, Passkeys, and biometrics.

Khan explained: 

“Passwordless authentication makes use of FIDO2 to skip passwords altogether...there is no symmetric secret (i.e. a password) which can be stolen from a server, intercepted during transmission, or phished from a user remotely.”

And when we interviewed Brett Winterford (Chief Security Officer, APJ at Okta), he echoed this: 

“The vast majority of cyber security incidents stem from password-based attacks,” he said, and “the only MFA factors that are resilient to these attacks are passwordless, phishing resistant factors.”

He also addressed the challenge of getting there:

“The hard part is the ‘chicken and egg’ challenge of having enough assurance about a user’s identity to enrol them in phishing resistant factors in the first place.”

But passwordless authentication tech is already showing real-world results. And it has the added benefit of improving user experience, instead of adding more layers of friction. 

Credentials as a commodity 

The cybercrime ecosystem treats corporate credentials as a commodity. As the KELA report noted, credentials are being traded at scale via automated markets, subscription services, and even ULP lists (URL:Login:Password) – and this makes it easier than ever for attackers to launch targeted campaigns.
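For defenders who receive such a list through a threat-intelligence feed, the ULP format needs careful parsing, because URLs contain colons of their own and passwords may too. The following is an added example, not part of the original article: it assumes every line starts with a URL scheme, uses `example.com` as a stand-in for the organisation's domain, and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# Heuristic for one ULP line: the URL may contain "://" and ":port", the login
# contains no colon, and everything after the login is the password.
ULP_RE = re.compile(
    r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:\s]+)(?::\d+)?(?:/[^:\s]*)?"
    r":(?P<login>[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)

# Constructed sample lines, not real leaked data. example.com stands in for the
# organisation's own domain (an assumption for this example).
SAMPLE = [
    "https://vpn.example.com:8443/login:alice@example.com:Summer2025!",
    "https://mail.example.com/owa:bob@example.com:p:ss:w0rd",
    "https://shop.other.test/account:alice@example.com:hunter2",
    "https://vpn.example.com/:jsmith:Winter!",
    "https://notexample.com/:carol@gmail.test:abc123",
    "malformed line",
]

def in_domain(name, domain):
    """True if name is the domain itself or one of its subdomains."""
    name, domain = name.lower().rstrip("."), domain.lower()
    return name == domain or name.endswith("." + domain)

def triage(lines, corp_domain):
    """Map each exposed login to the hosts it was captured for, split into
    corporate services and third-party sites. Passwords are never stored."""
    exposed = defaultdict(lambda: {"corporate_service": set(), "third_party": set()})
    skipped = 0
    for line in lines:
        m = ULP_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparseable lines instead of guessing at them
            continue
        host, login = m["host"].lower(), m["login"].lower()
        if in_domain(host, corp_domain):
            exposed[login]["corporate_service"].add(host)
        elif in_domain(login.rpartition("@")[2], corp_domain):
            exposed[login]["third_party"].add(host)
    return dict(exposed), skipped

if __name__ == "__main__":
    report, skipped = triage(SAMPLE, "example.com")
    for login, hosts in sorted(report.items()):
        print(login, {k: sorted(v) for k, v in hosts.items()})
    print("skipped:", skipped)
```

Logins under `corporate_service` are candidates for an immediate reset and session revocation; those under `third_party` point to a corporate address used on an outside site, where password reuse is the concern.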

A single leaked credential can lead to widespread outages, ransomware attacks, or data breaches – with the potential to harm both reputation and revenue. So securing the processes we use to authenticate users is critical. 
