One of the most pressing cyber threats businesses face today is the rampant rise in compromised credentials. Data from Check Point External Risk Management (previously known as Cyberint) reveals a staggering 160% increase in compromised credentials so far in 2025 compared to 2024. This isn’t just a statistic; it’s a direct threat to your organization’s security. Late last year, we reported 14,000 cases in just 1 month where our customers’ employee credentials, even those adhering to company password policies, were exposed in data breaches – a clear indicator of real and present risk.
Where in the World are Credentials Most Targeted?
Unsurprisingly, countries with the largest populations dominate the top 10 list for targeted credentials in 2025. However, it’s concerning to see nations like Vietnam, Pakistan, and Turkey appear despite not being in the top 10 for population, highlighting their increasing digital footprint and vulnerability. The consistent presence of the USA, a global business hub, is also a significant red flag.
Read the full ebook “The Rise of Compromised Credentials.”
How Do Corporate Passwords Get Compromised?
The methods cyber criminals employ to steal credentials are diverse and sophisticated, making a single defense strategy insufficient.
- Hacked Databases: Attackers breach organizational systems to access databases containing usernames and passwords. This can involve exploiting software vulnerabilities, compromising admin accounts, or using injection attacks to extract login information.
- Phishing: Deceptive emails, vishing (voice phishing), and smishing (SMS phishing) are common tactics to trick employees into divulging sensitive login data.
- Malware: Malicious software, including infostealers, planted on computers or servers can directly steal login information. Keyloggers record keystrokes, capturing usernames and passwords as they are typed. Advanced spyware can take screenshots or intercept data in transit.
The unfortunate reality is that there isn’t one simple method for credential theft, making a comprehensive defense plan essential.
Compounding the threat, Check Point External Risk Management research reveals that businesses take an alarming 94 days on average to remediate compromised credentials originating from GitHub repositories.
This suggests that businesses struggle to identify compromised login information quickly. This significant delay provides a wide-open window for attackers to exploit compromised accounts and sensitive data.
The Underground Market: What Happens to Stolen Credentials?
Once obtained, these valuable credentials are then often compiled into “combo-lists” and sold and traded in open, deep, and dark web forums. Threat actors purchase them to launch account takeover attacks, gaining unauthorized access to confidential company information, or to initiate sophisticated social engineering campaigns. These forums operate like illicit marketplaces, offering a range of stolen data beyond just credentials.
Threat actors continue to have success stealing and using compromised credentials, so they continue to focus on this vector.
They’re constantly innovating new ways to steal credentials and finding new techniques to bypass MFA. As long as credential stealing and usage continues to yield results, threat actors will continue to use this method.
Scan Your Organization for Compromised Credentials: https://cyberint.com/uncover-your-compromised-credentials-from-the-deep-and-dark-web/
Mitigation Strategies to Strengthen Your Organization’s Defense
Protecting your organization requires a multi-layered approach:
- Password Management Policies: Enforce regular password updates and prohibit password reuse across accounts to limit the window of exploitation for stolen credentials.
- Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it harder for attackers to log in with just a username and password. However, it’s important to acknowledge that MFA can be circumvented and isn’t a foolproof solution.
- Single Sign-On (SSO): Where possible, prioritize SSO over direct credential logins to reduce the overall risk of compromise.
- Limited Login Attempts: Implement limits on login attempts to prevent brute-force attacks and cross-account credential stuffing.
- Principle of Least Privilege (PoLP): Restrict user access rights to the bare minimum necessary for their roles. This limits the scope of damage if an account is compromised.
- Phishing Education: Train employees to recognize and resist phishing attempts, making them less susceptible to this common attack vector.
- Network Defenses: Network-level protections, such as intrusion detection systems and firewalls, can detect and block connections from untrusted endpoints, restricting attackers’ ability to reach databases that store credentials.
- Blocking Third-Party Sites: Restrict access to third-party websites that may have weaker security and could serve as vectors for malware infection.
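One way to implement the "Limited Login Attempts" control from the list above, keyed on both the account (brute force) and the source address (cross-account credential stuffing). This is an added example, not Check Point's code; the thresholds, account names and IP addresses are constructed for illustration.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for the example; tune them to your own traffic.
WINDOW_SECONDS = 300
ACCOUNT_LIMIT = 5                   # failures on one account -> temporary lock
SOURCE_LIMIT = 20                   # failures from one source -> rate limit
DISTINCT_ACCOUNTS_PER_SOURCE = 10   # one source cycling accounts -> stuffing


class LoginThrottle:
    """Sliding-window limiter keyed on both the account and the source address."""

    def __init__(self):
        self.by_account = defaultdict(deque)   # account -> timestamps of failures
        self.by_source = defaultdict(deque)    # source  -> (timestamp, account)

    @staticmethod
    def _prune(queue, now, ts_of):
        # Drop entries older than the window from the front of the deque.
        while queue and now - ts_of(queue[0]) > WINDOW_SECONDS:
            queue.popleft()

    def check(self, account, source, now):
        """Decide before the password is verified; returns (allowed, reason)."""
        acct_q, src_q = self.by_account[account], self.by_source[source]
        self._prune(acct_q, now, lambda t: t)
        self._prune(src_q, now, lambda e: e[0])
        if len(acct_q) >= ACCOUNT_LIMIT:
            return False, "account_locked"                 # classic brute force
        if len(src_q) >= SOURCE_LIMIT:
            return False, "source_rate_limited"
        if len({a for _, a in src_q}) >= DISTINCT_ACCOUNTS_PER_SOURCE:
            return False, "credential_stuffing_suspected"  # many accounts, one source
        return True, "ok"

    def record_failure(self, account, source, now):
        self.by_account[account].append(now)
        self.by_source[source].append((now, account))


def simulate(events):
    """Run constructed failed-login events through the throttle; return reasons."""
    throttle, reasons = LoginThrottle(), []
    for ts, account, source in events:
        allowed, reason = throttle.check(account, source, ts)
        reasons.append(reason)
        if allowed:  # the real password check would run here; we assume it fails
            throttle.record_failure(account, source, ts)
    return reasons


# Constructed sample: 6 guesses at one account, then one source trying 12 accounts.
BRUTE_FORCE = [(i, "alice", "198.51.100.7") for i in range(6)]
STUFFING = [(100 + i, f"user{i}", "203.0.113.9") for i in range(12)]
```

The stuffing rule fires on the number of distinct accounts a source has failed against, so an attacker spreading one password across many usernames is caught long before any single account hits its own lock threshold.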
Staying Ahead of the Threat with Proactive Detection
Detecting compromised credentials before they are abused is critical. Threat actors often don’t immediately exploit stolen logins; they take time to analyze the data. Effective detection methods include:
- Forum Scanning: Experts can navigate deep and dark web forums to identify username/password combinations linked to your company. While threat actor communities may restrict access, skilled teams can gain the necessary information.
- Log Analysis: Attackers often post “logs” as proof of their breaches on the deep or dark web when selling stolen credentials. These logs may not name the victim company directly but include details like size, industry, and geography. Companies like Check Point External Risk Management specialize in piecing together this information to identify and notify affected organizations.
The Compromised Credential Mitigation Cycle
Stopping Credential Leaks with Check Point External Risk Management
When it comes to detecting credential leaks that impact your company or customers, Check Point External Risk Management offers a comprehensive solution.
Beyond scanning the deep and dark web for compromised credentials, Check Point ERM conducts undercover investigations to verify threats and assess their scope. We also integrate with SIEM and SOAR tools, enabling fast, automated notifications when compromised credentials appear. Businesses can also configure automated remediations, such as immediately requiring employees to update passwords when credential theft is detected.
These protections extend beyond corporate devices to personal computers. Check Point ERM can detect instances where employees use company accounts on personal devices, even when endpoint monitoring and security tools are absent – a critical capability given that 46% of devices associated with compromised corporate credentials lack such tools, according to Check Point ERM data.