What the 2025 DBIR Taught Us About Identity Risk

RSA 2025 had no shortage of buzzwords and vendor pitches, but Verizon’s presentation of the 2025 Data Breach Investigations Report (DBIR) cut through the noise. If you didn’t have time to sit through the session or didn’t go to RSA, don’t worry—I did. And here’s the bottom line:
Identity is now the primary battleground in cybersecurity.
If you’re in security, risk, or IT, you’ve probably seen this shift coming. But the DBIR makes it official, and urgent. Here are the most important takeaways from the session, especially for anyone concerned about credential abuse, identity security, or access control.
1. Credential Abuse Is the #1 Attack Vector
For the first time in DBIR history, credential abuse took center stage as the most common method of breach. It factored into over 30% of all reported breaches, and in 21% of this year’s incidents, outpacing phishing, misconfigurations, and even vulnerability exploitation.
And it doesn’t stop at the initial compromise. In 34% of breaches, credentials were either the entry point or used laterally post-intrusion. The takeaway? If you don’t have strong visibility into where credentials are used and who has access to what, you’re not managing risk; you’re flying blind.
2. Infostealers Are Fueling the Fire
Infostealer malware is having a moment, and it’s making the credential problem exponentially worse by fueling the credential abuse surge. Malware strains like Redline, Vidar, RisePro, and Lumma Stealer quietly exfiltrate saved passwords, cookies, and system info from infected machines. These tools are cheap, easy to deploy, sold under a Malware-as-a-Service (MaaS) model, and distributed through SEO poisoning, malvertising, and even social media.
The scale? Staggering:
- 23 million compromised devices in 2024
- 2.1 billion passwords leaked
- The average device leaked 27 passwords across 18 services
Nearly half of those passwords were reused, making credential stuffing trivial. It’s not just bad hygiene—it’s a systemic vulnerability.
3. Your Real Problem Might Be BYOD
Here’s the stat that should make you swear out loud: 46% of the devices leaking corporate credentials were unmanaged. Translation: nearly half of the compromised endpoints weren’t even corporate assets. They were personal laptops, phones, or other BYOD devices, often operating outside policy, outside detection, or both.
Once infostealer malware hits these unmanaged systems, it vacuums up both personal and corporate credentials, blurring the lines and expanding the blast radius. Whether you’re operating under strict EU data protection rules or a looser North American endpoint policy, one thing is clear: If your devices aren’t visible, your credentials aren’t safe.
4. Credential Marketplaces Are Thriving
So, where do all those stolen credentials go? They’re sold cheaply, feeding a booming underground economy.
Credential marketplaces like Genesis Market (before it was shut down), Russian Market, and Telegram-based bot farms sell access to “live logs”, session tokens, and other recently compromised data for pennies. Some even sell bots preloaded with session cookies that can be used to bypass MFA and hijack live sessions.
This isn’t theoretical. The DBIR found that:
- Credential stuffing represents 19% of all daily authentication activity
- It jumps to 25% in enterprise environments
- Tools and “combo lists” are widely available for free or for a few dollars
5. Ransomware Often Starts with a Stolen Credential
Forget zero-days and exotic payloads. The most common ransomware precursor today is a stolen login.
One of the DBIR’s most eye-opening findings was the link between credential leaks and ransomware. When researchers mapped victims of ransomware attacks to infostealer logs, they found:
- 54% of ransomware victims had credentials exposed before the breach
- 40% had corporate email addresses in credential dumps
This suggests many of these incidents started not with a flashy exploit, but with a simple login. If you’re not monitoring for stolen credentials or reviewing identity blast radius, you’re leaving yourself exposed.
Lessons
Security teams are no longer looking for theoretical value; they need concrete capabilities. They need to:
- Detect compromised credentials in real time
- Monitor who has access to what across SaaS, cloud, and on-prem
- Enforce least privilege before attackers escalate access
- Integrate access insights into incident response and risk scoring
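As an added example (not from the DBIR or from this post), the Python script below shows two of these checks on constructed data: it flags credential-stuffing activity in authentication logs by counting distinct usernames tried from one source, and it matches an infostealer-style credential dump against corporate accounts to find exposed accounts and reused passwords, then joins the two results so incident responders see which exposed accounts actually logged in from a flagged source. The log format, the IPs and account names, and the assumption that log usernames are the local part of the corporate email address are all mine, not anything the report specifies.

```python
"""Two defender-side checks on constructed sample data (added example, not from the DBIR):
1. credential-stuffing detection over authentication log lines
2. matching an infostealer-style credential dump against corporate accounts
"""
import re
from collections import defaultdict

# Constructed sample auth log. The key=value layout is an assumption, not a real product's format.
AUTH_LOG = """\
2025-05-01T08:00:01Z auth ip=203.0.113.10 user=alice result=FAIL
2025-05-01T08:00:02Z auth ip=203.0.113.10 user=bob result=FAIL
2025-05-01T08:00:02Z auth ip=203.0.113.10 user=carol result=FAIL
2025-05-01T08:00:03Z auth ip=203.0.113.10 user=dave result=FAIL
2025-05-01T08:00:03Z auth ip=203.0.113.10 user=erin result=FAIL
2025-05-01T08:00:04Z auth ip=203.0.113.10 user=frank result=SUCCESS
2025-05-01T08:05:00Z auth ip=198.51.100.7 user=alice result=FAIL
2025-05-01T08:05:30Z auth ip=198.51.100.7 user=alice result=SUCCESS
"""

# Constructed infostealer-style rows (url, username, password). All values are invented.
STEALER_DUMP = [
    ("https://mail.example.com/login", "alice@example.com", "Summer2024!"),
    ("https://shop.example.net", "alice@example.com", "Summer2024!"),
    ("https://vpn.example.com", "frank@example.com", "hunter2"),
    ("https://social.example.org", "personal.user@mailbox.example", "pw123"),
]
CORPORATE_DOMAINS = {"example.com"}  # hypothetical corporate email domain

LINE_RE = re.compile(r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_auth_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def detect_stuffing(events, min_distinct_users=5):
    """Flag source IPs that try many distinct usernames, and list any successes among them.
    Stuffing replays leaked user:password pairs across many accounts from one source, so the
    signal is breadth of usernames per IP, not repeated failures on a single account."""
    users_by_ip = defaultdict(set)
    successes_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        if e["result"] == "SUCCESS":
            successes_by_ip[e["ip"]].add(e["user"])
    return {
        ip: {"attempted": len(users), "succeeded": sorted(successes_by_ip[ip])}
        for ip, users in users_by_ip.items()
        if len(users) >= min_distinct_users
    }


def exposed_corporate_accounts(dump, corporate_domains):
    """Return corporate accounts present in the dump with the number of distinct services
    they appeared on and whether one password was reused across those services."""
    by_user = defaultdict(lambda: {"services": set(), "passwords": set()})
    for url, user, password in dump:
        domain = user.rsplit("@", 1)[-1].lower()
        if domain in corporate_domains:
            by_user[user]["services"].add(url)
            by_user[user]["passwords"].add(password)
    return {
        user: {
            "services": len(v["services"]),
            # fewer distinct passwords than services means at least one was reused
            "reused_password": len(v["services"]) > 1 and len(v["passwords"]) < len(v["services"]),
        }
        for user, v in by_user.items()
    }


def prioritize(stuffing_findings, exposed):
    """Join both results: accounts that appear in a dump AND logged in successfully from a
    flagged source. Assumes the log username is the local part of the corporate email."""
    local_parts = {account.split("@", 1)[0] for account in exposed}
    return sorted(
        (user, ip)
        for ip, f in stuffing_findings.items()
        for user in f["succeeded"]
        if user in local_parts
    )


if __name__ == "__main__":
    findings = detect_stuffing(parse_auth_log(AUTH_LOG))
    exposed = exposed_corporate_accounts(STEALER_DUMP, CORPORATE_DOMAINS)
    print("stuffing sources:", findings)
    print("exposed corporate accounts:", exposed)
    print("review first:", prioritize(findings, exposed))
```

On the constructed data, 203.0.113.10 is flagged for trying six usernames and succeeding on one, alice@example.com shows up with the same password on two services, and frank is the account to review first because it is both in the dump and the successful login from the flagged source. The threshold of five distinct usernames per IP is a starting point; in production it would be tuned per source type and time window, and matching on the local part of the email should be replaced by a lookup against the identity provider.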
Take Identity Seriously Before Someone Else Does
If you’re still treating identity as an IT admin task, stop. It’s your new attack surface. Your new perimeter. And the most abused asset in the threat landscape.
Whether you’re a CISO trying to reduce breach risk or a vendor helping customers secure their environments, identity is job one. Because attackers aren’t breaking in anymore—they’re logging in.
Where to Go From Here
If identity is the new battleground, it’s time to arm yourself with insight, strategy, and execution.
- State of Access Report 2024: Explore how organizations are managing (or failing to manage) identity risk across human and non-human accounts. This report reveals the hard truths and trends shaping the access security landscape.
- Modern Identity Security Maturity Model: Not sure where your organization stands, or where to go next? This maturity model helps you benchmark your current state and chart a practical path toward intelligent identity security.
- A Practitioner’s Guide to Intelligent Access: Ready to move from theory to action? This guide delivers the tactical framework for implementing risk-based, least-privilege access across your enterprise.