In recent years, stolen login credentials have become the top initial attack vector in cyber breaches, eclipsing other tactics like phishing or malware exploits. Multiple cybersecurity reports confirm that most successful attacks begin with compromised passwords or tokens. High-profile incidents – from fuel pipelines to tech giants – all illustrate how a single stolen username/password can lead to a major breach. Below, we examine case studies and statistics from the last 3–5 years that prove this trend, and we explore emerging developments in the marketplace for stolen credentials on both the dark web and Clearnet. We also discuss how early detection of stolen credentials and robust response capabilities can thwart these threats.
Stolen Credentials as the Top Breach Vector
Industry data consistently shows credential theft is the leading cause of breaches. According to Verizon’s 2023 Data Breach Investigations Report, nearly half of all breaches analyzed (49%) involved the use of stolen credentials, far outpacing phishing (the next most common vector at 12%) (Enterprise Cybersecurity Trends From the 2023 DBIR | Verizon).
IBM’s 2022 Cost of a Data Breach report likewise found that compromised credentials were the most common root cause, accounting for 19% of breaches studied – the highest of any vector that year (Explore the 2022 IBM Report, Annual Cost of Data Breach Report).
In fact, Verizon notes that stolen passwords have “continued their reign” as the top way attackers gain access, appearing in about 44–49% of breaches in recent years (Key Takeaways from the Verizon 2023 Data Breach Investigations Report, Enterprise Cybersecurity Trends From the 2023 DBIR | Verizon). This makes credential-based attacks more prevalent than even malware or vulnerability exploitation in successful intrusions.
One reason stolen passwords are so pervasive is that they are often an easy path in. Verizon’s data shows the “human element” is involved in 74% of breaches, including improper use of credentials and social engineering (Enterprise Cybersecurity Trends From the 2023 DBIR | Verizon). Weak or reused passwords, in particular, allow attackers to log in undetected. For example, Verizon found that in basic web application attacks (which make up about a quarter of all breaches), 86% involved stolen credentials (Key Takeaways from the Verizon 2023 Data Breach Investigations Report).
With so many leaked passwords available from past data breaches, attackers can simply try those credential pairs in automated attacks (credential stuffing) or purchase ready-made logins to bypass security. As one cybersecurity analysis succinctly put it, “credentials are king” in today’s threat landscape (Key Takeaways from the Verizon 2023 Data Breach Investigations Report).
The Underground Market for Stolen Credentials
The prevalence of credential-based attacks is fueled by a thriving underground economy that trades in stolen login data. On dark web forums and even Clearnet sites, cybercriminals buy and sell usernames, passwords, and session cookies at scale.
Key trends in the stolen credential markets over the last few years include:
– Specialized Marketplaces: Dedicated criminal marketplaces have emerged for buying stolen credentials and even active network access. One of the most notorious was Genesis Market, which from 2018 until its takedown in 2023 sold “packages” of account credentials (often including password hashes, browser fingerprints, and cookies) harvested from over 1.5 million malware-infected computers (Office of Public Affairs | Criminal Marketplace Disrupted in International Cyber Operation | United States Department of Justice).
Genesis listed more than 80 million account credentials for services like email, banking, and even government systems (Office of Public Affairs | Criminal Marketplace Disrupted in International Cyber Operation | United States Department of Justice). It essentially acted as an initial access broker (IAB), providing logins and session tokens that ransomware gangs could purchase to effortlessly infiltrate victims (Office of Public Affairs | Criminal Marketplace Disrupted in International Cyber Operation | United States Department of Justice). Genesis was shut down by an international law enforcement operation in April 2023, alongside other forums like Hydra and BreachForums, but many other marketplaces still operate (Office of Public Affairs | Criminal Marketplace Disrupted in International Cyber Operation | United States Department of Justice).
– Infostealer Malware Logs: A major source of credentials for these markets is information-stealing malware that quietly infects PCs and siphons autofilled passwords, cookies, and keystrokes. According to SpyCloud researchers, in 2022 they recovered 721 million stolen credentials from criminal sources, and 48.5% of them came from infostealer infections on victim devices (Key Takeaways from the Verizon 2023 Data Breach Investigations Report). Cybercriminal “log shops” aggregate these records (often called bot logs) and sell them in bulk. For example, the 2easy marketplace is an automated platform where multiple sellers offer data from their malware botnets.
As of late 2021, 2easy was advertising stolen data from nearly 600,000 infected machines; most packages of a victim’s saved logins and cookies were priced under $5 USD (2easy: Logs Marketplace on the Rise • KELA Cyber Threat Intelligence). The wide availability of such cheap, ready-to-use credential bundles means even low-skilled attackers can purchase access to hundreds of accounts or endpoints with minimal effort.
– Initial Access Brokers and RDP/VPN Access Sales: The rise of ransomware-as-a-service has given impetus to a cadre of initial access brokers who focus on breaching organizations and then selling that foothold to others. These brokers often advertise RDP credentials, VPN logins, or domain administrator accounts for sale on hacking forums. In 2023, the majority of illicit access listings were for compromised Remote Desktop Protocol credentials (over 60% of listings), but by 2024, sales of VPN access had surged – VPN logins made up roughly 45% of access listings, nearly overtaking RDP in popularity (A Deep-Dive Into Initial Access Brokers: Trends, Statistics, Tactics and more). This shift reflects how threat actors adapt to target whatever remote access technologies are prevalent (VPN, cloud credentials, etc.). The business model is clear: an attacker who obtains a foothold (say, by password-spraying to find a weak credential, or by buying an employee’s leaked password) can turn around and sell that access for a profit to ransomware groups or espionage actors. Security analysts have noted that the sheer volume of exposed credentials and the automated tools to exploit them have made credential-based entry “cost-effective” and scalable for attackers (Ransomware attackers down shift to ‘Mid-Game’ hunting in Q3).
– Clearnet Forums and Data Dumps: Not all stolen credential trading happens on the dark web; some occur on Clearnet sites or messaging platforms. Breach data repositories and hacking forums have openly hosted stolen databases containing millions of user logins. These often stem from large corporate data breaches and are packaged as “combo lists” (lists of email/password pairs) that other criminals can use for credential-stuffing attacks. Additionally, Telegram channels and Discord communities have become popular for advertising or sharing stolen creds away from law-enforcement-scrutinized dark websites. Despite crackdowns on major marketplaces, the market simply splinters into smaller venues – the supply of passwords from continuous breaches and malware campaigns ensures that fresh credentials are constantly entering the criminal ecosystem.
In summary, stolen credentials are widely available and actively traded. Everything from an individual’s streaming service password to a Fortune 500 company’s VPN account can be bought online. Threat actors can purchase credentials in bulk for low prices, or pay a premium for higher-privilege accounts and network access. They then leverage these credentials to carry out secondary attacks – for example, using email logins for business email compromise, using RDP/VPN access to deploy ransomware, or using social media account creds for fraud and disinformation. The trend in the underground market is toward greater commoditization: credentials are being packaged as a product. As long as organizations continue to rely on passwords, and breaches continue to leak large credential sets, this underground supply chain will fuel many of the cyberattacks we see.
Detecting and Mitigating Credential-Based Threats
Given that stolen credentials are at the heart of so many breaches, it’s critical for organizations to both harden their logins and monitor for credential leaks. This is where our MDR service leverages features like Brand Protection and Data Leak detection to make a difference. By continuously scouring dark web marketplaces, paste sites, and other leak sources, these services can alert an organization when employee or customer credentials surface in dumps or are being offered for sale. Credentials are exfiltrated and put up for sale quickly, so the window is short; even so, it gives organizations enough time to detect the stolen credentials and remediate, provided they have the capability to detect them in the first place.
Early detection means a company can rapidly reset those passwords and revoke active sessions, disable accounts, or increase monitoring of the affected users before attackers use the data. For example, if a known set of employee logins is found in a breach dump, the security team can force password changes and preempt any unauthorized access attempts. We at NIL/Conscia SOC recognized this opportunity to disrupt adversaries in their attack chain, so as part of the MDR service we also offer Brand Protection and Data Leak Detection, which covers much more than credential leak detection: brand impersonation attempts, domain abuse detection, data leaks and more. For more comprehensive coverage, contact us.
When proactive leak detection is paired with 24/7 Managed Detection and Response (MDR), organizations gain full coverage against credential-based attacks. Conscia’s MDR service constantly monitors login activity and network behavior, which helps in catching the tell-tale signs of stolen credential use – such as anomalous login times/locations, multiple login failures followed by a success (indicative of credential stuffing), or logins to sensitive systems by accounts that normally wouldn’t access them. If an attacker does manage to use a stolen password, the MDR team can quickly detect and contain the intrusion (for instance, by spotting the attacker’s attempts to escalate privileges or install backdoors, as was done in the Cisco incident). Moreover, in certain environments we can automate remediation steps such as resetting passwords and sessions. This rapid response can neutralize a breach before it causes serious damage.
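As an added example (not the post's own material or Conscia's tooling), here is how the "multiple login failures followed by a success" signal above can be expressed as detection logic and run over constructed sample authentication log lines. The log format, field order, thresholds and IP addresses are assumptions; the point is that a burst of failures across several distinct accounts from one source, capped by a success, is what separates credential stuffing from one user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): timestamp, source IP, account, outcome.
# 203.0.113.7 fails against five different accounts in seconds, then succeeds (stuffing).
# 198.51.100.4 is one user retyping their own password, which should not alert.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z 203.0.113.7 alice FAIL
2024-05-01T02:00:02Z 203.0.113.7 bob FAIL
2024-05-01T02:00:03Z 203.0.113.7 carol FAIL
2024-05-01T02:00:04Z 203.0.113.7 dave FAIL
2024-05-01T02:00:05Z 203.0.113.7 erin FAIL
2024-05-01T02:00:06Z 203.0.113.7 frank SUCCESS
2024-05-01T09:15:00Z 198.51.100.4 alice FAIL
2024-05-01T09:15:20Z 198.51.100.4 alice SUCCESS
"""

def parse(line):
    """Split one log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def detect_stuffing(log_text, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Return (ip, account) pairs where one source IP accumulated at least
    `min_failures` failures spread over at least `min_users` distinct accounts
    within `window`, and then logged in successfully. Thresholds are assumed
    starting points; tune them to the environment's normal failure rate."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(list)  # ip -> [(timestamp, user)] of failures still in window
    alerts = []
    for ts, ip, user, outcome in events:
        # Drop failures that have aged out of the sliding window for this source.
        fails = recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        if outcome == "FAIL":
            fails.append((ts, user))
        elif len(fails) >= min_failures and len({u for _, u in fails}) >= min_users:
            # A success following a multi-account failure burst: flag ip and the account hit.
            alerts.append((ip, user))
            recent[ip] = []  # reset so one burst produces one alert
    return alerts

if __name__ == "__main__":
    for ip, account in detect_stuffing(SAMPLE_LOG):
        print(f"credential stuffing suspected: {ip} succeeded on {account} after failure burst")
```

The flagged account is the one a responder would reset and whose sessions they would revoke, while the source IP feeds the blocking or rate-limiting step.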
In conclusion, defending against credential-based threats requires both intelligence and vigilance. The intelligence comes from our brand protection and data leak detection, an optional feature of our MDR service, that shines a light on the underground markets – giving an early warning when your organization’s credentials are in criminals’ hands. The vigilance comes from robust authentication security (like MFA and password managers) and an active detection/response capability to spot illicit logins. With this one-two punch, companies can significantly reduce the risk that a stolen password will turn into the next major breach headline. As the evidence shows, credential theft may be the #1 attack vector today, but with the right safeguards in place, even this most common of threats can be mitigated before it spirals into a business catastrophe.