
Research on Compromised Credentials

Osterman Research Exposes the Growing Risk

The new Osterman Research report, Safeguarding Identity Security: We Need to Talk About MFA, surveyed 126 identity, IAM, and cybersecurity leaders from U.S. companies averaging 3,400 employees. The data shows a gap in security that attackers are actively exploiting:

  • 85.7% say cybercriminals are increasingly interested in stealing and abusing compromised credentials.
  • 54.8% report a rise in account takeover attempts.
  • 73.8% admit they can’t stop identity attacks in real time, and half of all respondents say their confidence in protecting against these threats is dropping.

These numbers tell us one thing loud and clear: stolen credentials are an easy doorway into an organization’s systems, and standard password policies aren’t keeping attackers out.


Confidence is declining: 50% of security professionals report a drop in confidence in their ability to protect against identity attacks, with compromised credentials a key contributor.

Why Compromised Credentials Are So Dangerous

Cybercriminals know that many people reuse passwords across multiple sites. If they obtain a single password, perhaps from a social media breach, they can try it against business applications. This tactic is known as “credential stuffing”: attackers systematically test large sets of stolen username and password pairs against other online services, betting that the same pair is still valid somewhere else. Because so many people reuse passwords across personal and corporate accounts, one leaked password can unlock several unrelated accounts.

It’s a volume game: automated tools can perform thousands of login attempts in minutes, which makes credential stuffing not only efficient but alarmingly effective against organizations that aren’t actively checking for and remediating compromised passwords in their environments. Slight modifications don’t help much either. If users tweak a leaked password by appending numbers or symbols, swapping in predictable substitutions, or bumping a year, attackers can analyze those patterns, build a profile of how an individual constructs passwords, and test the likely variations until one succeeds. A compromised password with a small change on the end therefore provides little real protection against credential stuffing.
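The volume pattern described above has a recognizable shape in an authentication log: one source address cycling through many distinct usernames in a short window, almost all of them failing, with the occasional success marking a credential that was actually valid. The following Python sketch is an added illustration, not part of the original post and not Enzoic’s code; the log format, addresses, usernames and detection thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data) in a hypothetical
# "timestamp source_ip username result" format. One source cycles through
# many different usernames from a stolen list and lands a single success;
# a legitimate user mistypes twice from another address; a third is routine.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob FAIL
2024-05-01T09:00:02Z 203.0.113.7 carol FAIL
2024-05-01T09:00:03Z 203.0.113.7 dave FAIL
2024-05-01T09:00:03Z 203.0.113.7 erin FAIL
2024-05-01T09:00:04Z 203.0.113.7 frank FAIL
2024-05-01T09:00:04Z 203.0.113.7 grace SUCCESS
2024-05-01T09:00:05Z 203.0.113.7 heidi FAIL
2024-05-01T09:02:10Z 198.51.100.5 alice FAIL
2024-05-01T09:02:25Z 198.51.100.5 alice FAIL
2024-05-01T09:02:40Z 198.51.100.5 alice SUCCESS
2024-05-01T09:03:00Z 192.0.2.9 bob SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_events(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many *distinct* usernames inside one window
    with mostly failures. That shape separates stuffing from a real user
    fumbling a single account: a forgotten password is one username, few tries.
    Returns {ip: summary}; summary lists the accounts that did log in, i.e.
    the credentials that were actually valid and need immediate remediation."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for start in range(len(evs)):
            end = start
            while end < len(evs) and evs[end][0] - evs[start][0] <= window:
                end += 1
            chunk = evs[start:end]
            users = {e[2] for e in chunk}
            failures = sum(1 for e in chunk if e[3] == "FAIL")
            if len(users) >= min_users and failures / len(chunk) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "failures": failures,
                    "compromised": sorted(e[2] for e in chunk if e[3] == "SUCCESS"),
                }
                break  # one hit per source is enough to raise the alert
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are deliberately simple; in practice the same logic is run per ASN or per session fingerprint as well as per IP, because stuffing tools rotate through proxy pools, and the "compromised" list is what feeds the forced password change rather than the failure count.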

Meanwhile, traditional password policies, like forcing regular resets and setting strict complexity rules, can backfire. Users often cope by recycling old passwords or writing them down, which can weaken security. These outdated password policies don’t match the ever-increasing risk level.

The longer compromised credentials remain undetected, the greater the risk. As Michael Sampson, Principal Analyst at Osterman Research, explains:

The longer that they (threat actors) have access to compromised credentials before they are remediated, the happier threat actors are at their ability to surreptitiously get into your environment, get access to data and applications they shouldn’t have access to, move laterally, plant ransomware, and do a whole lot of pernicious things in order to reap a financial reward as a result of that compromised credential.

– Michael Sampson, Principal Analyst at Osterman Research

How Enzoic Tackles These Challenges

The findings in the report describe exactly the problem Enzoic was built to address. Here’s how:

  1. Real-Time Screening of Passwords Against Breach Data
    • Enzoic constantly checks new and existing passwords against a continuously updated database of known compromised credentials.
    • If a match is found, the user is immediately prompted to replace that password, closing the door on potential attackers right away.
  2. Automatic Remediation
    • When a password is flagged as unsafe, Enzoic automatically takes action. Users must create a secure replacement on the spot.
    • This quick response time prevents vulnerabilities from lingering unseen.
  3. Meeting Key Compliance Requirements
    • Modern standards like NIST SP 800-63B, HITRUST, and CMMC all emphasize checking passwords against real breach data.
    • Enzoic automatically enforces compliance with these password guidelines, so organizations stay compliant without the operational overhead.
  4. Reducing User Friction
    • Instead of forcing time-based resets, Enzoic lets organizations require a change only when a password is actually compromised, which is what NIST SP 800-63B recommends.
    • This reduces frustration, saves helpdesk time, and encourages people to use strong, memorable passwords.
  5. Lowering Overall Costs
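The screening step in the list above, together with the earlier point that small tweaks to a leaked password give little protection, can be expressed in a few lines. The Python below is an added example; it is not Enzoic’s code and makes no claim about how its service is implemented. It rejects a candidate password if it appears in a breach corpus exactly, or if it collapses to the same canonical form as a breached password once case, a run of trailing or leading digits and symbols, and common leet substitutions are stripped. The breach list, the minimum length, and the rules in canonical() are assumptions for the demonstration.

```python
import hashlib
import re
import unicodedata

# Constructed breach corpus (not real data). Real lists are distributed as
# hashes, so the corpus below is stored as SHA-1 digests and never as plaintext
# once built; SHA-1 is used here because that is how such lists are published,
# not as a way to store live user passwords.
BREACHED_PLAINTEXTS = ["Summer2023!", "password1", "letmein", "Qwerty123", "123456"]

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords

# Common keyboard substitutions users make when "changing" a password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def canonical(password):
    """Collapse the predictable tweaks: lower-case, drop a run of digits or
    symbols stuck on either end (Summer2023! -> summer), then undo leet
    substitutions in what remains (P@ssw0rd -> password). Returns "" for a
    password that is nothing but digits/symbols so it is never used as a key."""
    s = unicodedata.normalize("NFKC", password).lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def build_corpus(plaintexts):
    """Index the corpus two ways: exact digests, and digests of the canonical
    form, so that trivial variants of a breached password also match."""
    exact = {sha1_hex(p) for p in plaintexts}
    canon = {sha1_hex(canonical(p)) for p in plaintexts if canonical(p)}
    return exact, canon


EXACT_HASHES, CANONICAL_HASHES = build_corpus(BREACHED_PLAINTEXTS)


def screen_password(candidate, exact_hashes=EXACT_HASHES,
                    canonical_hashes=CANONICAL_HASHES):
    """Decide whether a new or existing password may stay in use.
    Returns ("accept" | "reject", reason). A reject should drive an
    immediate forced change rather than waiting for a scheduled reset."""
    if len(candidate) < MIN_LENGTH:
        return "reject", "shorter than %d characters" % MIN_LENGTH
    if sha1_hex(candidate) in exact_hashes:
        return "reject", "exact match in breach corpus"
    canon = canonical(candidate)
    if canon and sha1_hex(canon) in canonical_hashes:
        return "reject", "trivial variant of a breached password"
    return "accept", "not found in breach corpus"


if __name__ == "__main__":
    for pw in ["Summer2023!", "Summer2024!!", "P@ssw0rd1", "correct horse battery staple"]:
        print(pw, "->", screen_password(pw))
```

Note that "Summer2024!!" is rejected even though it never appeared in a breach: it canonicalizes to the same stem as the leaked "Summer2023!", which is precisely the variation an attacker would try first. The canonical set is built once at ingest time, so screening costs two hash lookups per candidate regardless of corpus size.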

Responding to the Research on Compromised Credentials: Why Now Is the Time to Act

The survey shows confidence in stopping real-time identity attacks is dropping. Organizations feel they’re on the defensive, and stolen credentials are a massive part of the problem. It’s no longer enough to rely on outdated rules; attackers have stepped up their game, and so should we.

Enzoic addresses these concerns directly. It reduces risk by detecting and preventing the most common attack method: the exploitation of compromised or reused passwords. It achieves this without adding friction for legitimate users.

“79% of the organizations we surveyed for this research have been compromised by one or more types of identity attacks in the past 12 months, and 86% say that cybercriminals are increasingly interested in stealing and abusing compromised credentials.”

– Osterman Research

Ready to Protect Your Organization Against Compromised Credentials?

Don’t wait for the next breach to strike. Take action now to secure your users, reduce administrative costs, and align with today’s leading cybersecurity standards.

FAQs

  • What does the latest research on compromised credentials reveal about the threats organizations are facing?
    The Osterman Research findings highlighted in this blog post show a marked rise in the use of stolen passwords. According to the report, 85.7% of security professionals say cybercriminals are increasingly targeting credentials, and more than half (54.8%) report a surge in account takeover attempts. These statistics make it clear that compromised credentials are fueling many of the most damaging cyberattacks.
  • Why aren’t traditional password policies enough to combat credential-based attacks?
    Standard approaches, like forced password resets and strict complexity rules, often create an endless cycle where users slightly modify old passwords or write them down, inadvertently weakening security. The research on compromised credentials demonstrates that modern attackers utilize automated tools and strategies (like credential stuffing) that can quickly identify predictable patterns in reused or slightly altered passwords. This makes reliance on outdated policies insufficient against current threat levels.
  • How does Enzoic address the risks highlighted in the research on compromised credentials?
    Enzoic continuously screens both new and existing passwords against an ever-evolving database of known compromised credentials. If it detects a match, Enzoic automatically forces a password change, ensuring timely remediation of vulnerable accounts. By integrating with existing authentication systems and aligning with compliance requirements (NIST SP 800-63B, HITRUST, CMMC), Enzoic helps organizations reduce user friction while significantly lowering the risk posed by stolen or reused credentials.