Hard2bit

Compromised credentials

What are compromised credentials?

Compromised credentials are usernames, passwords, tokens, or access keys that have been stolen, leaked, or exposed outside the control of their rightful owner. They are one of the most heavily exploited attack vectors in modern cybercrime because they let the attacker operate as a legitimate user: perimeter defences do not trigger and, without fine-grained telemetry, the intruder can move unnoticed for weeks.

Why it matters

Public reporting from CISA, the Verizon DBIR, and leading MDR providers consistently attributes 50–75% of investigated enterprise incidents to compromised credentials. The reason is simple: a valid credential bypasses most defences. The attacker does not need to exploit a vulnerability, generates far less noise in the logs, and once inside can carry out lateral movement towards valuable data, escalate privileges to persist, and ultimately perform mass data exfiltration of intellectual property, financial records, or personal data. Add to that brand damage, regulatory exposure (ISO 27001, NIS2, and DORA require demonstrable detection and response to credential compromise) and the frequency with which a weak corporate credential becomes, weeks later, a multimillion-euro ransomware incident.

Key points

  • the most common sources of compromise are third-party breaches (SaaS services, professional networks, collaboration platforms), infostealer malware on personal devices, targeted phishing campaigns, and attacks on the supply chain through suppliers.
  • password reuse between personal and corporate services turns every external breach into your own breach; a single vulnerable third-party service is enough to expose the full chain of internal systems.
  • stolen credentials are often traded on underground markets months before being actively used; victims rarely notice the compromise until anomalous activity is detected or an external alert arrives.
  • a password reset is not sufficient once the attacker has established persistence via session tokens, mail-forwarding rules, SSH keys, or OAuth-consented applications.
  • even when the credential itself is compromised, phishing-resistant multi-factor authentication combined with conditional access blocks the vast majority of real-world attempts.
  • threat intelligence services continuously scan forums, leak sites, and marketplaces to alert organisations before an exposed credential is actually used against them.

How a credential compromise typically unfolds

A senior executive at a multinational signs up for an external platform using their corporate email from a personal laptop. Months later, that platform suffers a massive breach and hundreds of millions of credentials end up circulating on private forums. A variant of the same password is reused in the corporate productivity suite. An attacker obtains these lists, validates credentials against exposed access portals, and without MFA enabled, logs in as if they were the executive.

Once inside, the attacker reads the mailbox, locates financial documents in the cloud storage, pivots to internal servers using hash-reuse and Kerberos ticket techniques, and creates a hidden administrative account to retain access. Over several weeks, confidential correspondence is exfiltrated in small batches to evade DLP thresholds. The incident is finally surfaced through correlated alerts in the EDR and the SIEM. A rigorous investigation reconstructs the timeline from the leaked credential to the attacker's last action, scopes the real impact, and drives full eradication: credential rotation, token revocation, and closure of every persistence foothold.

Common mistakes

  • mistaking "we haven't heard of a breach" for "we are not compromised": lack of detection is not lack of incident, it is lack of visibility.
  • resetting the password without revoking active sessions, OAuth tokens, API keys, and forwarding rules: the attacker remains inside even though the secret has changed.
  • allowing a standard user to access financial databases, critical directories, or administration consoles; with strong MFA but no least privilege, a user compromise becomes a whole-company compromise.
  • keeping permissive password policies (short minimum lengths, no checks against leaked-password dictionaries): this makes brute force and password spraying far easier.
  • ignoring logins from suspicious IP addresses, unusual hours, or unexpected locations because "it's probably someone travelling": immediate investigation is cheap; a late reaction is extremely expensive.
  • failing to include personal devices and unmanaged browsers in conditional access policy, leaving open the very door infostealers walk through.


Frequently asked questions

How do I know if my corporate credentials have been compromised?

The most common signals are password changes you did not initiate, logins from unfamiliar locations or devices, mail-forwarding rules you have not created, and alerts from your identity provider about repeated access attempts. Proactively, there are public and commercial leak-monitoring services that cross-check your corporate domain against known breaches; at enterprise scale, a threat intelligence service extends that coverage to underground markets and closed forums where credentials are traded before being used.

Is multi-factor authentication enough against compromised credentials?

It dramatically reduces the risk, but does not eliminate it. Attackers can run adversary-in-the-middle attacks that capture the session token in real time, wear down users with repeated push notifications until one is accepted by mistake (MFA fatigue), or compromise the device itself to steal the second factor. MFA is essential, but it must be complemented with phishing-resistant factors (passkeys, FIDO2 keys), conditional access based on device posture, and continuous monitoring of authentication anomalies.

What should I do in the first hours after detecting a leaked corporate credential?

The order matters: revoke all active sessions and associated OAuth tokens, rotate both the password and the second factor, audit mail rules and consented applications, review the last 90 days of access logs for anomalies, notify the security team and — if the account had elevated privileges — activate the incident response plan. If the exposure involves regulated data, the notification clock to data-protection authorities or customers also starts ticking.

How can an organisation detect compromised credentials in active use?

Through a combination of layers: SIEM correlating authentication events, EDR watching the endpoint where the session starts, user behaviour analytics (UEBA) over normal usage patterns, conditional access that asks for additional factors on risk signals, and threat intelligence services that flag credentials appearing for sale. Effective detection is not about one single tool, but about how fast you correlate these signals and act on them.
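The correlation described in this answer and the signals listed under "How do I know if my corporate credentials have been compromised?" (unfamiliar locations, repeated access attempts, a success right after them) can be sketched as a small SIEM-style rule. This is an added example, not Hard2bit's code or a product feature; the log lines, the per-user country baseline and the thresholds are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines as an identity provider might export to
# a SIEM): one office login, a five-user spray from one IP, then a "cfo" success.
SAMPLE_LOG = """
{"ts":"2024-05-06T09:02:00Z","user":"cfo","ip":"203.0.113.10","country":"ES","result":"success"}
{"ts":"2024-05-06T09:20:00Z","user":"alice","ip":"198.51.100.7","country":"RU","result":"failure"}
{"ts":"2024-05-06T09:20:05Z","user":"bob","ip":"198.51.100.7","country":"RU","result":"failure"}
{"ts":"2024-05-06T09:20:11Z","user":"carol","ip":"198.51.100.7","country":"RU","result":"failure"}
{"ts":"2024-05-06T09:20:20Z","user":"dave","ip":"198.51.100.7","country":"RU","result":"failure"}
{"ts":"2024-05-06T09:20:31Z","user":"erin","ip":"198.51.100.7","country":"RU","result":"failure"}
{"ts":"2024-05-06T09:25:02Z","user":"cfo","ip":"198.51.100.7","country":"RU","result":"success"}
"""

# Per-user baseline of countries seen in normal use (assumed; built from history).
BASELINE = {"cfo": {"ES"}, "alice": {"ES"}, "bob": {"ES"}}

def parse_events(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:  # make timestamps comparable, then sort oldest first
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, spray_users=5, spray_window=timedelta(minutes=5),
              travel_window=timedelta(hours=2)):
    """Return (rule, subject) alerts from correlated authentication signals."""
    alerts, sprayed = [], set()
    fails_by_ip = defaultdict(list)   # ip -> [(ts, user)] of failed logins
    last_success = {}                 # user -> (ts, country) of last success
    for e in events:
        if e["result"] != "success":
            fails_by_ip[e["ip"]].append((e["ts"], e["user"]))
            # Spray: many distinct users failing from one IP in a short window.
            recent = {u for t, u in fails_by_ip[e["ip"]] if e["ts"] - t <= spray_window}
            if len(recent) >= spray_users and e["ip"] not in sprayed:
                sprayed.add(e["ip"])
                alerts.append(("password_spray", e["ip"]))
            continue
        if e["ip"] in sprayed:  # a success from a spraying address: act now
            alerts.append(("success_after_spray", e["user"]))
        if e["country"] not in BASELINE.get(e["user"], set()):
            alerts.append(("new_country", e["user"]))  # unfamiliar location
        prev = last_success.get(e["user"])  # impossible-travel check
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= travel_window:
            alerts.append(("impossible_travel", e["user"]))
        last_success[e["user"]] = (e["ts"], e["country"])
    return alerts
```

Run on the sample, `correlate(parse_events(SAMPLE_LOG))` yields the spray alert for the source IP followed by three alerts on "cfo"; the point is that the success after the spray, the unfamiliar country and the impossible travel all land on the same account within minutes, which is what should trigger session revocation rather than a ticket for later.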