Credential Theft
Cybersecurity statistics about credential theft
43% of internal authentication traffic still relies on NTLM, a legacy protocol frequently abused for credential replay and privilege escalation attacks.
72% of organizations do not detect credential misuse in real time, often taking hours or sometimes days or weeks to identify unauthorized privileged access.
In the last six months, use of reverse proxies to steal Microsoft 365 credentials surged by 139%.
Credential-stealer infections were dominated by RedLine with 911,968 infections (50.80%), Lumma with 499,784 infections (27.84%), and Vidar with 236,778 infections (13.19%).
45% of MSPs who reported BYOD-related security incidents cite credential theft or account compromise as a cause.
Listings of stolen credentials linked to LummaC2 increased by 72% on underground marketplaces.
SpyCloud identified 1.1 million password manager master passwords circulating in underground sources.
23.34% of the global ecosystem have corporate credentials circulating on the dark web via stealer logs.
There is an average of 50 exposed user credentials per infostealer malware infection.
Infostealer malware led to the exposure of over 300,000 ChatGPT credentials in 2025.
Credential theft is the leading attack technique against cloud management infrastructure, cited by 67% of organizations experiencing cloud attacks.
43.6% of organizations report the use of stolen credentials as an entry vector.
One in four attacks involve stealing saved passwords from browsers to authenticate as valid users.
Credential phishing campaigns using .es domains increase 51 times year-over-year, with the .es top-level domain jumping from the 56th to the 3rd most-abused TLD.
Credentials for victims of the Play, Akira, and Rhysida ransomware groups were found on cybercrime marketplaces between 5 and 95 days prior to the reported attack.
Among the roles most vulnerable to credential theft, 28% were in Project Management, followed by Consulting (12%) and Software Development (10.7%).
The average time between credentials being found and the reported ransomware attack was 2.5 weeks.
Credentials or data were stolen in nearly half of all cyberattacks.
Over 65% of missed phishing emails across SEGs are vendor scams and credential theft.