Relying on static credentials for AI systems correlates with a 20-percentage-point increase in incident rates.

67% of organizations rely on static credentials for AI systems.

Detected sensitive-data events are led by secrets and credentials (47.9%), followed by financial information (36.3%) and health-related data (15.8%).

44% of organizations use or plan to use static API keys and 43% use or plan to use username/password combinations for agents.

45% of Canadian IT & security professionals reported that employees using weak or compromised credentials is a top security concern

48% of organizations adopted AI-enhanced phishing detection.

33% of ransomware incidents involved compromised credentials

36% of insider incidents involved user credentials.

88% of open-source Model Context Protocol (MCP) server implementations require credentials.

28% of Gen Z parents admit to sharing passwords verbally or through text or email.

46% of developers worry about AI systems sharing or leaking API credentials.

16% of organizations identify AI agents operating with user credentials as a Shadow AI concern.

In 16% of large ransomware claims, attackers leveraged compromised or weak credentials to gain entry.

Over 1.8 billion credentials were stolen in the first half of 2025 alone. The 1.8 billion stolen credentials represent an 800% increase.

The theft of credentials via information-stealing malware has skyrocketed by 800% since the start of 2025.

Of organisations that experienced attacks, 38% of breaches stemmed from compromised employee credentials.

Among non-PAM users, 8% still store credentials in spreadsheets.

68% of users admitted to reusing passwords across multiple accounts.

36% of enterprises said data breaches due to weak and stolen credentials was one of the most common ways to lose data.

One in nine (11%) password reset attempts in 2024 was a fraud attack. This rate rose to over one in four (27%) reset attempts initiated on a desktop computer.