Identity security has become a real focus in our industry, and a new study by Check Point’s Cyberint research team underscores the trend.Cyberint’s researchers found a 160% increase in leaked credentials in 2025 from the previous year.The new study supported this year’s Verizon Data Breach Investigations Report, which found that leaked credentials accounted for 22% of breaches in 2024.According to Cybernint, automation has made credential theft much easier for cybercriminals. Infostealer malware sold as a service lets even low-skilled attackers harvest login data from browsers and memory. And, AI-generated phishing campaigns mimic tone, language, and branding.Finally, once credentials are gathered, they are either sold on underground marketplaces or offered in bundles on Telegram channels and illicit forums.The Cyberint report goes beyond the mere volume of credential leaks and delves into how attackers leverage them, as well as what security teams can do in response.“Leaked credentials are the attacker’s universal skeleton key, cheap to obtain, trivial to weaponize, and valid for months,” said Nic Adams, co-founder and CEO at 0rcus. “Once exposed, they allow stealth and persistent access without tripping intrusion alarms. Defense comes down to speed of discovery and response. Organizations need adversarial-grade exposure monitoring as a live operational feed rather than quarterly audits.” Shane Barney, chief information security officer at Keeper Security explains that there are three ways attackers exploit leaked credentials:“To reduce these risks, organizations must take a comprehensive approach that secures both human and non-human identities,” said Barney. “Strong password policies and password managers help prevent weak or reused passwords. Transitioning to passkeys and passwordless authentication also reduces reliance on passwords altogether.”
- Immediate exploitation via account takeover: Threat actors will log in to compromised accounts to steal data, siphon funds or perform malicious actions while pretending to be the victim. Often this initial access is just the beginning and cybercriminals will also try to escalate privileges and move laterally across networks to expand their reach.
- Launch automated attacks like credential stuffing and password spraying: Since password reuse is still widespread, cybercriminals run these credentials through bots to test logins across banking, social media, work accounts and more. One set of credentials can unlock far more than the original breach.
- Sell them on underground forums: These are often bundled with other personal information and used for identity theft. Paired with other stolen data, credentials enable criminals to open credit accounts, apply for loans or commit tax fraud.





