Identity, Cloud Security, IAM Technologies

Stolen credentials a leading cause of cloud security incidents

A cracked password field with warning triangles, illustrating the dangers of weak security practices

Compromised credentials are the second most common triggers of public cloud security incidents, according to an Amazon Web Services report released Monday.

The Building Cloud Trust report, commissioned by AWS and produced by UK researchers Vanson Bourne, found that 20% of public cloud security incidents were triggered by compromised credentials, right behind vulnerability exploitation, which came in at 24%.

According to the report, physical theft came in next at 19%, and misconfigurations caused 16% of cloud security incidents.

“Organizations are moving everything into cloud applications and services, signifying that a compromised identity can provide access to large amounts of data and systems,” said James Maude, Field CISO at BeyondTrust. “The identity security debt accumulated by many organizations represents a far greater risk than any other area as it only takes the attacker to login using the right identity and all is lost because of the paths to privilege that abound in their environment.”

This finding around stolen credentials underscores the critical necessity for teams to establish a foundational, identity-aware, microsegmentation program, said Agnidipta Sarkar, chief evangelist at ColorTokens. Sarkar said such a program is vital for limiting an attacker's ability to exploit valid accounts and for reducing the opportunities for lateral movement within compromised networks.

“The recent convergence of cloud persistence, token replay attacks, and traditional malware illustrates how adversaries infiltrate environments and navigate freely within breached networks,” said Sarkar. “Implementing microsegmentation can effectively restrict an attacker’s lateral movements following initial access, thus significantly mitigating the overall impact of security incidents.”

Peled Eldan, head of research at XM Cyber, said as cloud usage expands and the number of employees accessing cloud environments increases, the probability that attackers will find cloud access keys among user devices rises significantly. Eldan said criminals leverage stolen credentials to bypass traditional defenses, escalate privileges, and gain deep access to cloud resources, leading to data theft, account takeovers, and costly unauthorized usage, such as cryptojacking.

"Security teams should prioritize a multi-layered approach starting with enabling MFA across all cloud accounts, which significantly raises the barrier for unauthorized access even if passwords are compromised," said Eldan. "Implementing strict identity and access management policies that enforce least privilege principles and continuous monitoring of user and token activity is critical to detect anomalies early."

Elad Luz, head of research at Oasis Security, added that as the adoption of multi-factor authentication (MFA) continues to expand, human identities will become increasingly difficult for threat actors to target.

“Consequently, we anticipate that attackers will shift more of their focus to non-human identities (NHIs), which are often secured by only a single factor and therefore present an easier target for criminals to steal user’s credentials,” said Luz.

You can skip this ad in 5 seconds