The breach you read about next quarter probably won’t start with a zero-day. It’ll start with a working password.
For the second consecutive year, Verizon’s Data Breach Investigations Report names credential abuse the leading initial access vector, present in 22% of all breaches and 88% of attacks against basic web applications. CrowdStrike’s 2026 Global Threat Report puts a sharper edge on it: 82% of detections in 2025 were malware-free. And PwC’s 2026 Annual Threat Dynamics names the trend in the plainest possible language — adversaries are “logging in rather than breaking in.”
That phrase is doing a lot of work. It captures a structural shift in how intrusions happen. The exploit hasn’t gone away — edge-device CVE exploitation actually rose 34% in the latest DBIR — but it’s no longer where most attackers start. The center of gravity has moved from the perimeter to the login page, and most security stacks haven’t fully caught up.
Why Credentials Won
The shift is supply-side. Stolen credentials aren’t scarce, expensive, or hard to come by. They are an industry, with pricing, vendors, customer support, and roughly the same UX as any legitimate SaaS product.
Four supply lines feed the credential economy, and none of them require the attacker to be sophisticated.
Infostealer logs are the freshest source. Lumma, RedLine, StealC, and similar malware infect personal devices and exfiltrate every saved password, cookie, and session token. The 2025 DBIR found credentials for company resources sitting in infostealer logs from 30% of corporate-managed devices and 46% of unmanaged devices — meaning the BYOD laptop your contractor uses at home is now a corporate access vector. The link to ransomware is direct: 54% of ransomware victims had prior credential exposure in infostealer logs before the attack.
Initial access brokers (IABs) are the wholesalers. They specialize in breaking in once, then sell working access — VPN credentials, RDP sessions, domain admin tokens — to ransomware affiliates and other downstream operators. Listings on forums like XSS and Exploit include company name, revenue, employee count, and privilege level. The buyer doesn’t need to know how the access was obtained. They just need to wire the cryptocurrency.
Breach dumps are the long tail. Years of leaked credentials from third-party breaches keep working because password reuse keeps working. The DBIR’s credential-stuffing analysis found that, in the median case, only 49% of a user’s passwords across services were distinct. Yesterday’s leaked Adobe password is today’s working corporate login.
Phishing-as-a-Service (PhaaS) is the production line for fresh credentials and live sessions. Subscription kits like Tycoon 2FA, EvilProxy, Evilginx, Sneaky 2FA, and Mamba 2FA spin up Adversary-in-the-Middle (AiTM) reverse-proxy infrastructure that defeats push-based MFA in real time. Sekoia.io tracked eleven major AiTM kits in active use in early 2025. Barracuda reports 60–70% of phishing attacks observed since early 2025 originated from PhaaS kits.
Microsoft’s Digital Crimes Unit, working with Europol, disrupted Tycoon 2FA’s infrastructure in March 2026. By Barracuda’s analysis the takedown seized hundreds of domains but did not eliminate the underlying technique — affiliates simply migrated to Mamba 2FA, EvilProxy, Sneaky 2FA, and Whisper 2FA, which had already absorbed Tycoon’s code. PhaaS, like the credential economy more broadly, is structurally resilient.
What A Valid Login Defeats
The reason this shift matters operationally is that legacy security stacks were designed around an assumption that no longer holds: that the attacker is an intruder, recognizable as foreign to the environment. When the attacker arrives with a working credential, that recognition fails.
A successful login from an expected IP address looks like normal business. The packet was always going to pass the firewall. Signature-based EDR has nothing to match because there’s no malware — attackers use PowerShell, RDP, and the same admin tools the IT team uses every day. CrowdStrike’s 82% malware-free figure is, in part, a measurement of this. Push-based MFA is bypassed entirely by AiTM kits stealing the resulting session cookie; the user authenticates successfully and the attacker walks in behind them. Default SIEM rules generally don’t fire on a successful authentication followed by routine activity, because nothing about the sequence is technically anomalous.
This is why credential-based breaches have one of the longest lifecycles in IBM’s 2025 Cost of a Data Breach Report — 246 days from initial access to containment, at an average cost of $4.67 million. Eight months of operating with compromised credentials before detection is not a detection-tool failure. It’s an architecture failure.
What Actually Works Post-Login
The defenses that hold up against this threat model don’t try to keep attackers out. They assume valid credentials may already be in adversary hands, and shift the burden to detection layers that don’t depend on the perimeter.
Phishing-resistant MFA is the single highest-leverage change. FIDO2 and passkeys are bound to the device and the origin domain, which means an AiTM proxy presenting a spoofed login page cannot complete the authentication ceremony — there is no session cookie to steal, because there is no session. Okta’s FastPass, Microsoft’s Entra phishing-resistant authentication methods, and hardware keys like YubiKey all defeat the dominant PhaaS technique by construction, not by detection.
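To make "by construction" concrete, here is an added example (not code from the article or from any vendor it names) that models the two origin-binding checks in a FIDO2/WebAuthn login. HMAC and JSON stand in for the real public-key signature and CBOR encoding so that the binding logic is what is visible; the domains, user and function names are constructed, and the relying party accepts exactly one origin.

```python
"""Added example, not part of the article: a minimal model of why a
FIDO2/WebAuthn login cannot be relayed through an AiTM reverse proxy.
HMAC and JSON stand in for the real public-key signature and CBOR encoding
so that the binding checks, not the crypto plumbing, are what is visible.
Every domain, user and function name here is constructed."""
import hashlib
import hmac
import json
import os

RP_ID = "corp.example"                           # constructed relying-party ID
RP_ORIGIN = "https://login.corp.example"         # constructed real login origin
PROXY_ORIGIN = "https://login.corp-example.com"  # constructed lookalike domain
OTHER_SUBDOMAIN = "https://files.corp.example"   # constructed sibling host


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Models a hardware key: one secret per RP ID, created at registration."""

    def __init__(self) -> None:
        self._keys = {}

    def register(self, rp_id: str):
        """Returns the verifier the RP stores in place of a public key."""
        secret = self._keys[rp_id] = os.urandom(32)
        return lambda signed, sig: hmac.compare_digest(
            hmac.new(secret, signed, hashlib.sha256).digest(), sig)

    def sign(self, rp_id: str, client_data: bytes):
        if rp_id not in self._keys:         # credentials are scoped to one RP ID
            return None
        auth_data = sha256(rp_id.encode())  # rpIdHash, as in authenticatorData
        sig = hmac.new(self._keys[rp_id], auth_data + sha256(client_data),
                       hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def browser_get_assertion(page_origin, rp_id, challenge, key):
    """The browser, not the page's JavaScript, records the true origin in
    clientData and refuses an RP ID that is not the page's host or a parent
    domain of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    return key.sign(rp_id, client_data)


class RelyingParty:
    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self._pending = set()
        self._credentials = {}

    def enroll(self, user: str, verifier) -> None:
        self._credentials[user] = verifier

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, user: str, assertion) -> bool:
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        challenge = bytes.fromhex(cd["challenge"])
        if cd.get("type") != "webauthn.get" or challenge not in self._pending:
            return False
        self._pending.discard(challenge)          # single use, so no replay
        if cd.get("origin") != self.origin:       # exact-origin check
            return False
        if assertion["auth_data"] != sha256(self.rp_id.encode()):
            return False
        signed = assertion["auth_data"] + sha256(assertion["client_data"])
        return self._credentials[user](signed, assertion["sig"])


def setup():
    rp, key = RelyingParty(RP_ID, RP_ORIGIN), Authenticator()
    rp.enroll("alice", key.register(RP_ID))
    return rp, key


def legitimate_login() -> bool:
    rp, key = setup()
    return rp.verify("alice", browser_get_assertion(RP_ORIGIN, RP_ID, rp.new_challenge(), key))


def aitm_relay() -> bool:
    """The proxy forwards the real challenge to a victim on the lookalike page.
    Keeping the real RP ID makes the browser refuse; rewriting it to the
    proxy's own domain finds no credential on the key. Nothing usable returns."""
    rp, key = setup()
    challenge = rp.new_challenge()
    a = browser_get_assertion(PROXY_ORIGIN, RP_ID, challenge, key)
    b = browser_get_assertion(PROXY_ORIGIN, "corp-example.com", challenge, key)
    return rp.verify("alice", a) or rp.verify("alice", b)


def sibling_host_login() -> bool:
    """Another host under the RP ID passes the browser's RP ID rule and gets
    a signature, but the RP's exact-origin check still rejects it."""
    rp, key = setup()
    return rp.verify("alice", browser_get_assertion(OTHER_SUBDOMAIN, RP_ID, rp.new_challenge(), key))
```

The point the model makes is that both sides enforce the binding: the browser refuses to involve the key unless the RP ID matches the page it is really on, and the relying party refuses any assertion whose recorded origin is not its own. A proxy that relays the challenge gets either no assertion at all or one the server will not accept, and because the challenge is consumed on first use, a captured assertion cannot be replayed either.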
The remaining controls assume MFA can fail. Conditional access policies that re-evaluate risk on every sensitive action, short-lived tokens, just-in-time privilege elevation, and identity-anomaly detection (impossible travel, atypical user-agent strings, abnormal application access patterns) all operate after the login completes. They treat authentication as a continuous process rather than a one-time gate.
For SOC teams, the practical detection shift is from signature-based alerting to behavioral baselining. The DBIR’s note that credential stuffing accounts for 19% of all daily authentication attempts on a median basis is itself a data point: at that volume, “successful authentication” is meaningless on its own. What’s anomalous is the pattern — first login from a new ASN, immediately followed by inbox-rule creation and privileged group enumeration.
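As an added example that is not part of the article, the following detection encodes that pattern over constructed sample telemetry: learn each user's ASNs during a baseline period, then alert when a successful login from an ASN never seen for that user is followed within a short window by inbox-rule creation or privileged-group enumeration. The log format, field names, event names and ASNs are assumptions to be mapped onto your own identity-provider sign-in and audit feeds.

```python
"""Added example, not from the article: a sequence detection for the pattern
the text describes, a successful login from an ASN never seen for that user
followed shortly by inbox-rule creation or privileged-group enumeration.
Log format, field names, event names and ASNs are constructed; map them onto
your own identity-provider sign-in and audit feeds."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed telemetry, normalised to one JSON object per line. Events before
# BASELINE_UNTIL are the learning period; everything after is evaluated.
SAMPLE_LOGS = """
{"ts":"2026-03-02T08:01:00Z","user":"alice","event":"login","result":"success","asn":"AS64500"}
{"ts":"2026-03-02T08:05:00Z","user":"alice","event":"mail_read"}
{"ts":"2026-03-03T08:02:00Z","user":"alice","event":"login","result":"success","asn":"AS64500"}
{"ts":"2026-03-03T09:10:00Z","user":"alice","event":"inbox_rule_created","rule":"archive-newsletters"}
{"ts":"2026-03-10T02:14:00Z","user":"alice","event":"login","result":"success","asn":"AS64511"}
{"ts":"2026-03-10T02:16:00Z","user":"alice","event":"inbox_rule_created","rule":"rule-7f3a"}
{"ts":"2026-03-10T02:19:00Z","user":"alice","event":"group_enumeration","group":"Domain Admins"}
{"ts":"2026-03-10T03:00:00Z","user":"bob","event":"login","result":"success","asn":"AS64512"}
{"ts":"2026-03-10T03:05:00Z","user":"bob","event":"mail_read"}
{"ts":"2026-03-10T04:00:00Z","user":"carol","event":"login","result":"failure","asn":"AS64513"}
{"ts":"2026-03-10T04:01:00Z","user":"carol","event":"inbox_rule_created","rule":"rule-9c21"}
"""
BASELINE_UNTIL = datetime(2026, 3, 9, tzinfo=timezone.utc)
FOLLOW_ON_EVENTS = {"inbox_rule_created", "group_enumeration"}
WINDOW = timedelta(minutes=30)


def parse(text: str) -> list:
    """One dict per line, timestamps parsed, sorted oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events: list, until: datetime) -> dict:
    """ASNs each user successfully logged in from during the learning period."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < until and e["event"] == "login" and e["result"] == "success":
            baseline[e["user"]].add(e["asn"])
    return baseline


def detect(events: list, baseline_until: datetime, window: timedelta = WINDOW) -> list:
    """Return one alert per (user, new-ASN login) that is followed by at
    least one follow-on event inside the window."""
    baseline = build_baseline(events, baseline_until)
    watches = {}      # user -> open watch started by a new-ASN login
    alerts = []
    for e in events:
        if e["ts"] < baseline_until:
            continue
        user = e["user"]
        if e["event"] == "login":
            if e["result"] != "success" or e["asn"] in baseline[user]:
                continue  # failed logins and known ASNs never open a watch
            watches[user] = {"user": user, "asn": e["asn"],
                             "login_ts": e["ts"], "triggers": []}
            baseline[user].add(e["asn"])   # one alert per new ASN, not per login
            continue
        watch = watches.get(user)
        if watch is None or e["event"] not in FOLLOW_ON_EVENTS:
            continue
        if e["ts"] - watch["login_ts"] > window:
            del watches[user]              # too late to tie to that login
            continue
        if not watch["triggers"]:
            alerts.append(watch)           # first trigger promotes watch to alert
        watch["triggers"].append({
            "event": e["event"],
            "minutes_after_login": (e["ts"] - watch["login_ts"]).total_seconds() / 60,
        })
    return alerts


def run() -> list:
    return detect(parse(SAMPLE_LOGS), BASELINE_UNTIL)


if __name__ == "__main__":
    print(json.dumps(run(), indent=2, default=str))
```

On the constructed data only alice's session is promoted to an alert: bob's login is from an unseen ASN but is followed by routine mail reads, and carol's inbox rule follows a failed login, so neither opens a chain. Note that a user with no learning history (bob) is treated as having no known ASNs at all; in production you would set a minimum baseline before trusting that comparison, and feed the "known ASN" set from a longer window than the three-day sample here.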
The Argument Going Forward
The “logging in, not breaking in” framing isn’t a slogan. It’s an accurate description of what 22% of breaches and 88% of web application attacks now look like, backed by a credential supply chain that is industrial in scale, structurally resilient to law enforcement disruption, and economically rational for attackers.
The defenders who handle this well stop investing incrementally in keeping attackers out, and start investing in detection and response that assume attackers are already authenticated. Those who don't will keep paying $4.67 million per breach and detecting compromise eight months too late.
The lock isn’t the problem. The key economy is.