- What: Analysis of the credential crisis in cybersecurity
- Impact: Highlights challenges in preventing and responding to credential-based attacks
Identity & Access

The Credential Crisis: How Stolen Credentials Defeat Modern Security

As AI accelerates phishing, session hijacking, and credential abuse, security teams are racing to close the gap between attacker speed and defensive response.

By Kevin Townsend | May 27, 2026 (6:30 AM ET)

Preventing credential compromise and surviving compromised credentials is not theoretically impossible, but it is difficult in practice and shows no sign of getting easier.

Credentials

The modern cyber use of the word 'credentials' stems from the Latin 'credere': to believe. As society evolved into the Middle Ages, the early notion of 'Believe me. I am Socrates' became 'Believe this physical letter that proves I am Socrates.' Those physical letters became known as 'credentialis', a paper that authenticated the bearer. In today's cyber world, we call that paper 'credentials'. It is no longer physical but virtual, and the meaning has expanded to 'you can trust in the belief that I am who I say I am and you can treat me as such: I am Socrates.' Socrates is the identity, and the credentials prove it.

Cyber credentials

In cyber today, credentials are largely categorized in two major groups: those for human identities, and those for machine and non-human identities. Human identity credentials can include passwords, passkeys, biometrics, soft and hardware tokens, and more. Non-human identities can include APIs, SSH keys, X.509 certificates, service accounts, session tokens and keys, and more. Session tokens require particular notice, since a company may have 3,000 employees but 300,000 active tokens; and session tokens are scraped by one of credentials' most common bêtes noires: infostealers.

It is worth remembering there are two stages: the theft of credentials is 'credential compromise', while a consequent breach is by 'compromised credentials'.
"Compromise does not necessarily mean the credentials have already been used. It means they are no longer exclusively controlled by the legitimate user," explains Ran Geva, CEO and co-founder at Webz.io. But they could be used. And by the nature of what they are, if used, they are automatically trusted as the legitimate user.

"The defining trait," adds Erin Meyers, identity expert at Huntress, "is that the attacker isn't 'breaking in' the traditional way; they're logging in (or reusing an already-authenticated session) and inheriting the [legitimate] user's permissions, making malicious activity blend into normal access patterns."

From the system's perspective, agrees Ariel Parnes, co-founder and COO at Mitiga, "the resulting activity appears authorized, making detection uniquely challenging."

Dan Schiappa, president of technology and services at Arctic Wolf, adds, "Credential compromise is one of, if not the most useful and widespread, tactics of threat actors, since it can be carried out with minimal technical skill to gain easy access to target environments."

Sometimes, perhaps too often, the only credentials required are a username and password. In such cases, warns Bob Long, president for the Americas at Daon, "A single simple successful compromise can create a cascade of risk across multiple accounts, especially if the same credentials are reused."

Reinhard Hochrieser, SVP of product and technology at Jumio, warns that social security numbers (SSNs) and government-issued IDs are also credentials. "Fraudsters use this data to carry out sophisticated attacks, which include the manipulation of those IDs and the creation of AI-generated deepfakes to bypass biometric checks… making smaller targets like everyday individuals more worthwhile to fraudsters."

Credential compromise, summarizes Jan Bee, CISO at TeamViewer, "allows attackers to bypass perimeter controls, evade detection, and operate inside trusted workflows.
As a result, protecting infrastructure alone is no longer sufficient. Protecting identity continuously is now foundational."

Theft of credentials

Before a breach can be caused by a compromised credential, the credential must first be acquired (stolen) by an attacker. We can and should make this as difficult as possible, but it is unlikely we will ever be able to prevent the theft of credentials. The primary cause is the traditional agility gap: the time between threat actors' adoption of new techniques and security's ability to adapt defenses to the new threat.

AI provides an excellent example. Phishing remains the primary attack against individual credentials, but AI can produce compelling deepfakes with realistic backstories. There is no technology that can guarantee detection and prevention of this; it largely depends upon the human target's personal risk tolerance and intuition. Torsten George, CMO at ID Dataweb, comments, "I recently got an email from the CEO. It wasn't his usual email address, and the tone was a bit off. So, I sent him separately, via Teams, a screenshot of the email and asked him if he had sent it. He hadn't." If in doubt, double check.

But an attacker doesn't need to use technology, as Scattered Spider has illustrated. "Pretend to be a high-ranking VP, five minutes away from a customer meeting, and you can no longer access your files. Call the Help Desk," continues George. "That sort of pressure from a superior is often sufficient for the Help Desk person to effectively hand over the keys to the kingdom. This allows the attackers to move laterally until they find the crown jewels and exfiltrate them."

Whether phishing or scamming, it's all based on social engineering that exploits human weaknesses. Meyers suggests a partial solution can be found in Identity Security Posture Management. "ISPM answers which identities are most likely to be compromised next?
It tells you which credentials attackers will target, and why."

It's not just individual credentials that are under threat. Schiappa comments, "According to our latest threat report, phishing attacks accounted for 85% of all incident responses. However, credential theft attacks can also occur via data exfiltration, infostealer malware and man-in-the-middle attacks."

Infostealers remain a major threat against credentials. Once on a victim's system, they scrape passwords (and much more) and send them back to the attacker.

The X-Force 2025 Threat Intelligence Index (published February 25, 2026) states that of 400,000 tracked vulnerabilities, 56% required no authentication prior to exploitation. "So, we have attackers exploiting systems through remote code execution without authentication," comments Michelle Alvarez, manager at X-Force Threat Intelligence. "Maybe they upload a file to a server that does not require authentication, and then boom, they're in. So, no credentials needed, no MFA to bypass." And potentially more credentials stolen.

Knowing credentials have been compromised

If we cannot prevent the theft of credentials, can we at least discover if they have been stolen and are available to bad actors? A stolen credential is an indicator that you could be attacked at any time. As with liberty, the cost of protection is eternal vigilance, which is usually elusive.

"There are companies that monitor the dark web for breach data and notify individuals if their information appears in exposed datasets, and while that can provide useful insight, it's not something people can rely on completely," says Long.

"For consumers," says Renee Burton, VP of threat intel at Infoblox, "one of the easiest ways to check is by using public breach notification services such as haveibeenpwned, where you can enter your email address and see if it has appeared in known data breaches.
That can provide some visibility, but it is not a complete picture."

But Hochrieser warns, "Finding out if your credentials have been stolen is nearly impossible. If your email is compromised, you may get a notification, but when it comes to biometrics, there are no public services that can tell you whether or not that data got compromised in a breach."

Parnes suggests, "Use dedicated breach intelligence databases, including public repositories (such as 'Have I Been Pwned') and Dark Web Monitoring services (often offered by password managers and identity protection solutions that monitor 'stealer logs', private marketplaces where hackers sell credentials before they ever hit public databases)."

There is no simple, single solution. "Detection requires multiple approaches," says Geva, noting breach dataset monitoring, dark web and marketplace monitoring, infostealer log intelligence, closed forum scraping, and Telegram channel monitoring. It was the complexity and time-consuming nature of monitoring all these sources for every credential loss that prompted Geva to launch the free-to-use lunarcyber.com (commonly known as Lunar) in late 2025. It does all the monitoring for you, constantly checking for signs of compromise. "Lunar gives organizations early visibility into exposed credentials and identity artifacts, so they can act before attackers do," he explains. "Lunar also includes advanced intelligence focused specifically on infostealer malware, which can indicate when company endpoints have been breached and when attackers have extracted high-value artifacts like session cookies and real-time username/password captures. This matters because even if a user changes their password, stolen sessions and tokens can remain valid and continue to provide access."

From credential compromise to compromised credential breach

The basic problem remains: absence of proof is not proof of absence.
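Burton and Parnes point to breach lookup services as a first check. Looking up a password, rather than an email address, raises a further concern: the secret being checked must not itself be handed to the lookup service. That is why Have I Been Pwned's Pwned Passwords service uses a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix the server holds under that prefix together with a count, and performs the match locally. The example below is added here and is not code from the article, from Webz.io, or from Have I Been Pwned. It implements both halves of that exchange against a constructed in-memory corpus with made-up counts so that it runs offline; the corpus contents and all function names are assumptions.

```python
import hashlib
from typing import Callable, Dict, List

PREFIX_LEN = 5  # the same prefix length the Pwned Passwords range API uses


def _sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range protocol works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: full hash -> number of times seen.
# The entries and counts are invented for this example and carry no real-world meaning.
SAMPLE_CORPUS: Dict[str, int] = {
    _sha1_hex("password"): 12345,
    _sha1_hex("123456"): 67890,
    _sha1_hex("letmein"): 42,
}


def range_lookup_local(prefix: str, corpus: Dict[str, int] = SAMPLE_CORPUS) -> str:
    """Server half of the protocol: given only a 5-character prefix, return every
    matching suffix with its count, one 'SUFFIX:COUNT' per line (CRLF separated)."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    lines: List[str] = [
        f"{digest[PREFIX_LEN:]}:{count}"
        for digest, count in corpus.items()
        if digest.startswith(prefix)
    ]
    return "\r\n".join(lines)


def exposure_count(password: str, lookup: Callable[[str], str]) -> int:
    """Client half: hash locally, send only the prefix, match the suffix at home.
    Returns how many times the password appeared in the corpus (0 if absent)."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in lookup(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def passes_breach_policy(password: str, lookup: Callable[[str], str], max_seen: int = 0) -> bool:
    """Policy helper: reject any password seen more than `max_seen` times."""
    return exposure_count(password, lookup) <= max_seen


if __name__ == "__main__":
    for candidate in ("password", "letmein", "correct horse battery staple"):
        print(candidate, "->", exposure_count(candidate, range_lookup_local))
```

The point to take from the shape of `exposure_count` is that the lookup function only ever receives the five-character prefix; a production client would replace `range_lookup_local` with an HTTPS call carrying that prefix, and nothing else about the secret leaves the machine. Counts of zero mean "not in this corpus", which, as the article notes, is not the same as "not stolen".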
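Geva's closing point, that stolen sessions and tokens can outlive a password change, comes down to whether the session store ties each session to the credential that minted it. The following is an added example, not code from the article, from Webz.io or Lunar, and not any vendor's implementation: a minimal in-memory user and session store in which `validate_naive` accepts any unexpired session (the behaviour that keeps a stolen session alive), while `validate` also requires the session to carry the user's current `credential_version`, and `revoke_sessions` deletes a user's sessions outright. The class and function names, the PBKDF2 round count and the constructed user data are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly; tune upward in production


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    credential_version: int = 1  # bumped on every password change or reset


@dataclass
class Session:
    username: str
    credential_version: int  # version of the credential that was current at login
    expires_at: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class SessionStore:
    """In-memory stand-in for a user table plus a session table (constructed for this example)."""

    def __init__(self, ttl_seconds: float = 8 * 3600) -> None:
        self.ttl = ttl_seconds
        self._users: Dict[str, User] = {}
        self._sessions: Dict[str, Session] = {}  # keyed by SHA-256 of the bearer token

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a copy of the session table is not itself usable.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = User(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Verify the password and mint a bearer token; returns None on failure."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, _hash_password(password, user.salt)):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(username, user.credential_version, now + self.ttl)
        return token

    def validate_naive(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Accept any unexpired session. A stolen session survives a password change here."""
        now = time.time() if now is None else now
        session = self._sessions.get(self._key(token))
        if session is None or now >= session.expires_at:
            return None
        return session.username

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Additionally require that the session was minted under the user's current credential version."""
        username = self.validate_naive(token, now)
        if username is None:
            return None
        key = self._key(token)
        if self._sessions[key].credential_version != self._users[username].credential_version:
            del self._sessions[key]  # lazy revocation: the session predates the credential change
            return None
        return username

    def change_password(self, username: str, new_password: str) -> None:
        """Rotate the password and bump the version so every earlier session becomes stale."""
        user = self._users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.credential_version += 1

    def revoke_sessions(self, username: str) -> int:
        """Eager revocation: delete every session row for the user; returns how many were removed."""
        stale = [k for k, s in self._sessions.items() if s.username == username]
        for k in stale:
            del self._sessions[k]
        return len(stale)


if __name__ == "__main__":
    store = SessionStore()
    store.add_user("alice", "correct horse battery staple")  # constructed sample user
    token = store.login("alice", "correct horse battery staple")
    store.change_password("alice", "a different passphrase")
    print("naive validator after password change:", store.validate_naive(token))
    print("versioned validator after password change:", store.validate(token))
```

The two mechanisms are complementary rather than alternatives: bumping `credential_version` also covers tokens that live outside the table (for instance stateless tokens that embed the version), while `revoke_sessions` gives the immediate effect an incident responder wants when a session cookie is known to have been scraped. When reviewing an application, the question to ask is whether a password reset calls something equivalent to both.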
"Credentials may be misused long before breach information is identified and communicated back to the affected individual. By the time a notification arrives, the attacker may already have exploited the access," says Long. The first indication of cred