The First Domino: How Credential Theft Leads to Bigger Breaches

In 2024, we collected 2.9 billion unique sets of compromised credentials—a jump from the 2.2 billion collected in 2023. While this rise can be explained by advancement in Bitsight’s credential collection capabilities, we assess that the precise number of credentials shared on the underground has also risen, fueled by increased data breaches and the spike in stealer logs. This significant increase in just one year highlights the growing threat landscape and the relentless activity of cybercriminals, all of which can be explored in more detail in our 2025 State of the Underground report. But what exactly are compromised credentials, and why should we care?

What is credential compromise?

Compromised credentials refer to login information—such as email addresses, usernames, passwords, and associated URL domains—that have been exposed or leaked across the deep, dark, or even on the publicly accessible clear web. Bitsight defines a compromised credential as “a unique credential set [which] includes a previously unseen combination of email, username, password, and URL domain.” This definition is important because it ensures that we only count truly new and unique credential leaks. Threat actors frequently repost or resell previously leaked or stolen data, meaning that many credential dumps on the dark web contain duplicates or outdated information.

Our methodology filters out these duplicates to avoid inflating the numbers and to give a more accurate picture of the threat. We scan for duplicates when logging exposed credentials, and if a credential, password, and domain have been seen together previously, we note that on our platform so users know exactly when credentials are first seen for sale on the dark web. 

How credentials get compromised

But how do these credentials get compromised in the first place? There are several common methods:

• Phishing attacks continue to be a major contributor—where attackers trick users into willingly handing over their credentials through fake login pages or deceptive emails.
• Large-scale data breaches also remain a primary source of exposed credentials, with organizations across industries falling victim to security lapses.
• Credential stuffing, in which attackers use automated tools to test large volumes of stolen username-password pairs against different websites, hoping for a match.
• Malware—specifically, the rise of stealer malware—which is particularly troublesome. These lightweight, often undetected pieces of malicious software are designed with a singular, focused goal: to silently steal credentials from infected systems.
• Logs and cookies can pose a security risk. If an attacker steals a valid session cookie — often issued after MFA — they can bypass authentication entirely and access the account without needing a password or second factor.

How compromised credentials lead to breaches

At this point, you might be thinking: “Okay, so some credentials were stolen—big deal.” But it is a big deal. Really big. When threat actors gain access to stolen login information, they can use it to infiltrate corporate systems, take over user accounts, and exfiltrate sensitive data. According to research from Silverfort, compromised credentials are among the most commonly used vectors in modern cyberattacks. They enable attackers to bypass traditional security measures, escalate privileges, and move laterally within a network, all while remaining undetected for extended periods. While attackers may target any credentials, those with administrative privileges are particularly valuable. These credentials enable threat actors to move freely throughout a victim’s system, giving them the ability to escalate their attack, access sensitive data, and potentially compromise the entire network.

In short, the spike in compromised credentials is more than just a number—it’s a reflection of how cyber threats are evolving. The volume, variety, and sophistication of credential-based attacks are growing, and every leaked set of credentials represents a potential breach waiting to happen.

Recent examples

RockYou2024 leak is one of the largest breaches of passwords in history. This occurred in July 2024, and was a compilation of breaches dating from 2021-2024 totaling 10 billion unique passwords from an estimated 4000 databases. This breach underscores the importance of unique passwords and MFA. 

In January 2025, a breach occurred in which over 60 million teachers and students were impacted. The attackers gained access to PowerSchool software by leveraging an exposed set of credentials. This highlights the domino effect of leaked credentials, just one username, password, and domain set can lead to massive breaches.

Mitigation strategies

So, with credential harvesting attacks on the rise, the question becomes: how do we effectively protect ourselves—both as individuals and organizations—from these increasingly sophisticated threats?

Multi-Factor Authentication (MFA)

One of the most effective defenses against credential-based attacks is Multi-Factor Authentication (MFA). MFA adds an extra layer of security by requiring users to verify their identity through two or more methods: something they know (like a password), something they have (like a smartphone or security token), or something they are (biometric data like a fingerprint or facial recognition). Even if an attacker manages to steal a password, MFA significantly reduces the likelihood that they’ll be able to gain access to the associated account.

Strong, unique passwords

Equally important is strong password hygiene. Users should always create complex, unique passwords for every account—ideally using a mix of uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessed information like pet names, birthdates, or street addresses. Password reuse across multiple accounts is especially dangerous, as a breach of one service can lead to unauthorized access across many others. A reliable password manager can help users securely generate and store strong passwords without the need to memorize them all.

Regular security audits

On a broader scale, organizations must take a proactive approach to cybersecurity, starting with routine security hygiene practices. This includes regularly auditing user access privileges, monitoring for unusual login behavior, and scanning for exposed credentials on the dark web. Keeping software and systems fully up-to-date with the latest patches also helps close known vulnerabilities before they can be exploited.

Endpoint protection

Another essential layer of defense is endpoint protection. Comprehensive endpoint security solutions can detect, quarantine, and eliminate malware before it has a chance to steal credentials or spread across the network. This is especially critical given the rise of credential-stealing malware like info stealers and keyloggers, which often infiltrate systems silently and operate without triggering traditional antivirus alarms.

User education

In addition, employee training and awareness play a crucial role. Many credential harvesting attacks—such as phishing campaigns—rely on human error to succeed. Regular training helps users recognize suspicious emails, fake login pages, and social engineering tactics. The more informed users are, the harder it becomes for attackers to trick them into handing over sensitive information.

Stay ahead with credential monitoring

In summary, defending against credential harvesting requires a multi-layered approach. Strong authentication, robust password practices, continuous monitoring, effective endpoint protection, and user education all work together to create a resilient defense posture. While no single solution is foolproof, a combination of these strategies can significantly reduce the risk of credentials being stolen and exploited.

The dramatic rise in the number of compromised credentials is more than just a reflection of increased cybercriminal activity—it’s a fundamental shift in the threat landscape. Credentials are no longer just keys to accounts; they are keys to entire digital infrastructures. And with nearly 3 billion unique sets of credentials leaked in 2024 alone, it’s not a question of if a business or individual will be targeted, but when.

In response to the growing threat of credential theft, Bitsight has made significant advancements in its credential collection and monitoring capabilities. Using our Access Currently for Sale dashboard in the Identity Intelligence module, users get a streamlined view of their organization's exposure to underground compromised access markets, also known as Initial Access Broker (IAB) markets. This data is based on the assets (domains and IPs) that are listed in an organization’s attack surface, so you can prioritize remediation activities or instigate a dark web purchase to remove specific credentials from the underground. Bitsight customers receive exclusive access to our leaked credential tracking features, allowing them to quickly determine if a set of credentials has been exposed on the dark web. Additionally, customers can also customize alerts tailored to their needs, allowing them to effortlessly track dark web activity, exposed credentials, and emerging threats. Even better, Bitsight also monitors your third-party vendors and alerts you to any risks they may face — helping ensure you're protected on all fronts.

By combining intelligent automation with detailed threat intelligence, Bitsight helps organizations stay one step ahead of cybercriminals. Our proactive monitoring means that if your credentials are compromised, you'll know—before it becomes a breach. See for yourself in our interactive Identity Intelligence product tour.