Identity risk in 2025: credential reuse, token theft, and OAuth abuse in practice
CybersecurityHQ Report - Pro Members

Welcome reader to a pro subscriber-only deep dive.
Brought to you by:
Smallstep - Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat - AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
Executive Summary
Identity has decisively emerged as the primary attack surface in enterprise security. The 2024-2025 threat landscape demonstrates an unmistakable shift: attackers are no longer breaking in -- they are logging in. Credential theft surged 160 percent in 2025 alone,¹ while stolen credentials accounted for 22 percent of all data breaches in 2024.² This represents a fundamental evolution in threat actor methodology, from exploiting software vulnerabilities to systematically harvesting and weaponizing authentication artifacts.

The financial impact is quantifiable and severe. Organizations experienced 3,158 publicly reported data breaches in 2024, resulting in 1.35 billion victim notifications -- a 211 percent year-over-year increase.³ The average cost per breach reached 4.44 million dollars, with credential-based attacks requiring the longest time to identify and contain.⁴ Four of 2024's largest breaches -- affecting over 1.24 billion records -- could have been prevented through multifactor authentication (MFA) implementation alone.⁵

Three distinct threat vectors dominate the current landscape. First, sophisticated session hijacking operations now bypass MFA entirely by stealing authentication tokens rather than passwords, with 73 percent of such incidents targeting cloud-based enterprise platforms.⁶ Second, OAuth consent phishing has industrialized, with threat actors manipulating employees into authorizing malicious applications that provide persistent API-level access.⁷ Third, infostealer malware has proliferated dramatically, with 80 percent of the Snowflake breach accounts compromised through credentials extracted by these tools.⁸

Regulatory pressure is intensifying simultaneously. The European Union's Digital Operational Resilience Act (DORA) became enforceable January 17, 2025, mandating risk-based access controls and automated governance for financial entities.⁹ The Network and Information Security Directive (NIS2) requires member state compliance by October 2024, imposing fines up to 10 million euros or 2 percent of global revenue for noncompliance.¹⁰ These frameworks converge on identity as the foundational control plane, explicitly requiring phishing-resistant authentication and continuous access validation.

Organizations responding effectively are adopting three strategic priorities. First, transitioning to passwordless authentication through FIDO2 and passkeys, with Gartner forecasting that 50 percent of the workforce will be passwordless by year-end 2025.¹¹ Second, implementing identity threat detection and response (ITDR) capabilities to monitor authentication patterns in real time. Third, redesigning governance models from periodic access reviews to continuous, policy-driven enforcement aligned with Zero Trust Architecture principles defined in NIST SP 800-207.¹²

The board-level imperative is clear: identity security is no longer an IT concern but an enterprise risk requiring C-suite attention and strategic investment. This report provides CISOs and risk executives with a framework for elevating identity resilience through evidence-based prioritization, architectural modernization, and measurable governance improvements.