AI-powered cyberattacks drive record surge in stolen logins and global data breaches.
Key Takeaways:
As credential-based attacks surge to unprecedented levels, now driving more than one in five data breaches, IT leaders are confronting a pivotal moment in cybersecurity strategy. In 2025 alone, leaked credentials spiked by over 160%, with a single breach exposing 16 billion records from tech giants like Google and Facebook.
According to new research from Check Point, AI-powered phishing and malware-as-a-service have made credential theft more accessible to less experienced attackers. These tools automate the creation of convincing phishing lures and deploy infostealers that harvest login data from infected devices.
In 2024, stolen credentials were the root cause of 22% of data breaches, surpassing other methods such as phishing and vulnerability exploitation. These attacks are often highly effective because they allow threat actors to impersonate legitimate users without triggering security alerts.
The research found that the rate of credential theft is higher in Brazil and India, likely due to their large populations and lower cybersecurity awareness. Compared to 2024, the U.S. saw a decline in credential leaks in 2025. The other most affected countries are Indonesia, Pakistan, Vietnam, Egypt, Türkiye, the Philippines, and Argentina.
The leaked credentials were tied to popular domains such as Google, Facebook, Discord, Microsoft, and Roblox. Hackers commonly steal credentials with infostealers that extract saved passwords and cookies, through phishing, by exploiting vulnerabilities in databases, and by deploying malware that captures login information directly from the victim's device.

Hackers exploit stolen credentials in several ways. For instance, they use account takeovers for phishing, financial fraud, and impersonation of trusted employees or brands. Moreover, the attackers perform cross-account attacks by leveraging reused passwords across personal and work accounts. They also use compromised logins to spread spam or manipulate social media, as well as engage in ransomware-style extortion.
“Once threat actors obtain the credentials for a legitimate user – which they can do by breaking into databases or launching phishing attacks, among other methods – they can simply log in as if they were that user. In turn, they can access any resources available to that user,” the researchers explained. “And they can typically do so without being easily detected, since they are not bypassing security controls or disabling systems.”
Check Point researchers advise that organizations can mitigate credential-based attacks through a multi-layered approach that combines preventive controls, early detection, and automated response. Administrators should enforce strong password policies and multi-factor authentication (MFA), limit login attempts, and apply the Principle of Least Privilege (PoLP) to minimize exposure.
Additionally, companies should invest in threat intelligence tools that monitor the deep and dark web for leaked credentials. This helps them quickly identify and revoke compromised accounts before attackers exploit them. It is also important to educate employees about phishing, secure third-party access, and integrate detection systems with SIEM/SOAR platforms.
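As an added illustration of two of the controls above (limiting login attempts, and feeding detections to a SIEM/SOAR), the following example is not Check Point's code or the article's; it runs two rules over a constructed authentication log. The per-account lockout rule catches repeated failures against one user, but a credential-stuffing source that tries a reused password once against many different accounts never trips it, so a second, per-source rule is needed. The log format, thresholds and alert fields are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=10)
MAX_FAILS_PER_USER = 3     # lockout threshold, i.e. the article's "limit login attempts"
MIN_USERS_PER_SOURCE = 5   # one source failing against many accounts: credential stuffing

# Constructed sample auth log (not from the article): "<ISO time> <OK|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """2025-06-01T10:00:01 FAIL user=alice ip=203.0.113.7
2025-06-01T10:00:02 FAIL user=bob ip=203.0.113.7
2025-06-01T10:00:03 FAIL user=carol ip=203.0.113.7
2025-06-01T10:00:04 FAIL user=dave ip=203.0.113.7
2025-06-01T10:00:05 FAIL user=erin ip=203.0.113.7
2025-06-01T10:00:06 OK user=frank ip=203.0.113.7
2025-06-01T10:05:00 FAIL user=alice ip=198.51.100.9
2025-06-01T10:05:10 FAIL user=alice ip=198.51.100.9
2025-06-01T10:05:20 FAIL user=alice ip=198.51.100.9
"""

def parse_line(line):
    """Split "<ts> <result> user=<u> ip=<a>" into (timestamp, result, user, ip)."""
    ts, result, user_kv, ip_kv = line.split()
    return datetime.fromisoformat(ts), result, user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]

def window_hits(events, measure, threshold):
    """events: sorted (timestamp, value) pairs. True if any WINDOW-long slice scores >= threshold."""
    start = 0
    for end, (t, _) in enumerate(events):
        while t - events[start][0] > WINDOW:
            start += 1
        if measure([v for _, v in events[start:end + 1]]) >= threshold:
            return True
    return False

def detect(log_text):
    """Return SIEM-style alerts: per-user lockouts and per-source credential-stuffing hits."""
    fails_by_user = defaultdict(list)   # user -> [(ts, ip)]
    fails_by_ip = defaultdict(list)     # ip   -> [(ts, user)]
    for line in log_text.strip().splitlines():
        ts, result, user, ip = parse_line(line)
        if result == "FAIL":            # successful logins are not counted against anyone
            fails_by_user[user].append((ts, ip))
            fails_by_ip[ip].append((ts, user))
    alerts = []
    for user, ev in sorted(fails_by_user.items()):
        if window_hits(sorted(ev), len, MAX_FAILS_PER_USER):
            alerts.append({"rule": "lockout", "key": user, "action": "lock account, require MFA"})
    for ip, ev in sorted(fails_by_ip.items()):
        if window_hits(sorted(ev), lambda users: len(set(users)), MIN_USERS_PER_SOURCE):
            alerts.append({"rule": "credential_stuffing", "key": ip, "action": "block source, review its OK logins"})
    return alerts
```

On the sample log, only alice is locked out (four failures within ten minutes), while the stuffing source 203.0.113.7 is flagged even though every other account it touched failed just once; its one successful login (frank) is the one to review first.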