min read

Top Data Breach Attack Methods: Credentials and Identities

Data breach attack methods

Most companies understand the potentially catastrophic impact of a data breach. Having your business’ systems or sensitive data accessed by an external actor is a nightmare scenario, hence the plethora of SaaS security solutions now on the market. 

But it’s critical to note that one of the most popular methods used by attackers to obtain your company’s sensitive data isn’t traditional “hacking” into your system. Instead, according to the Verizon 2024 Data Breach Investigations Report, one of the most-used ways that bad actors stole data was via nefariously obtained credentials. 

Attacks using real credentials, either through credential-stuffing attacks or buying credentials, was the method behind 37% of the data breaches in 2024 analyzed by Verizon.

The report notes that this is not a new phenomenon. Verizon notes that in the last decade, stolen credentials have been the source of nearly one-third (31%) of breaches.

So why are credentials such a popular tool for data breaches? We’ll discuss where attackers obtain these credentials, and the best practices for protecting your organization from a data breach in 2024.

Identity and credential-based data breaches: Methods used by attackers

Bad actors use four main attack strategies to obtain credential and identity information, which they then use to access your organization’s internal data and systems.

Phishing and other social engineering stratagems

In these types of attacks, bad actors reach out to employees at your organization under false pretenses. 

This may be in the form of a spoofed message that appears to come from a senior executive at your organization, or an email that purports to be from a vendor or a client.

They may ask directly for credentials or contain a link that sends the email recipient to an official-looking page to “login” or “verify.” These persuasive-looking communications convince the victim to hand over their credentials, with the target believing that they are interacting with a legitimate entity or person.

Brute force

A more traditional strategy, brute force attacks see cybercriminals use a simple method - trial and error - to obtain credentials. 

This looks like a bad actor trying combinations of usernames and passwords at scale, often using automated technology to speed up the process.

Once the cybercriminal finds a combination that works, they can successfully gain access to your company’s systems and data.

Credential stuffing

This cyber attack sees attackers leverage lists of already-compromised credentials to breach a system. The bad actors assume that users often utilize the same usernames and passwords across multiple SaaS solutions - and unfortunately, this is often the case.

For example, a cybercriminal could use a leaked list of Salesforce credentials to attempt to breach a company’s HubSpot. 

The bad actor assumes (often correctly) that there will likely be overlap between the login information on the two apps.

Password-stealing malware

Password stealers are a type of malware that logs a user’s credentials and transmits that information back to a cybercriminal, often with the victim completely unaware that anything is amiss.

This Trojan horse-style malware may be unintentionally installed by the victim, as when the code which records and sends the critical data is embedded in an application or solution that they chose to download.

Why are stolen credentials such a common method of data breach?

There are two main reasons why stolen credentials are frequently the source of data breaches.

Very simple

Brute forcing passwords or buying lists of stolen credentials is something that does not take much effort or ingenuity by a bad actor.

The attack methodology used for brute-forcing credentials is relatively straightforward, and does not require significant experience or skills on the part of the attacker. And when it comes to lists of nefariously obtained credentials available for sale on the dark web, all cybercriminals need to do is pay for the information.

Human fallibility

The truth is that people make mistakes, and social engineering attacks are designed to take advantage of our natural sense of trust - especially when we believe we are talking to a vendor or colleague.

Bad actors are growing more sophisticated with their methodology for attacks aimed at obtaining credentials, even using AI to craft especially persuasive emails and messages.

When people genuinely believe that they are interacting with a trusted vendor, solution, or colleague, they’re far more likely to let their guard down.

This is yet another reason why your SaaS data security strategy should account for the threat posed by users inside your business, who are acting in good faith but may be fooled by a particularly convincing phishing or social engineering attack.

How can you protect your organization from credential-based data breaches?

The good news is that there are steps you can take to protect your business from the threat of credential and identity-focused cyber attacks and resulting data breaches.

End-user education

Your people are one of your strongest assets when it comes to preventing a data breach in 2024. Providing training, along with real-life data breach examples and consequences, can help your teams recognize the common warning signs of phishing and social engineering attacks.

It’s critical that the education you provide your users emphasizes how quickly attacks can happen. With just a few clicks, a user can go from reading a phishing email to unintentionally revealing their critical credential information.

Your education strategy for employees should stress the importance of slowing down and taking a second to breathe before they enter their login data. 

They should know that emails aimed at creating a sense of urgency may be designed for to trigger their anxiety and shut off their rational thinking

Implementing a SaaS security solution that informs employees, in real-time, that they are performing a risky action is key to helping users understand that they’re potentially falling into a trap, before it’s too late.

Credential protection best practices


Implementing Multi-Factor Authentication (MFA) safeguards your organization by adding another layer of protection. Having an MFA in place, such as a verification code being sent to a user’s phone, should be required for your critical corporate SaaS systems. 

Even if a cybercriminal obtains a user’s credentials, an MFA prevents them from being able to access your internal systems and data.

Strong passwords

Requiring users to maintain strong passwords, which incorporate uppercase and lowercase letters, special characters, and numbers, helps reduce the risk that a bad actor can obtain their credentials in a brute force attack.

Password rotation

Requiring that users periodically change their passwords helps ensure that your organization remains one step ahead of the cybercriminals. 

For example, there could be a data leak in which usernames and passwords are put up for sale to the highest bidder online. But that information will soon become useless to bad actors if users change their passwords on a regular basis.

Identity security

You should continuously monitor actions related to user identities with identity threat detection and response (ITDR) tools. These automated solutions can help you take action in real-time, so you can stop a potential data breach before it happens.

An ITDR tool will notify you regarding suspicious user actions, such as:

  • Unusual logins, such as a strange number of attempts, or a login request made from an atypical location.
  • Unusual data asset access or interaction patterns, like a user attempting to access files or systems which they don’t normally view or are irrelevant for their role.

With a strong ITDR in place, you can take action upon receiving alerts regarding unusual login activity. You can even set up automated workflows to provide real-time mitigation, automatically securing your identities and data assets.

Why data breach protection matters now more than ever

With identity and credential-based attacks only growing in popularity, it’s crucial to have a plan in place to safeguard your company’s sensitive data and internal systems. 

Your SaaS security solution should specifically include remediation for credential-based data breach attempts, and you should roll out educational programs for your staff to inform them about the risks of phishing and social engineering attacks.

With a robust ITDR solution and strategy in place, you can safeguard your organization from the serious damage caused by a credential-based data breach.

Get updates to your inbox

Our latest tips, insights, and news