Verizon's Data Breach Investigations Report is the closest thing the security industry has to a canonical scoreboard. The 2024 edition analyzed 30,458 real-world security incidents and 10,626 confirmed breaches across 94 countries, drawn from 94 contributing organizations. Three numbers from that dataset are worth committing to memory.
The three doors attackers walk through
The 2024 report frames intrusions as three top initial-access pathways: phishing, vulnerability exploitation, and stolen credentials. Vulnerability exploitation as an initial vector almost tripled year over year — driven primarily by the MOVEit campaign and the broader trend of zero-day exploitation of edge devices. But credentials remain the consistent through-line across a full decade of DBIR data.
Why credentials are so durable for attackers
Stolen credentials work because they look legitimate to every detection control you have. Endpoint detection sees a normal login. If the attacker routes through a residential proxy, the SIEM sees a connection from the user's usual VPN range. MFA is bypassed with session tokens stolen by infostealers, whose logs sell on Telegram and dark-web markets for as little as $10. The shortest path between a leaked secret and an enterprise breach is rarely longer than a week.
The ransomware connection
Ransomware and extortion accounted for roughly 32% of all breaches in the 2024 DBIR. The supply chain for those attacks frequently starts with credentials harvested from infostealer logs or leaked from a public repository — sold to an initial access broker, then resold to an affiliate of a ransomware group. The leak that ends up in your incident report this quarter probably happened months ago, on a system you do not even own.
What this changes about defense
- Treat every credential — human or machine — as a leakable asset, not a stable identity.
- Shrink credential lifetimes. Long-lived API keys are the easiest way to convert a five-year-old leak into a present-day breach.
- Hunt for your credentials outside your perimeter: in public GitHub, in paste sites, in dark-web combo lists, in infostealer dumps.
- Measure time-to-revoke, not just time-to-detect. Detection without revocation does nothing to the attacker.
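As an added example that is not part of the original post, a minimal scanner for the kind of external hunting the list above calls for: it flags well-known prefixed key formats outright and gates generic `key = value` assignments on Shannon entropy so that placeholder passwords do not drown real leaks. The constructed sample diff, the AWS and GitHub token shapes, and the 3.5 bits/char threshold are assumptions chosen for illustration, not values from the report.

```python
import math
import re
from dataclasses import dataclass

# Formats with a fixed prefix are high-confidence on their own (assumed shapes).
PREFIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}
# Generic assignments produce many false positives, so they are gated on entropy.
GENERIC_ASSIGN = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{8,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune against your own data


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line_no: int


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values mean words, not random keys."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never log the full secret; keep enough to correlate with the owner."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text: str) -> list[Finding]:
    """Return one Finding per probable credential, with its 1-based line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PREFIXED_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(kind, m.group(1), line_no))
        for m in GENERIC_ASSIGN.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding("generic_high_entropy", value, line_no))
    return findings


# Constructed sample diff: one documented-example AWS key, one throwaway
# password that entropy gating should reject, one random-looking API key.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+db_password = "password123"
+api_key = "q7Rz2mK9pLx4Wv8nT3bY6hJ1"
"""
```

Run `for f in scan(SAMPLE_DIFF): print(f.line_no, f.kind, redact(f.value))` to see the two hits; the low-entropy `password123` on line 2 is deliberately dropped.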
The DBIR's value is that it strips away vendor narratives and shows you what actually breaks enterprises in the field. The 2024 edition's verdict on credentials is unambiguous: this is the pathway. Building external exposure detection into your security program is no longer optional — it is the control that closes the most common door.
“Roughly one-third of all breaches over the past 10 years have involved the use of stolen credentials.”