You know that sinking feeling when you realize you’ve reused a password from a long-forgotten forum on your work email account? Multiply that moment by thousands of employees, automated attack scripts, and a ticking clock, and you start to see why today’s most devastating breaches rarely involve some exotic zero-day. They begin with a single, cracked password.
In fact, stolen credentials were the #1 action type in confirmed breaches in 2024, appearing as the initial action in 24% of cases and showing up in nearly a third (31%) of all breaches over the past decade (Verizon’s DBIR). Credential theft is so dominant that it accounted for 38% of all data breach initial access vectors — outpacing phishing (15%) and vulnerability exploitation (14%) combined.
The financial toll is staggering: the global average cost of a data breach hit $4.88 million in 2024, while credential stuffing attacks alone averaged $4.81 million per incident. That’s a lot of damage from a string of characters someone typed five years ago and promptly forgot.
Let’s walk through exactly how that domino effect plays out — from the first cracked password all the way to a fully exfiltrated database — so you can see where the chain is weakest and what it actually takes to break it.
Stage 1: The Initial Crack — Credential Stuffing and Phishing
Attackers don’t sit around guessing passwords one at a time anymore. They start with massive dumps of already compromised credentials. In 2024 alone, passwords were posted for sale on criminal forums and darknet markets — and only 3% of those met even basic complexity requirements, per Descope’s look at the Verizon 2025 DBIR. That’s billions of low-hanging fruit, ready for automated exploitation.
Once they have those lists, attackers unleash credential stuffing bots that test combos across services at scale. New data from Cloudflare shows that 41% of successful human authentication attempts on their protected sites involve leaked passwords, and when you add bot traffic, a staggering 41% of all detected login requests contain compromised credentials.
It gets worse: 95% of those leaked-password login attempts are bot-driven. Phishing delivers credentials even more directly. SpyCloud highlights that users click malicious links within a median of 21 seconds of opening a phishing email and type in their credentials just 28 seconds later — less than a minute from inbox to compromise.
And nearly 30% of reported phishing emails now contain credential harvesters, laying the foundation for larger business email compromise schemes. It’s no wonder human error factored into 28% of the record 10,626 confirmed breaches in the 2024 DBIR.
The Snowflake breach from 2024 shows how this works in the real world. Threat actor UNC5537 used infostealer-derived credentials — some stolen as far back as November 2020 — to compromise more than 165 organizations (BlackFog).
Every impacted account lacked multi-factor authentication. Mandiant’s investigation, published by Google Cloud, confirmed that at least 79.7% of those accounts had prior credential exposure. One reused password that sat in an infostealer log for years — still valid, still lethal.
And weak passwords? A JumpCloud analysis notes that 70% can be cracked in less than one second. Upgrading to a 12‑character strong password, on the other hand, makes it 62 trillion times harder to crack.
That’s the difference between a lockpick and a bank vault door, and yet most people still use the digital equivalent of “123456.”
Stage 2: Credential Harvesting and Reuse — The Compounding Problem
Once attackers get inside, they don’t stop at that first account. They immediately start collecting more credentials — from memory dumps, browser caches, and network shares — to build a library of valid logins. That’s disturbingly easy because password reuse isn’t just rampant; it’s the norm.
The same JumpCloud research found that about half of all employees reuse the same passwords for work and personal accounts, and up to 30% of data breaches are caused by individual users sharing passwords.
So when Brenda from accounting uses her Netflix password to log into the CRM, an attacker who cracks her personal streaming credentials now has the keys to the corporate kingdom.
The scale of the problem is hard to overstate. SpyCloud’s recaptured breach database reveals that 70% of passwords found were already reused — compromised in two or more breaches — and over 1,000 credentials were posted to criminal markets daily in samples analyzed by the 2024 Verizon DBIR.
Meanwhile, Descope’s breakdown of the 2025 DBIR shows that 88% of attacks against basic web applications now involve stolen credentials, and brute‑force attacks against those apps nearly tripled year‑over‑year. When testing enterprise environments, the Picus Blue Report 2025 found that valid credentials succeeded 98% of the time in attack simulations. Attackers aren’t breaking in; they’re just logging in.
This compounding effect means that once an initial foothold is seized, the attacker rapidly gains multiple paths to pivot, escalate, and blend in with legitimate traffic. You don’t have one compromised account; you have a web of them, and unraveling that web takes defenders far longer than it takes to weave.
Stage 3: Lateral Movement — The 27‑Minute Sprint
With a stash of valid credentials, attackers don’t waste time. The ReliaQuest report reveals that lateral movement can occur in as little as 27 minutes, with an average of 48 minutes from initial access to hopping across the network. Compare that to the defender’s timeline: Elisity notes that detection of lateral movement averages 95 days. Attackers sprint while security teams jog, often through the wrong streets.
Brute force attacks against basic web apps nearly tripled year-over-year (from ~20% to ~60%). That means nearly half of tested organizations had an internal account whose password could be broken with basic cracking tools. Once an attacker moves laterally to a machine with higher privileges, they’re a few hashes away from total control.
Consider the Snowflake incident again: an unauthorized session ran for 40 days undetected. And the volume of attacks defenders face is relentless. Microsoft blocked more than 600 million identity attacks on its customers daily in its 2024 fiscal year, averaging over 7,000 password attacks per second.
Waiting 95 days to spot lateral movement in that kind of noise is a recipe for disaster.
Stage 4: Privilege Escalation and Persistence
Lateral movement is rarely the endgame — it’s the path to the crown jewels. Attackers target high‑privilege accounts to install backdoors, disable logging, and establish persistence that survives reboots and remediation efforts. The ReliaQuest report points out that brute‑force attacks against web applications nearly tripled year‑over‑year, and exposed admin panels and remote access services are getting hammered.
Once administrative access is achieved, the attacker can manipulate the environment at will: creating new accounts, modifying security policies, and siphoning credentials on an industrial scale. The fallout is brutal in terms of response time.
According to Zscaler’s analysis of the IBM Cost of a Data Breach report, credential‑based attacks take the longest of any breach type to identify and contain — a median of 292 days.
That’s nearly 10 months where an attacker can operate with near‑impunity, all because a single password gave them the initial ticket.
Stage 5: Data Exfiltration — The Silent Exit
Here’s the chilling part: we’re getting worse at catching the final stage. The Picus Blue Report found that only 3% of data exfiltration attempts were blocked in 2025, down from 9% the year before — a three‑fold decline.
Attackers have learned to blend stolen data into legitimate traffic, making egress look like routine cloud syncing or backup transfers, and they’re slipping away unnoticed.
The Snowflake campaign demonstrated what that looks like at scale: the Mandiant report from Google Cloud confirmed the exposure of 560 million Ticketmaster records, 109 million AT&T customers, and 30 million Santander Bank files. One credential — likely reused, maybe scraped by infostealer malware — opened a path that ended with entire customer bases laid bare.
This isn’t just a large‑enterprise problem, either. Small and mid‑size businesses are increasingly targeted. All Tech Magazine reported that 94% of SMBs have experienced at least one cyberattack, up from 64% in 2019, and 78% fear an attack could shut them down entirely.
For these organizations, the exfiltration stage can mean game over — no recovery fund, no incident response team, just a blinking cursor on a ransomed server.
The Human Element: Why We Keep Handing Over the Keys
If one password can cause all this, why don’t we just use better ones? Because human behavior, systemically, resists friction. The Cloudflare data reminds us that even when people are trying to log in legitimately, 41% of successful human authentication attempts involve leaked passwords.
Password complexity is equally dismal: only 3% of the billions of credentials sold on criminal markets met basic requirements. The median user falls for a phishing lure in less than 60 seconds — specifically, users click a malicious link within a median of 21 seconds of opening a phishing email.
Up to 30% of data breaches at organizations are caused by individual users sharing passwords, reusing passwords, or falling for phishing scams. Human error contributes to 28% of all breaches.
We can’t just label this a “stupid user” problem and call it a day. People are overloaded with login screens. They can’t remember 200 unique, complex passwords, so they cheat. The system fails them when we expect superhuman memory and vigilance without providing tools that make secure behavior the easy default.
The attack chain doesn’t start with malicious intent; it starts with a reasonable human trying to get through their workday without a dozen password resets.
Breaking the Chain: Prioritising Controls That Actually Work
If we stop treating passwords as a personal discipline problem and start treating them as a hygiene and infrastructure challenge, the attack chain starts to crack. Start by enforcing strong, unique credentials: at least 12 characters, random, and never reused. A 12‑character password is 62 trillion times harder to crack — a stat worth tattooing on every IT admin’s forearm.
This is where tools that remove the human burden are essential. A password generator like the one built into Proton Pass creates long, unpredictable passwords and passphrases instantly and stores them inside an end‑to‑end encrypted vault.
You need to remember only one master password, and you can generate unique, complex credentials for every account without breaking a mental sweat. That’s the kind of security‑by‑design approach that makes password reuse a choice people don’t have to make.
Of course, even the best password can’t stand alone. The affected Snowflake accounts had no MFA requirement, turning a credential leak into a catastrophe. Mandate phishing‑resistant multi‑factor authentication everywhere, deploy dark‑web monitoring to catch exposed employee credentials early, and layer in identity‑focused detection that spots anomalous lateral movement before it becomes a 95‑day chase.
Caveats and Counterpoints
No single layer makes you bulletproof. MFA can be bypassed with SIM‑swapping, push fatigue, or adversary‑in‑the‑middle attacks. Password managers introduce a single point of failure if someone gets your master password.
Passkeys and passwordless authentication are gaining traction but aren’t everywhere yet, and infostealer malware still harvests credentials and session tokens regardless of password strength. Industry breach statistics often over‑represent large organizations, so smaller incidents fly under the radar.
And the attack chain is rarely a neat linear flow — initial access might skip credential stuffing entirely via an unpatched VPN or RDP service. Security is a web, not a checklist.
From One Weak Link to a Chain of Defences
The entire credential attack chain — from an automated stuff of a cracked password to lateral movement, privilege escalation, and silent exfiltration — often begins with a single moment of human fallibility that the system failed to absorb. Attackers move in minutes; defenders still measure response in months.
That asymmetry isn’t going away, but it can be tilted back in our favor. By treating credential hygiene as a fundamental infrastructure layer — with tools like Proton Pass’s password generator that eliminate reuse, MFA that blocks automated access, and monitoring that catches exposed credentials early — security leaders can starve attackers at each link of the chain.
One weak password can burn down the enterprise; a chain of consistent, human‑friendly controls can keep the fire out.
Note: The content on this article is for informational purposes only and does not constitute professional advice. We are not responsible for any actions taken based on the information provided here.


