2017 DBIR: Misuse of Stolen Credentials Unchecked, Out of Control

May 13, 2017
Stephen Cox


Verizon’s Data Breach Investigations Report (DBIR) has once again hit the streets with much fanfare. The 2017 report is Verizon’s tenth DBIR and details findings from over 42,000 security incidents analyzed by the company in 2016. As expected, the report is packed with information absolutely critical to the success of the information security industry.

A major data point stands out in the 2017 DBIR report: the percentage of hacking-related breaches involving the misuse of stolen or weak credentials has reached 81%, effectively putting it front and center in terms of tactics being leveraged by attackers. That is four out of five breaches. No other attacker technique detailed by Verizon comes close to this number. To add some perspective: last year Verizon reported that 63% of breaches involved credential misuse. These numbers only serve to solidify what experts in identity security know to be true – credential misuse is an epidemic and is rapidly getting worse. The technique is particularly damaging to the finance and healthcare industries.

As in the 2016 DBIR report, the 2017 DBIR report makes a point of recommending two-factor authentication as a mitigation that organizations can implement to limit the impact and effectiveness of attackers. Verizon’s recommendations are spot on, and organizations should take this advice even further. We know that vanilla forms of two-factor authentication are being circumvented, as detailed in the recent hacks exploiting weaknesses in the SS7 network. Verizon also details breaches that involved the use of key-loggers to capture both the base credentials and the second-factor one-time password, and then replaying those credentials to gain access. The National Institute of Standards and Technology (NIST) has gone so far as to recommend the deprecation of SMS as an out-of-band form of authentication.
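One concrete defence against the replay scenario described above is to make each one-time password single-use on the verifier side. The following is an added example (not code from the post or from SecureAuth): a minimal RFC 6238 TOTP verifier that refuses any time step at or before the last one already validated for that user, so a captured code cannot be replayed after the legitimate login. The secret is the RFC 4226 test vector key, and the user names and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # RFC 6238 default time step in seconds
DRIFT = 1        # accept one step of clock skew either side
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // TIME_STEP)


class OtpVerifier:
    """Accepts each time step at most once per user, so a captured code cannot be replayed."""

    def __init__(self):
        self._last_step = {}   # user -> highest time step already consumed

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        step = now // TIME_STEP
        for candidate in range(step - DRIFT, step + DRIFT + 1):
            # constant-time comparison avoids leaking which digits matched
            if hmac.compare_digest(hotp(secret, candidate), code):
                # RFC 6238: never accept a step at or before the last validated one
                if candidate <= self._last_step.get(user, -1):
                    return False   # replay of an already-used (or older) code
                self._last_step[user] = candidate
                return True
        return False


# Constructed demo key: the RFC 4226/6238 test secret, not a real credential
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = OtpVerifier()
    code = totp(DEMO_SECRET, 59)
    print(v.verify("alice", DEMO_SECRET, code, 59))   # True: first use
    print(v.verify("alice", DEMO_SECRET, code, 70))   # False: same step replayed
```

This only closes the window after the legitimate user has logged in; a code captured and submitted before the victim's own attempt would still be accepted, which is why the post argues for going beyond OTP-based second factors.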

It’s also important to note that Verizon’s prescient commentary on reducing the effectiveness of stolen credentials can also be taken further – we can completely nullify the impact of stolen credentials by eliminating the use of passwords altogether, i.e. going “passwordless.” Passwordless authentication involves the use of a device (something you have) and a biometric (something you are), along with the analysis of multiple risk factors around the transaction.

Verizon also recommends, when discussing attackers undertaking cyber-espionage, that organizations focus on reducing the impact of these attackers once they are in. This means limiting privilege escalation and lateral movement. Verizon makes a direct claim here that username and password are not enough and that multi-factor authentication should be applied. This also brings to the forefront the idea of identity-based threat detection. Identity is a plane of security that spans network and endpoint, and should be a first-class citizen. It is the third pillar of security.

A final note of interest in the report comes during the discussion of Distributed Denial of Service (DDoS) attacks, which have seen a resurgence in recent years. Again, this issue touches on the tactic of credential misuse. Evidence presented by multiple sources in the past year shows that many of the botnets used in massive-scale DDoS attacks are comprised of Internet-of-Things (IoT) devices that have been compromised. This is often because they have weak default credentials. One could make an argument that eliminating the password and implementing stronger authentication schemes for IoT devices is vital to the survival of the Internet.

If you can take one thing away from this report, it’s that identity security is key to today’s security lifecycle. Organizations must move towards the deployment of adaptive authentication techniques and adopt identity-based threat detection into their security operations. The risk analysis provided by adaptive authentication can prevent the misuse of stolen credentials with little burden to the end user. I hope that the fantastic research provided by Verizon will further convince organizations to re-evaluate their security posture before they become the next breach.
