Verizon DBIR: Threat Actors Continue to Leverage Compromised Credentials to Steal Corporate Data
How are threat actors gaining access to your organization’s systems? Probably by using your credentials.
Nearly 38 percent of analyzed breaches in Verizon’s annual Data Breach Investigations Report (DBIR) 2024, released this week, used compromised credentials—more than double the breaches that used phishing and exploitation.
Verizon researchers reviewed 30,458 incidents and 10,626 breaches from between 1 November 2022 and 31 October 2023 for this latest report—the most assessed in a single DBIR, now in its 17th year. As a note, the DBIR defines incidents and breaches thus:
- Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset.
- Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
The data in the DBIR was collected from 94 countries and includes a robust data set from Europe due to new cybersecurity incident disclosure requirements, said Dave Hylender, associate director, threat intelligence, and Verizon DBIR author, in a presentation on Wednesday.
When breaking the data down by geographic region, North America led the way with 16,619 incidents, followed by EMEA with 8,302 incidents, and APAC with 2,130 incidents. The public administration sector led the way with the highest number of incidents assessed in the 2024 DBIR, due in part to the new mandatory reporting measures.
- Public Administration: 12,217 incidents; 1,085 with confirmed data disclosure
- Financial and Insurance: 3,348 incidents; 1,115 with confirmed data disclosure
- Professional, Scientific, and Technical Services: 2,599 incidents; 1,314 with confirmed data disclosure
- Manufacturing: 2,305 incidents; 849 with confirmed data disclosure
- Educational Services: 1,780 incidents; 1,537 with confirmed data disclosure
- Healthcare: 1,378 incidents; 2,220 with confirmed data disclosure
- Information: 1,367 incidents; 602 with confirmed data disclosure
- Retail: 725 incidents; 369 with confirmed data disclosure
- Accommodation and Food Services: 220 incidents; 106 with confirmed data disclosure
Credential abuse and phishing continue to be strong tactics for breaching an organization. During the past 10 years, the use of stolen credentials has been present in about one-third of all breaches, Hylender said.
“That’s a large chunk of breaches,” Hylender added. “We’ve been beating the drum of properly protecting credentials for years, and this finding really underlines the importance of doing that. Literally, credentials are the keys to the kingdom and as such, criminals are quite fond of obtaining them any way they can.”
For instance, DBIR researchers looked at marketplaces selling credentials and cookies gathered from password stealers. In just two days, more than 1,000 credentials per day were posted for an average price of $10.
“After examining these postings, we found that 65 percent of these credentials were posted for sale less than one day from when they were collected,” the DBIR explained. “They are often purchased by attackers who leverage them as a beachhead for other attacks, against either individuals or their employers.”
How are malicious actors getting access to your credentials? Probably through phishing (14 percent of breaches involving credentials). In a simulation Verizon ran with a partner, it took threat actors “less than 60 seconds to be successful” after sending a phishing message to a target—a stat that Hylender said is “somewhat abysmal.”
One bright spot, however, is that more people are reporting phishing attempts. Roughly 20 percent of users in the simulations identified and then reported phishing emails to their organization, as well as 11 percent of users who clicked on the phishing email also reporting it.
Hylender said this highlights the importance of having an easy way for employees to report suspicious messages and instances where they may have mistakenly engaged with phishing content.
How else are intruders gaining access to corporate data? A record number of breaches involved exploitation of vulnerabilities—more than 15 percent, and a growth of 180 percent compared to the 2023 DBIR. Hylender credited this to the MOVEit vulnerability and other zero-day exploits.
This is an area to watch moving forward because it takes organizations approximately 55 days on average to remediate 50 percent of critical vulnerabilities once a patch is available. Additionally, the median time for an organization to detect a vulnerability published in the U.S. Cybersecurity Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog is five days.
“We’re not sure a patch harder or more aggressively approach is the answer to this issue,” said Hylender, adding that instead maybe the answer is to look at how to have less vulnerabilities in our systems to begin with.
Another trend to note is that of the breaches analyzed in the DBIR, roughly one-third involved ransomware or an extortion technique. Pure extortion attacks—where a threat actor steals corporate data, makes copies of it, and threatens to release it to the public without first encrypting it—now represent 9 percent of all breaches.
“The shift of traditional ransomware actors toward these newer techniques resulted in a bit of a decline in ransomware to 23 percent,” the DBIR explained. “However, when combined, given that they share threat actors, they represent a strong growth to 32 percent of breaches. Ransomware was a top threat across 92 percent of industries.”
A new introduction into the DBIR data set was assessing breaches that involve a third-party, such as partner infrastructure or a software supply chain issue. Fifteen percent of breaches in the 2024 DBIR fell into this category, a 68 percent increase from 2023, which researchers attributed to the use of zero-day exploits, ransomware, and extortion attacks.
“We do need to make wise decisions on who we do business with based on their overall security stance,” Hylender said.
External actors still account for being involved in the most breaches—65 percent—but internal actors were the catalyst for 35 percent of breaches in the 2024 report, an increase from 2023’s 20 percent. This comes with a caveat, however: “73 percent of those internal actor breaches were in the miscellaneous errors pattern, and we shouldn’t really be holding their feet to the fire,” the DBIR explained.
Threat actors continue to be financially motivated when looking to target organizations. But there was a slight increase in those with espionage motivations, 7 percent in 2024 compared to 5 percent in 2023. Espionage was also more prevalent in incidents in the APAC region—25 percent of breaches involved an espionage motive.
Secrets accounted for less than 10 percent of the data compromised in breaches reviewed for the 2024 DBIR, while personal data held the top spot (nearly 60 percent).
“This continuous prevalence of personal data in the top spot is in a way a self-fulfilling curse because the breaches that get more frequently disclosed will be the ones involving customer data where regulation requires the affected victims to be notified,” the DBIR explained. “Furthermore, customer data is so prevalent and hoarded without need or proper care that it will often be collateral damage in any sort of attack that might not even be specifically targeting it.”
Organized crime amounted for the highest percentage of threat actors targeting corporate data (more than 60 percent), followed by end users (more than 20 percent), and state-sponsored actors (less than 10 percent).
“State-sponsored actors are unusually resourceful and capable of adapting their tactics,” the DBIR explained. “Luckily for the average organization, they are less likely to target run-of-the-mill enterprises as often as your everyday, garden-variety criminal.”
The DBIR researchers did look to see if there were indications of threat actors using generative artificial intelligence (GenAI) to breach organizations. They found interest on criminal forums in attack methods leveraging this, but most mentions “involved selling of accounts to commercial GenAI offerings or tools for AI generation of non-consensual pornography,” according to the DBIR.
Threat actors could be “experimenting” to create GenAI solutions, but the researchers assessed that it does not appear “like a breakthrough is imminent or that any attack-side optimization this might bring would even register on the incident response side of things” outside of deepfake technology.
Attackers are always going to go with the method that is easiest to accomplish while providing the highest return on investment, Hylender says.
“They’re like everyone else in that way: ‘What can I do the least amount of work with the biggest pay out for?’”
For more analysis on the DBIR, check out our coverage of the 2023 report, “Verizon DBIR: Threat Actors Leveraged the Human Element to Steal Corporate Data in 2022,” and the 2022 report, “Verizon 2022 DBIR Reveals Rise in Ransomware Attacks and Organized Crime Activity.”
