For executives and board members, a company's credentials are not only an IT issue; credential security is also a governance and risk management priority. If your credentials are "locked" (secure and not publicly visible), your company can conduct business with confidence. If your credentials become "leaked", the landscape for your business changes quickly.
This article will highlight actual incidents that occurred in 2025 and early 2026 to demonstrate the differences between locked and leaked credentials and will provide you with easy-to-understand steps you can take to improve your odds of having locked credentials.
Locked credentials mean that your usernames and passwords, API keys, and tokens are not publicly available or known to any unauthorized third party, and that you control them. In this way, your company is protected from unauthorized access to its daily operations through a "silent" (hard-to-detect) entry point. Locked credentials rest on three practices:
1. Employees use unique and strong credentials; there is no duplication of credentials across different services.
2. Employees are granted only those rights that they require to perform their job (least privilege). No one has more access rights than they need to have.
3. The monitoring or logging of log-in events will allow for early detection of unusual log-in attempts.
Real-world stability comes from an organization being able to maintain a "locked" credential status. Organizations that maintain a high level of credential hygiene are rarely in the news for a breach involving credentials. They also typically keep their risk exposure low, pay lower insurance premiums because of better internal controls, and their board members sleep better knowing that the organization does not have an "open front door."
Some industries, such as financial services and healthcare, have regulatory requirements for organizations to maintain high levels of credential hygiene; locked credentials allow these organizations to meet those requirements and to minimize the likelihood of fines or of losing the trust of their stakeholders.
The Credentials Leak Moment
A leak means that credentials have been exposed to people or organizations that had no reason to have them. This can happen through a third-party breach, a device infected with malware (e.g., an infostealer log), a misconfigured application (e.g., cloud storage), or an employee accidentally sharing credentials with someone who should not have them.
Once exposed, credentials are sold or traded almost immediately in criminal forums or dark web marketplaces, usually within hours or days.
When a credential leak occurs, the shift is brutal and immediate:
1. Attackers begin testing the leaked credentials against your systems and against any other accounts that share them (credential stuffing).
2. Attackers begin to move laterally, escalate their privileges, or exfiltrate data quickly.
3. Detection and response lag far behind: most breaches that result from stolen credentials go undetected for months.
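The login monitoring described earlier is what makes the credential stuffing in point 1 visible early rather than months later. The following Python is an added example, not code from the article: it scans a constructed set of authentication events and flags a source address that tries many distinct accounts within a short window (the typical signature of someone testing a leaked list), reporting which accounts it succeeded against. The event layout, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs):
# (timestamp, source IP, username, result). One source cycles through
# many different accounts with failures and finally gets one success.
SAMPLE_EVENTS = [
    ("2026-01-10T08:00:01", "203.0.113.7", "alice", "FAIL"),
    ("2026-01-10T08:00:03", "203.0.113.7", "bob", "FAIL"),
    ("2026-01-10T08:00:05", "203.0.113.7", "carol", "FAIL"),
    ("2026-01-10T08:00:06", "203.0.113.7", "dave", "FAIL"),
    ("2026-01-10T08:00:08", "203.0.113.7", "erin", "FAIL"),
    ("2026-01-10T08:00:09", "203.0.113.7", "frank", "SUCCESS"),
    # A normal user mistyping once and then logging in: no alert expected.
    ("2026-01-10T08:05:00", "198.51.100.4", "alice", "FAIL"),
    ("2026-01-10T08:05:30", "198.51.100.4", "alice", "SUCCESS"),
]


def parse_event(event):
    """Convert one raw event tuple into (datetime, ip, user, result)."""
    ts, ip, user, result = event
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return one alert per source IP that attempted at least `min_accounts`
    distinct usernames inside a sliding `window`, listing any accounts that
    succeeded from that IP (those need immediate password resets)."""
    by_ip = defaultdict(list)
    for event in events:
        ts, ip, user, result = parse_event(event)
        by_ip[ip].append((ts, user, result))

    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort()  # oldest first
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_accounts:
                compromised = sorted(u for _, u, r in in_window if r == "SUCCESS")
                alerts.append({"ip": ip,
                               "distinct_accounts": len(users),
                               "successful_logins": compromised})
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_EVENTS):
        print(alert)
```

Real deployments would read the same fields from the identity provider's sign-in log and tune the threshold to normal traffic, but the pattern (many accounts, one source, short window) is the one to alert on.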
In the middle of 2025, researchers revealed that they had obtained a set called "Mega Leak" (a compilation of about 16 billion credentials from about thirty different data sets) that consisted mainly of logins from infostealer malware logs and credentials from previous breaches. This was not a fresh hack but an aggregation of previously compromised data, which made credential stuffing on a massive scale easier.
Attackers used this compilation to gain access to the accounts of people who reused passwords across multiple online services, so that one exposed password led to other accounts being compromised as well.
In early 2026, another unsecured database was exposed that contained 149 million usernames and passwords, including 48 million Gmail accounts, 17 million Facebook accounts, and many others from different types of financial and social service sites. Security researcher Jeremiah Fowler discovered it was still being updated with information, which indicated continuing activity from infostealing programs. The data was organized in a way that made it easy to index, and thus available for use in continuing credential stuffing attacks.
According to Verizon's 2025 report, compromised credentials accounted for 22% of breaches as the initial access vector, and infostealers stole a staggering 1.8 billion credentials from hundreds of thousands of devices that year, a considerable increase.
For example, hackers used leaked OAuth tokens from SaaS integrations to pivot across environments and steal additional secrets. Everything was routine business before these attacks; afterwards, organizations had to revoke OAuth tokens, conduct forensic investigations, notify customers, and possibly face regulatory action.
Business and governance are both affected when logins become an attacker's entry point. The costs include:
1. Financial cost: the average total cost of a credential-related breach, counting lost revenue and the cost of remediation, runs into the millions.
2. Loss of trust: when a customer's or partner's login becomes an entry point for an attacker, they lose trust in you.
3. Regulatory exposure: many laws require you to report or disclose a breach (GDPR, CCPA, SEC rules, etc.), and regulators scrutinize those breaches.
4. Lost operational efficiency: after a breach, teams are doing reactive forensics, resetting passwords, or running escalated monitoring instead of focusing on business growth.
Companies that treat their credentials as crown jewels (locked) avoid the firefighting. Companies that do not learn the hard way, often more than once, because an aggregated leak lets attackers reuse the same credential again and again.
How to Stay Locked
You don't need to be a high-level cryptanalyst to be successful. The key is to create an overall foundational governance strategy that is practical and useful over time:
1. Encourage all employees across the organization to use a password manager so no employee reuses any credential.
2. Enforce the use of multi-factor authentication (MFA) in all situations. Where possible, choose phishing-resistant MFA (e.g., hardware tokens or passkeys).
3. Run periodic checks with breach databases (the free tool Have I Been Pwned allows you to add your corporate domains and you can sign up to be notified if that domain is identified in a breach).
4. Continuously monitor for exposed credentials on the dark web and in stealer logs. Many security vendors offer this as part of their threat intelligence offerings.
5. Review all third-party integrations from a security perspective and require all third parties to use short-lived tokens or use workload identity federation rather than long-lived secrets.
6. Have a rapid response playbook: if an exposure occurs, know who can revoke access and when to notify regulatory authorities or customers.
Start with low-hanging fruit, secure one or more high-risk areas (executive accounts and administrative accounts for Software as a Service (SaaS) applications) to the fullest extent possible. Track your progress by applying metrics (MFA adoption rate, alert count for credential exposure) on a quarterly basis.
If you work diligently to close the gap between being exposed and being secure, you will keep control. The only way to keep control is to keep your credentials private.