Most enterprise security architectures rest on a foundational assumption: the person presenting a valid credential is who they claim to be. When that assumption fails, the consequences can be severe. Some of the most disruptive breaches in recent years began with nothing more than a compromised credential.
In 2023, attackers gathered publicly available information about an employee of MGM Resorts International from LinkedIn. They called the help desk and convinced an agent to reset the employee’s credentials. From that foothold, the attackers escalated privileges through Okta and Microsoft Entra ID, encrypted critical hospitality systems, and claimed to have exfiltrated six terabytes of data. The breach ultimately cost MGM $100 million in direct damages and an additional $45 million in a class-action settlement payout.
In 2021, attackers obtained a password for a VPN account belonging to Colonial Pipeline from a Dark Web dump. The account did not have multi-factor authentication (MFA). Attackers used it to access internal systems and forced a shutdown that disrupted fuel deliveries across the U.S. East Coast.
In neither case did attackers exploit a zero-day vulnerability. They used valid credentials.
The ecosystem supporting credential theft is mature. Infostealer malware, which extracts saved passwords and session cookies from infected devices, is widely sold in criminal marketplaces. A 2025 analysis by SpyCloud found that each infostealer infection exposes an average of 44 credentials and 1,861 session cookies. Attackers used those cookies to access between 10 and 25 business applications per infection. This allowed them to bypass MFA by hijacking active sessions.
Organizations that continue to focus primarily on perimeter controls and point-in-time identity verification are defending against an outdated threat model. Credential compromise is now the dominant initial access vector in enterprise cybersecurity.
How credential compromise spreads across channels
Traditional defenses often fail because attackers do not limit themselves to a single channel. They target whichever path has the weakest verification.
On the Web, credential stuffing tools allow attackers to test stolen credentials at scale. In the 2023 breach of 23andMe, attackers used recycled credentials from prior breaches to access user accounts. Because many users reuse passwords, attackers were able to access one account and then use the DNA Relatives feature to retrieve genetic information from thousands of connected profiles. The attack persisted for months without detection.
Help desks and call centers are also frequent targets. The MGM breach demonstrated how social engineering can bypass strong technical controls. Help desk agents often rely on knowledge-based verification such as date of birth or partial Social Security numbers. This information is widely available through public records or prior breaches.
Identity providers themselves can become attack victims. In 2023, attackers compromised a support account associated with Okta and accessed customer support data. Even when most customers have strong authentication enabled, attackers will target accounts with weaker protections. In interconnected identity ecosystems, a single compromised account can expose downstream organizations.
The role of identity threat detection and risk mitigation
These failures highlight the need to move beyond point-in-time identity verification toward continuous identity threat detection and risk mitigation. Instead of assuming trust after authentication, organizations must continuously assess risk throughout the session lifecycle.
Identity threat detection and risk mitigation maintains a dynamic risk profile by correlating signals across devices, networks, telecom infrastructure, and user behavior. This enables organizations to detect compromised identities even when attackers use valid credentials.
Gather signals, then correlate them
No single risk signal provides sufficient certainty on its own. The value comes from correlating multiple signals in real time.
Effective identity threat detection incorporates:
- Device signals such as browser fingerprints, device identifiers, and device reputation
- Network signals such as IP reputation, impossible travel detection, and VPN or proxy usage
- Telecom signals such as SIM swap status and phone number tenure
- Behavioral signals such as unusual login timing, abnormal transaction velocity, or atypical access patterns
When analyzed together, these risk signals provide a comprehensive view of identity risk.
Enforce proportionally based on risk
Security teams must balance protection with usability. Challenging every login creates unnecessary friction and increases support costs.
A risk-based approach allows proportional enforcement:
- Known devices in expected locations proceed without interruption
- Moderate anomalies trigger step-up verification
- High-risk scenarios, such as access from anonymized networks or recently compromised devices, result in access denial or out-of-band verification
This approach minimizes friction for legitimate users while increasing barriers for attackers.
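The signal correlation described under "Gather signals, then correlate them" and the proportional enforcement tiers above, as an added Python example that is not ID Dataweb's code or any part of its platform; the signal schema, weights and thresholds are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"       # known device, expected location: no interruption
    STEP_UP = "step_up"   # moderate anomaly: step-up verification
    DENY = "deny"         # high risk: deny or move to out-of-band verification

@dataclass
class LoginSignals:  # hypothetical schema, constructed for this example
    device_known: bool          # device fingerprint seen before for this account
    device_compromised: bool    # device reputation flags a recent infostealer infection
    ip_risk: float              # IP reputation, 0.0 (clean) .. 1.0 (known-bad)
    anonymized_network: bool    # VPN, proxy or Tor exit
    km_from_last_login: float   # distance from the previous successful login
    hours_since_last_login: float
    sim_swapped_recently: bool  # telecom: SIM swap inside the lookback window
    phone_tenure_days: int      # telecom: how long the number has belonged to this subscriber
    unusual_login_hour: bool    # behavioral: outside the user's normal login window
    txn_velocity_ratio: float   # behavioral: transactions per hour vs. the user's baseline

def impossible_travel(s: LoginSignals, max_kmh: float = 1000.0) -> bool:  # network signal
    if s.hours_since_last_login <= 0:            # guard against division by zero
        return s.km_from_last_login > 0
    return s.km_from_last_login / s.hours_since_last_login > max_kmh

def risk_score(s: LoginSignals) -> int:
    """Correlate device, network, telecom and behavioral signals into one 0..100 score."""
    weighted = [
        (not s.device_known, 20),           # device: never seen for this account
        (s.device_compromised, 60),         # device: reputation says recently infected
        (s.anonymized_network, 50),         # network: anonymized source
        (impossible_travel(s), 40),         # network: impossible travel
        (s.sim_swapped_recently, 45),       # telecom: SIM swap
        (s.phone_tenure_days < 30, 15),     # telecom: number only recently assigned
        (s.unusual_login_hour, 10),         # behavioral: unusual timing
        (s.txn_velocity_ratio > 3.0, 25),   # behavioral: abnormal velocity
    ]
    return min(sum(w for hit, w in weighted if hit) + int(30 * s.ip_risk), 100)

def decide(s: LoginSignals, step_up_at: int = 20, deny_at: int = 50) -> Decision:
    """Proportional enforcement: the response scales with the correlated score."""
    score = risk_score(s)
    if score >= deny_at:
        return Decision.DENY
    return Decision.STEP_UP if score >= step_up_at else Decision.ALLOW

def sample_login(**overrides) -> LoginSignals:  # constructed baseline: clean, known device
    base = LoginSignals(True, False, 0.0, False, 5.0, 12.0, False, 900, False, 1.0)
    return replace(base, **overrides)
```

No single weight is decisive on its own; a SIM swap or impossible travel alone lands in the step-up band, while two such signals together cross the deny threshold.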
Measure what matters
According to the 2025 Cost of a Data Breach Report from IBM, breaches involving stolen credentials take an average of 246 days to detect and contain. This represents approximately eight months of unauthorized access.
IBM also found that breaches contained within 200 days cost approximately $1.1 million less than those detected later. Organizations that extensively deployed automation and AI reduced breach costs to $3.62 million on average, compared to $5.52 million for organizations without these capabilities.
The key metric is not whether compromise occurs, but how quickly it is detected and contained.
How ID Dataweb addresses these requirements
The principles described above depend on the ability to collect, correlate, normalize, and act on identity risk signals in real time. Most enterprises lack the integrations required to unify telecom, device, network, and behavioral intelligence into a single decision layer.
Building this infrastructure internally requires negotiating contracts with multiple authoritative identity data sources and risk signal providers, normalizing signal formats, and maintaining a real-time orchestration engine. This complexity often prevents organizations from fully implementing identity threat detection.
The ID Dataweb SaaS platform combines adaptive identity verification methods, behavioral analytics, device and credential intelligence, and risk scoring. Backed by AI and expert insights, these capabilities proactively stop identity-based attacks, protect revenue, strengthen compliance, and accelerate Zero Trust adoption.
Unlike static legacy identity tools, ID Dataweb delivers dynamic, multi-layered risk orchestration that adapts to evolving threats. Its low-code, cloud-native services deploy quickly, integrate seamlessly with existing IAM systems, and align with each customer’s policies.
Key capabilities include:
- Multi-channel signal correlation: The ID Dataweb platform evaluates authentication and identity events across Web, mobile, and call center channels using a unified risk model. This prevents attackers from bypassing controls by switching channels.
- Adaptive authentication orchestration: The ID Dataweb platform triggers additional identity verification only when risk thresholds are exceeded. This preserves usability while strengthening protection against suspicious activity.
- Cross-channel intelligence sharing: Risk signals detected in one channel influence decision-making across all channels. For example, a SIM swap event increases scrutiny for related authentication attempts, reducing the likelihood of account takeover.
No solution can eliminate credential risk entirely. Attackers continuously adapt their methods. However, effective identity threat detection and risk mitigation reduces attacker success rates, accelerates detection, and limits breach impact.
Building a mature defense
Credential compromise is now the primary entry point for enterprise attacks. Attackers can purchase stolen credentials, exploit weak help desk verification, and move across channels to escalate access.
Credential-only authentication and point-in-time identity verification are no longer sufficient. Organizations must treat identity as a continuous risk surface rather than a binary trust decision.
A mature defense correlates risk signals across devices, networks, telecom infrastructure, and behavioral activity. Organizations should begin by identifying where authentication relies on static or easily compromised factors. They should then implement continuous risk assessment at key access and recovery points.
For organizations seeking to strengthen identity security beyond one-time verification, ID Dataweb provides a framework for continuous identity threat detection and risk mitigation.