“Attackers don’t hack in… they log in.”
While defending Air Force networks, we were constantly tested by Department of Defense (DoD) groups mandated to evaluate our cybersecurity posture. They didn’t rely on exotic zero-days or malware. Instead, they harvested credentials—sometimes from an Airman at an entirely different base—used them to log in, and breached our systems without triggering a single alarm.
Why?
Because they could.
Because it’s easier.
Because our security investments were blind to credential-based attacks.
Millions were spent on malware detection, endpoint protection, threat indicators, vulnerability scanning, proxies, and firewalls—but none of these were useful against attacks launched with compromised credentials.
When we raised the issue, excuses abounded:
“That’s a training issue.”
“That’s an IT problem, not ops.”
“You want me to make the Colonel change his password?”
“No. That’ll kill real operations.”
Worse still, we carved out special exceptions for senior leaders—our most valuable targets.
The Password Pandemic
Credential sprawl is everywhere, and the damage is real.
- 81% of hacking-related breaches involved brute force or compromised credentials (Verizon DBIR).
- 41% of cyberattacks in the financial sector were credential stuffing incidents (FBI).
- 51% of observed attacks in 2020 were malware-free, often using valid credentials (CrowdStrike).
- 99% of cloud security failures by 2025 will stem from exposed credentials via misconfigurations (Gartner).
Other alarming stats:
- 61% of companies have 500+ accounts with non-expiring passwords (Varonis).
- Only 1/3 of users change passwords after a breach (Carnegie Mellon).
- Over 10 billion account records and 600 million passwords have been leaked (Have I Been Pwned).
- 300 billion+ passwords are in use globally (as of 2020).
A $10 Billion Price Tag
Credential attacks bypass scanners, EDR, SIEM, SOAR, and most penetration testing tools. Yet they’ve caused over $10 billion in damages over five years:
- NotPetya ransomware used credential theft to self-propagate without user interaction.
- Marriott breach: attacker used two employee credentials to steal 5.2M customer records.
- Zoom credentials were stolen and sold en masse during the COVID-19 shift to remote work.
When stolen credentials are used, attackers appear as legitimate users. With no malware signature to match, they’re nearly invisible to signature-based defenses—making Zero Trust and BeyondCorp-style architectures more essential than ever.
Why This Matters
- 51% of users reuse the same password across work and personal accounts.
- 39% of accounts have passwords that never expire.
- Some Zoom credentials used in attacks dated back to 2013.
Attackers aren’t always targeting high-budget enterprises. They’re increasingly going after soft targets—schools and hospitals—where password policies and hygiene are weakest.
At Horizon3.ai, we’ve used the same tactics to help these organizations fix what really matters.
Horizon3.ai’s 2020 Results
In hundreds of offensive operations across industries, Horizon3.ai uncovered:
- Weak/default credentials were the number one issue across all engagements.
- On average, 100 exploitable credentials per operation were discovered.
- 1 in 8 hosts had a weak or default credential.
- 80% of those credentials led to critical resources or data.
- 65% of all weaknesses were misconfigurations—many credential-related.
- 1/3 of credential compromises were due to factory defaults (some with anonymous logins).
Top Credential-Related Weaknesses Discovered:
- Weak/Default Credentials
- Insecure Protocols
- Anonymous Printer Access
- Anonymous FTP
… and more.
Why We Win
Being vulnerable doesn’t mean you’re exploitable. Horizon3.ai looks at your environment through an attacker’s lens. We identify how credentials, misconfigurations, and context chain together to expose your real risk.
We prove it:
- We exploit guest access and insecure protocols to show how MFA can be bypassed.
- We demonstrate how attackers harvest usernames from LinkedIn, then use password sprays or credential stuffing to break in.
- We emulate real-world attack chains using the same tools and techniques adversaries use.
Example:
In just 2 hours, our AI-driven platform Node Zero uncovered two default SQL credentials in a FinTech environment—leading to exposure of 13B+ sensitive records.
Real-World Timeline (Medical Company Red Team):
- 4:40 PM — Harvested 800 names from LinkedIn
- 4:45 PM — Verified 500 domain usernames
- 4:50 PM — 2 failed password sprays
- 5:50 PM — 1 spray → 8 accounts compromised
- 5:55 PM — Discovered no domain lockout policy
- 6:00 PM — 20 more sprays → 6 additional accounts compromised
Administrator access followed. So did access to IP, PII, PHI, and the company’s “crown jewels.”
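Read from the defender’s side, the timeline above is a detection problem: a password spray shows up in authentication logs as one source failing against many distinct accounts, one or two attempts each, deliberately staying under any lockout threshold, and a missing lockout policy removes the only control that would otherwise slow it down. The following is an added example, not Horizon3.ai code or the medical company’s data: the log format, timestamps, addresses, usernames and detection thresholds are all constructed assumptions, chosen so that the spray pattern, the classic single-account brute force, and an ordinary user mistyping a password can be told apart.

```python
"""Detecting a password spray in authentication logs (added example).

Assumed log format, one event per line (constructed, not a real product format):
    <ISO timestamp> <username> <source IP> <SUCCESS|FAIL>
Thresholds (window, min_users, max_per_user, max_attempts) are assumptions a
defender would tune to their own environment and lockout policy.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: bob mistypes once from a workstation, 203.0.113.5
# sprays eight accounts once each (heidi's password is guessed), and
# 198.51.100.9 hammers the admin account twelve times.
SAMPLE_LOG = """\
2020-11-03T16:49:30 bob 10.0.0.7 FAIL
2020-11-03T16:49:41 bob 10.0.0.7 SUCCESS
2020-11-03T16:50:01 alice 203.0.113.5 FAIL
2020-11-03T16:50:02 bob 203.0.113.5 FAIL
2020-11-03T16:50:03 carol 203.0.113.5 FAIL
2020-11-03T16:50:04 dave 203.0.113.5 FAIL
2020-11-03T16:50:05 erin 203.0.113.5 FAIL
2020-11-03T16:50:06 frank 203.0.113.5 FAIL
2020-11-03T16:50:07 grace 203.0.113.5 FAIL
2020-11-03T16:50:08 heidi 203.0.113.5 SUCCESS
""" + "".join(f"2020-11-03T16:51:{i:02d} admin 198.51.100.9 FAIL\n" for i in range(12))


def parse_log(text):
    """Parse log lines into (timestamp, user, source, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user.lower(), src, result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Spray signature: within `window`, one source fails against at least
    `min_users` distinct accounts while no single account sees more than
    `max_per_user` failures (i.e. each account stays under a lockout threshold).
    Returns {source: sorted list of sprayed accounts}."""
    fails = defaultdict(list)
    for ts, user, src, ok in events:
        if not ok:
            fails[src].append((ts, user))
    alerts = {}
    for src, attempts in fails.items():
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide the window
                start += 1
            per_user = Counter(u for _, u in attempts[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = sorted(per_user)
        if best:
            alerts[src] = best
    return alerts


def detect_bruteforce(events, window=timedelta(minutes=10), max_attempts=10):
    """Complementary pattern a lockout policy is designed to stop: one source
    failing `max_attempts` or more times against one account within `window`.
    Returns {source: account}."""
    fails = defaultdict(list)
    for ts, user, src, ok in events:
        if not ok:
            fails[(src, user)].append(ts)
    hits = {}
    for (src, user), times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_attempts:
                hits[src] = user
                break
    return hits


def compromised_after_spray(events, spray_alerts):
    """Accounts that logged in successfully from a spraying source: the
    '8 accounts compromised' line of the timeline, as a triage list."""
    return {src: sorted({u for _, u, s, ok in events if ok and s == src})
            for src in spray_alerts}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sprays = detect_spray(evts)
    print("spray sources:", sprays)
    print("brute-force sources:", detect_bruteforce(evts))
    print("accounts to reset:", compromised_after_spray(evts, sprays))
```

The two detectors are deliberately separate: a per-account lockout threshold catches the brute-force case but, as the timeline shows, does nothing against a spray that touches each account once, so the spray rule keys on the count of distinct accounts per source rather than attempts per account. In practice the source field may need to be a source host, ASN or user-agent rather than a single IP, since sprays are often distributed, and the successful logins returned by `compromised_after_spray` are the accounts to reset first.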
Final Word
Every CEO, CISO, and MSSP should ask:
“Are we vulnerable to credential-based attacks?”
Then prove it. Horizon3.ai can help.
Because if an attacker appears legitimate, why would your defenses stop them?