Learn more about Photolok | Click Here

Learn more about Photolok | Click Here

Kasey Cromer, Netlok | October 6, 2025

Executive Summary

2025 is setting new records for cyberattacks, with over 16 billion passwords exposed and more than half of data breaches involving personally identifiable information (PII). Given increased regulatory scrutiny, increasing penalties, customer-facing risks, combined with new methods to protect yourself, every digital service user should take proactive steps to protect themselves.[1][2][3]

1. Data Breach by the Numbers

Defining Personally identifiable information (PII): PII is any type of data that can be used to distinguish or trace an individual’s identity by itself or when combined with other information. This includes direct identifiers—like full names, Social Security numbers, passport information, or biometric data (e.g., fingerprints, facial scans), and indirect ones—such as date of birth, race, gender, or place of birth that when combined with other data, can reveal the identity of a person.[4][5][6]  Sensitive PII includes information like financial details, medical records, driver license numbers, phone numbers and email addresses, making this data highly valuable to cybercriminals. Protecting PII is crucial to prevent identity theft and unauthorized use.

2. Who Gets Hurt—and How?

Victims of recent breaches recount losing retirement savings, having mortgage applications denied, and enduring relentless phishing and fraud attacks. A Connecticut bank customer saw their information used to open credit cards. Another family faced insurance fraud after health data was leaked. The takeaway, even when attackers don’t steal money immediately, is that exposed personal information often causes financial, emotional, and reputational turmoil for years.[9][10]

“The shift we’re seeing in 2025 is from passive acceptance of breaches to active customer empowerment. New regulations, better insurance options, and innovative authentication technologies are giving consumers real tools to protect themselves—but only if they use them.”
— Industry perspective from leading cybersecurity analysts[2][3]

3. Salesforce as Case Study—But Risks Are Everywhere

The high-profile Salesforce breach, in 2025, impacted thousands of organizations, exposing credentials and customer data through a third-party integration. Yet these methods—phishing, stolen PII, exploiting software integrations—also enable attacks on hospitals, insurers, banks, universities, and government offices across the globe. Every digital user is potentially a target.[11][12][13]

4. Regulation & Insurance: What Changed in 2025

• State Law Updates: States like Oklahoma and New York now mandate breach notices within 48 hours and cover more types of PII and sensitive data.[14]
• Healthcare: Enhanced HIPAA protections mean mandatory encryption/MFA for medical providers, with bigger penalties for mishandling PII. [15] Fines, class actions, and settlements continue to rise; 32% of breached organizations paid fines above $100,000. [8]
• Cyber Insurance: Most modern policies cover breach cleanup, incident costs, and notification, but new exclusions (e.g., for AI-driven fraud) require careful annual review. [16][17] At a minimum, the individual must comply with all policy requirements. Failure to do so will result in claim denial.

Regulatory Breach Notice Deadlines—At a Glance

5. Emotional & Financial Toll: Human Stories Matter

Exposed PII allows cybercriminals to send customized scam emails, create socially engineered support lines, and commit medical or financial fraud in victims’ names. Victims often spend months, sometimes years, repairing records, refuting fraudulent activity, and regaining lost access. For most simple cases, recovery is possible within weeks to a few months, but for a substantial minority, especially those involving government fraud or major financial harm, the process can extend for 1-2 years or longer. [18]  

6. What Every Customer Should Do

Within 24 hours of breach notice:

• Change all passwords for affected accounts. Enable multi-factor authentication for critical logins[3]

Within 48 hours:

• Monitor statements, freeze credit, and notify financial institutions of possible fraud[17]

Week 1:

• Stay alert for phishing, false “support” calls, or scam messages using your compromised PII[9]

First month:

• Review cyber insurance policy and consider legal support for substantial damage[16]
• Request updates and clear action plans from the affected company

Ongoing:

• Use unique passwords for every account. Limit what PII is shared publicly (e.g., on social media)[5]
• Demand honest, timely notifications and advocate for strong customer protections

7. Why Passwords Are the Problem—and Photolok Is the Solution

Traditional passwords remain the weakest link in cybersecurity, with 88% of web application attacks exploiting stolen credentials.[3] That’s why at Netlok, we’ve developed Photolok—a revolutionary visual authentication system that eliminates passwords entirely.

How Photolok Protects You:

Visual Authentication
Instead of typing passwords that can be stolen, you select encrypted photos from Photolok’s proprietary library and log in to your private account. Hackers can’t use what they can’t steal.

One-Time Use Photos
Each photo can be set for single use, expiring after login. Even if someone sees you authenticate, they can’t reuse that image.

Duress Protection
Select a special “duress photo” to silently alert authorities or trusted contacts if you’re forced to log in under threat—a feature no password can offer.

Easy Setup & Management

• Add or replace photos in seconds
• Organize with custom labels that can be changed with a click of a button.
• Works alongside existing MFA for layered security
• No complex passwords to remember or lose

Built for Everyone
From tech-savvy professionals to seniors who struggle with passwords, Photolok’s intuitive design makes strong security accessible to all users.

Real-World Impact:

When the recent Salesforce breaches exposed consumer passwords, Photolok users remained protected. You can’t phish a photo that changes with each login.   

Ready to move beyond passwords? Learn more about Photolok or Request a Demo to see how visual authentication can protect your accounts today.

8. The Path Forward

Data breaches aren’t slowing down—they’re accelerating. But customers don’t have to be victims. Through vigilance, advocacy, and adoption of advanced authentication solutions like Photolok, every user can take control of their digital security.

Author & Credentials

Kasey Cromer is Director of Customer Experience at Netlok, focused on authentication, incident response, and SaaS security for over a decade.

Resources

1. Cybernews: 16 Billion Passwords Exposed Through Infostealers
2. IBM Cost of a Data Breach Report 2025
3. StrongDM: Data Breach Statistics 2025
4. Proofpoint: What Is PII?
5. Keeper Security: Examples of PII
6. SecurityScorecard: How to Protect PII
7. Baker Donelson: Key Insights from IBM’s 2025 Report
8. Kiteworks: IBM 2025 Data Breach Report AI Risks
9. Bright Defense: Recent Data Breaches
10. Bluefin: Data Breaches Soar Q1 2025
11. Google Cloud: Data Theft from Salesforce Instances
12. Cybersecurity Dive: Salesforce Data Theft
13. HIPAA Journal: Healthcare Data Breach Statistics
14. Inside Privacy: Oklahoma Data Breach Law Update
15. DeepStrike: Healthcare Data Breaches 2025
16. Munich Re: Cyber Insurance Trends 2025
17. Woodruff Sawyer: Cyber Looking Ahead Guide
18. How Long Does It Take to Recover From Identity Theft?

Published September 2025. Content reviewed quarterly for accuracy and compliance. Netlok’s Photolok solution is featured as an innovative approach to password-free authentication in the evolving cybersecurity landscape.

K. Cromer, Netlok 9/8/2025

This analysis builds on Netlok’s ongoing research into wrench attack vulnerabilities. For additional context, visit our blog resources.

The darkest prediction in cryptocurrency security has come true: As of August 2025, wrench attacks against crypto holders are averaging more than one incident per week worldwide, with 30+ documented cases in less than half a year¹. Bitcoin trades near $122,000—over 50% higher than a year ago—fueling a shift from sophisticated hacking to old-fashioned violence².

As crypto values hit historic highs and identities are exposed via massive data breaches, security experts warn of “a brutal convergence of the speed of cybercrime with the violence of street crime”³. Recent statistics confirm this threat has evolved from isolated events to systematic targeting, making distress resistant authentication more critical than ever.

The Numbers Tell a Chilling Story

Why Paris Became Ground Zero

France, particularly Paris, has emerged as the epicenter of crypto violence. In one prominent case, a crypto executive was kidnapped from his home, while others saw family members targeted in broad daylight⁷. Cases aren’t limited to continental Europe: the U.S., UK, Canada, and Asia have all reported wrench attacks in 2025⁴.

What began as isolated cases is now a global issue, with organized crime groups and opportunistic actors exploiting public profiles and personal data⁸.

Where Traditional Security Fails

“The brutal reality is that seemingly cryptographically perfect systems fail completely when someone puts a gun to your head”⁹.

Traditional multi-factor authentication, hardware wallets, and encryption offer no real protection against physical coercion.

Victims report beatings, electric shocks, and even prolonged captivity until attackers achieved transfers under force¹⁰. Research now shows that even highly security-conscious holders are not immune—meaning the threat transcends technical skill or digital hygiene¹¹.

This widening gap between digital protections and physical coercion is precisely where an alternative approach is needed.

The Photolok Advantage

Unlike traditional MFA methods that collapse under physical threats, Photolok introduces adaptive, attack response visual authentication designed to transform wrench attacks from complete vulnerability into opportunities for silent resistance¹².

Duress Signaling in Action

Consider a scenario: a user pre-selects a specific photo as a “duress” photo. If forced to authenticate, selecting this photo triggers a silent alarm to security contacts and law enforcement, while granting access to the attacker. This ensures that, even during a threat, victims can discreetly signal for help without escalating the situation¹³.

One-Time Use

Each photo is cryptographically unique. By selecting a one-time use photo, you avoid photo disclosure as a one-time photo expires after it is used one time. Even if attackers gain access, this specific photo cannot be reused—significantly limiting the attacker’s ability to login in the future¹³.

Cognitive Confusion

Photolok’s visual, point-and-click system is unfamiliar to most criminals who expect passwords or PINs. Attackers may struggle to articulate demands (“click on your photos” is less intuitive than “enter your password”), creating crucial delays and confusion¹².

Risk Reduction Tools

There are a number of actions that can be taken to reduce the risk of attack and minimize harmful outcomes.

1. Eliminate Wealth Signaling
   Remove physical addresses from public records and make social media private. Avoid conference photos or portfolio screenshots².
2. Implement Geographic Distribution
   Multi-signature security ensures transactions require multiple approvals from trusted parties in different locations—making coercion far more difficult¹¹.
3. Deploy Duress-Resistant Authentication
   Traditional MFA fails under physical threat. Duress-resistant systems like Photolok allow apparent compliance while secretly signaling for help¹³.
4. Create Decoy Holdings
   Set up smaller crypto “sacrifice wallets” with modest amounts for attackers, while larger holdings are secured in hardened, separate storage.
5. Establish Emergency Protocols
   Create silent alert systems with trusted contacts. Integrate tools (including Photolok) that notify authorities or partners during high-risk logins¹³.

From Vulnerability to Empowerment

2025’s weekly attack frequency marks a turning point in crypto security. For the first time, tools exist that change the outcomes of physical coercion, enabling individuals to silently signal for help and limit attackers’ ability to access their personal information under duress. With Photolok’s duress photo login, if someone forces a user to unlock crypto, selecting a special “duress photo” quietly alerts help without tipping off the attacker. Instead of feeling powerless, users get a way to protect their assets and ask for help, even in dangerous situations. The $5 wrench and threat of physical harm will always defeat pure encryption, but it doesn’t have to defeat human ingenuity.

Ready to enhance your security? Learn more about how Photolok can protect your assets at Netlok.com and explore our blog resources for deeper insights into duress-resistant authentication and the future of crypto security.

Sources

1. LiveBitcoinNews – Wrench attacks: at least one bitcoiner kidnapped every week
2. FintechNews – Crypto crime surges in 2025 set to break records
3. Chainalysis – 2025 Crypto Crime Mid-Year Update
4. QAZInform – Global wave of crypto-related kidnappings
5. TRM Labs – The rise of wrench attacks and crypto-related violent crime
6. Fortune – Lloyd’s of London offering crypto attack insurance
7. The Week – ‘Wrench attacks’ are targeting wealthy crypto moguls
8. Sherwood News – The alarming surge of “wrench attacks” in crypto
9. NPR – New York kidnapping underscores rise in crypto ‘wrench attacks’
10. CBS News – Crypto kidnappings on the rise as criminals resort to “wrench attacks”
11. Cambridge Repository – Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users
12. Netlok – How Photolok works
13. Netlok – Photos Not Passwords for Secure Login Authentication

A.R. Perez, Netlok. 7/8/2025

Multi-factor authentication (MFA) was once hailed as a near-perfect shield, yet recent headline breaches prove attackers are not only slipping past it—they are doing so at an accelerating pace. This report ranks today’s most common MFA combinations from weakest to strongest and quantifies the sharp rise in MFA-related attacks between 2023 and 2025. It should be noted that Photolok^Ò (a passwordless MFA factor that uses proprietary-coded photos) is not included in this analysis.

Why MFA Strength Varies

Every MFA scheme marries at least two factors—knowledge (password/PIN), possession (token/phone), or inherence (biometric). Security depends on:

• Transport security (Is any secret sent over a channel that can be intercepted?)
• Phishing resistance (Can the user’s factor be replayed to a fake site?)
• Device binding (Is the factor cryptographically locked to a specific device?)
• User behavior (Can social engineering or “MFA fatigue” trick users into approving?)

Ranking MFA Combinations

Key Takeaways

• SMS and voice codes are now the attacker’s easiest door. SIM-swapping and SS7 attacks routinely hijack these one-time codes 12, 13.
• Push bombing moved classic push to “low trust.” Repeated prompts trick users into approvals; number-matching mitigates but doesn’t eliminate risk 10, 9.
• TOTP is safer than SMS but still phishable. Transparent reverse-proxy kits like EvilProxy harvest codes in real time 9.
• Phishing-resistant authentication begins with FIDO2/WebAuthn. Hardware-backed keys or passkeys neutralize man-in-the-middle attacks by binding credentials to the correct origin 12.

The Surge in MFA-Focused Attacks (2023-2025)

Visualizing the Climb

*Rates come from different datasets (CIAM traffic, IR engagements, BEC breaches). While scopes vary, all show the same climbing trajectory.

Why the Rate Keeps Rising

Commodity Phishing-as-a-Service (PhaaS)

• Kits like Tycoon 2FA and EvilProxy package adversary-in-the-middle techniques for <$300 20, 21.
• No elite skills required; proxy auto-captures TOTP, push, and even session cookies.

Token Theft & Session Hijacking

• Malware or browser extensions steal stored cookies, rendering second factors moot 9, 19.
• Stolen session tokens sell in criminal markets for as little as $10 per corporate user 20.

MFA Fatigue & Social Engineering

• Push-bombing remains effective: Uber, Microsoft, and EA all fell to approval spamming 11, 9.
• Help-desk impersonation convinces IT staff to reset credentials or enroll attacker devices 16.

Weak Factor Mix

• SMS remains the default in consumer apps—96% of Coinbase account-takeover victims relied on SMS OTP 13.
• Many enterprises lack Conditional Access or token-binding, letting hijacked sessions roam free 22.

Hardening the Human-Machine Perimeter

1. Phase Out Legacy Factors

• Block SMS/voice codes for privileged accounts; require authenticator apps or keys instead12, 2.

2. Enforce Phishing-Resistant MFA

• Deploy FIDO2/WebAuthn passkeys or security keys for all admins and high-risk roles 12.
• Use token-binding or Microsoft Entra ID’s token protection to neutralize session-theft attacks 22.

3. Strengthen Push Workflows

• Mandate number-matching or challenge-response for any push-based approvals 9.
• Limit consecutive push requests and alert security operations on excessive prompts 11.

4. Layer Conditional Access & Risk-Based Controls

• Require device compliance, geolocation heuristics, and continuous session monitoring to catch hijacked tokens in flight 22.

5. Educate to Eradicate MFA Fatigue

• Simulate AiTM phishing and push-bomb drills so users recognize and report anomalies 23, 16.
• Reinforce “never approve unexpected prompts” in monthly training cycles.

Conclusion

Attackers’ ability to sidestep MFA has grown from isolated exploits in 2023 to industrial-scale commodity services in 2025. Organizations that cling to password-plus-SMS or push-only MFA now occupy the bottom rung of the strength ladder and face a sharply rising threat curve. Yet the solution is within reach: broad adoption of phishing-resistant, device-bound authentication—coupled with risk-aware access controls—flips the cost curve back onto the attacker. Upgrade the factors, shrink the attack surface, and keep users from approving the next rogue prompt. One novel method of upgrading factors is to use Photolok – a passwordless factor that uses steganographic coded photos that also protects against AI/ML attacks as well as provides lateral movement penetrations due to its unique architecture.

1. https://fidoalliance.org/fido2/
2. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
3. https://www.trout.software/resources/tech-blog/fido2-and-passkeys-the-future-of-mfa-for-critical-infrastructure
4. https://www.security.com/blogs/expert-perspectives/secret-phishing-resistant-authentication
5. https://hideez.com/blogs/news/fido2-explained
6. https://tjdeed.com/combating-phishing-attacks-with-passwordless-fido2-authentication/
7. https://stytch.com/blog/totp-vs-sms/
8. https://rublon.com/blog/sms-vs-totp/
9. https://www.menlosecurity.com/blog/the-art-of-mfa-bypass-how-attackers-regularly-beat-two-factor-authentication
10. https://www.cybersecuritydive.com/news/mfa-multi-factor-authentication-cisco-talos-cyber/719254/
11. https://www.sapphire.net/blogs-press-releases/the-rise-of-mfa-fatigue-attacks/
12. https://cyberhoot.com/blog/top-five-risks-from-sms-based-mfa/
13. https://www.authsignal.com/blog/articles/why-sms-based-authentication-is-no-longer-enough-for-secure-account-protection
14. https://community.ring.com/en_GB/conversations/general-topics/multifactor-authentication-using-sms-is-the-least-secure/6580381451f6e6fe78d31ec5
15. https://www.okta.com/newsroom/articles/key-findings-from-our-2023-state-of-secure-identity-report/
16. https://www.kroll.com/en/insights/publications/cyber/mfa-bypass-leads-to-account-compromise
17. https://www.descope.com/learn/post/mfa-bypass
18. https://www.infosecurity-magazine.com/news/orgs-inected-ransomware-2023/
19. https://frsecure.com/blog/token-theft-attacks-mfa-defeat/
20. https://www.theregister.com/2025/07/07/phishing_platforms_infostealers_blamed_for/
21. https://blog.talosintelligence.com/state-of-the-art-phishing-mfa-bypass/
22. https://www.egroup-us.com/news/microsoft-entra-id-security-2025/
23. https://www.waterisac.org/portal/ransomware-resilience-%E2%80%93-mfa-bypass-seen-largest-attack-vector-ransomware-attacks
24. https://www.rsa.com/wp-content/uploads/rsa-top-trends-in-identity-2025.pdf
25. https://jumpcloud.com/blog/multi-factor-authentication-statistics
26. https://www.enzoic.com/blog/microsoft-digital-defense-report-mfa-vulnerabilities/
27. https://netrixglobal.com/blog/cybersecurity/navigating-the-new-wave-of-mfa-bypass-attacks-in-2025/?category=office+365%2Co365%2Coffice+365+pnp
28. https://expertinsights.com/user-auth/multi-factor-authentication-statistics
29. https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass
30. https://emudhra.com/en-us/blog/mfa-solutions-trends-to-watch-out-for-in-2025
31. https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023
32. https://www.greystoneprograms.org/post/cyber-security-trends-in-2025
33. https://www.rapid7.com/blog/post/2025/04/10/password-spray-attacks-taking-advantage-of-lax-mfa/
34. https://www.forbes.com/sites/daveywinder/2024/12/25/google-and-microsoft-users-warned-as-new-2fa-bypass-attacks-reported/
35. https://www.rsa.com/resources/blog/multi-factor-authentication/the-future-of-mfa-adaptive-authentication-and-other-trends/
36. https://keepnetlabs.com/blog/understanding-mfa-phishing-protection-measures-and-key-statistics
37. https://www.cisa.gov/resources-tools/resources/phishing-resistant-multi-factor-authentication-mfa-success-story-usdas-fast-identity-online-fido
38. https://www.creative-n.com/blog/mfa-fatigue-attacks-what-are-they-and-how-can-your-business-combat-them/
39. https://vanishid.com/2023/09/07/kroll-august-2023-sim-swap-attack/
40. https://explodingtopics.com/blog/multi-factor-authentication-stats
41. https://www.f5.com/labs/articles/threat-intelligence/2023-identity-threat-report-the-unpatchables
42. https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q2-2023-threat-landscape-report-supply-chain-infiltrations
43. https://www.statista.com/statistics/1458607/mfa-account-takeover-global/
44. https://www.reddit.com/r/cybersecurity/comments/13pu8ds/the_problem_with_smsbased_mfa_in_2023_and/
45. https://www.kroll.com/-/media/kroll/pdfs/publications/q2-2023-threat-landscape-report-supply-chain-infiltrations.pdf
46. https://cyberwyoming.org/insights-from-the-itrc-2024-data-breach-report-mfa/
47. https://www.army.mil/article/280598/secure_our_world_cecom_recommends_enabling_multifactor_authentication_to_enhance_cybersecurity
48. https://www.prove.com/blog/prove-identity-2023-state-of-mfa-report-consumer-attitudes-multi-factor-authentication
49. https://www.swidch.com/resources/blogs/2fa-mfa-the-good-the-bad-the-ugly
50. https://www.menlosecurity.com/press-releases/browser-based-phishing-attacks-increased-198-in-2023-as-threat-actors-grow-more-evasive-menlo-security-research-finds
51. https://hub.wpi.edu/spread/148/secure-it-october-2023
52. https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2023-threat-landscape-report-threat-actors-breach-outer-limits
53. https://www.infosecurity-magazine.com/news/majority-compromises-stolen/
54. https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index
55. https://www.reddit.com/r/msp/comments/1jr46aw/365_account_comprise_bypassing_mfa_and_sending/
56. https://hoxhunt.com/blog/business-email-compromise-statistics
57. https://www.isaca.org/resources/news-and-trends/industry-news/2025/will-mfa-redefine-cyberdefense-in-the-21st-century
58. https://www.indusface.com/blog/key-cybersecurity-statistics/
59. https://blog.lastpass.com/posts/business-email-compromise
60. https://blueprint.asd.gov.au/configuration/entra-id/protection/risky-activities/multifactor-authentication/account-lockout/
61. https://www.scworld.com/feature/how-attackers-outsmart-mfa-in-2025
62. https://hoxhunt.com/guide/phishing-trends-report
63. https://learn.microsoft.com/en-us/partner-center/security/security-at-your-organization
64. https://arcticwolf.com/resources/blog/defending-against-business-email-compromise/
65. https://www.cobalt.io/blog/top-cybersecurity-statistics-2025
66. https://www.huntress.com/blog/cybersecurity-statistics
67. https://www.linkedin.com/pulse/business-email-compromise-bec-most-expensive-youll-xutwc
68. https://www.intrust-it.com/understanding-mfa-bypass-attacks/
69. https://www.reddit.com/r/privacy/comments/rf0xno/is_2fa_with_authenticator_apps_really_more_secure/
70. https://rokibulroni.com/blog/fido2-passkeys-modern-authentication-2025/
71. https://www.corbado.com/blog/best-fido2-hardware-security-keys
72. https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/phishing-resistant-auth.htm
73. https://www.cyberseclabs.org/best-fido2-hardware-security-token/
74. https://www.pcmag.com/picks/best-hardware-security-keys
75. https://www.idmanagement.gov/playbooks/altauthn/
76. https://jumpcloud.com/blog/totp-mfa
77. https://www.nytimes.com/wirecutter/reviews/best-security-keys/
78. https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/
79. https://nordlayer.com/blog/cybersecurity-statistics-of-2024/

A.R. Perez, Netlok, July 1,2025

Understanding the Threat Landscape

The emergence of sophisticated deepfake technologies and synthetic identity creation tools represents one of the most significant challenges facing biometric authentication systems today. Deepfakes are highly realistic, artificially generated media that can convincingly replicate human faces, voices, and behaviors using advanced deep learning techniques 1, 2. These technologies have rapidly evolved from entertainment applications to become serious security threats, with attackers now capable of bypassing traditional biometric systems that once seemed unbreachable.

Recent data reveals the scale of this challenge: in 2024, 50% of surveyed businesses reported experiencing deepfake-related attacks, with 57% of cryptocurrency organizations facing audio deepfake fraud 3. The accessibility of AI tools has democratized deepfake creation, allowing even non-technical attackers to generate convincing synthetic media with minimal coding skills 4. Reports indicate a staggering 704% increase in face swap attacks across 2023, demonstrating the exponential growth of this threat vector 4.

Vulnerabilities in Current Biometric Systems

Traditional biometric authentication systems face significant vulnerabilities when confronted with sophisticated synthetic attacks. Research conducted at Penn State found that four of the most common facial liveness verification methods currently in use could be easily bypassed using deepfakes 5. The study developed a framework called “LiveBugger” which demonstrated that facial liveness verification features on various apps could be fooled by deepfake images and videos.

The fundamental challenge lies in the fact that conventional biometric systems were designed to distinguish between live humans and simple presentation attacks (like printed photos or basic recordings), but they struggle against AI-generated content that can mimic the subtle characteristics of live biometric samples 6, 7. Facial recognition systems, which rely on static features and patterns, are particularly vulnerable to sophisticated deepfake attacks that can replicate facial landmarks, expressions, and even micro-movements 8.

Voice biometric systems face similar challenges, with AI voice synthesis now capable of replicating vocal patterns, pitch, and tone with unsettling accuracy 8. Attackers can create voice clones using just a few seconds of recorded audio, enabling them to bypass voice-based authentication systems that were previously considered secure.

Impact on Authentication Confidence

The proliferation of deepfakes has begun to erode confidence in biometric authentication systems. Gartner analysts predict that by 2026, 30% of companies will lose confidence in facial biometric authentication due to the sophistication of AI deepfakes 1. This loss of confidence is not unfounded – traditional verification methods, including basic selfie comparisons and document-based biometric checks, are increasingly ineffective against realistic fake images, videos, and voices generated by accessible AI tools 3.

The problem extends beyond simple spoofing attacks. Fraudsters can now create entirely new synthetic identities that appear legitimate, utilizing generative AI models to produce hyper-realistic identification documents and deepfake videos capable of evading traditional liveness detection mechanisms 3. This capability allows attackers to circumvent Know Your Customer (KYC) checks employed by financial services, creating fraudulent accounts and executing unauthorized transactions.

Emerging Countermeasures and Technologies

The biometric industry is responding to these challenges through several innovative approaches designed to detect and prevent deepfake attacks:

Advanced Liveness Detection

Modern liveness detection technologies have evolved far beyond simple movement or challenge-response mechanisms. Companies like Mitek have developed sophisticated systems that can detect deepfakes and synthetic attacks through consistency analysis between different biometric modalities  9. Their IDLive^® Face product has achieved recognition as a top performer in NIST facial presentation attack detection evaluations and demonstrates effectiveness against sophisticated fraud attempts 9.

Next-generation liveness detection systems incorporate passive analysis that can identify subtle artifacts and inconsistencies inherent in AI-generated content without requiring active user participation 10. These systems analyze factors such as texture inconsistencies, temporal anomalies, and physiological impossibilities that are difficult for current deepfake generation technologies to replicate perfectly.

Multimodal Biometric Fusion

One of the most promising defenses against deepfake attacks is the implementation of multimodal biometric systems that combine multiple authentication factors. Research shows that while attackers might successfully spoof one biometric modality, creating convincing fakes across multiple modalities simultaneously becomes exponentially more difficult 11, 12.

Companies are developing systems that integrate facial recognition, voice authentication, and behavioral biometrics into unified platforms. For example, Mitek’s MiPass^® solution combines advanced facial and voice biometrics with passive liveness detection specifically to safeguard against deepfakes, synthetic identities, and identity theft  9.

AI-Powered Detection Systems

The fight against AI-generated attacks increasingly requires AI-powered defense systems. Researchers have developed sophisticated detection frameworks that can identify deepfakes by analyzing high-level audio-visual biometric features and semantic patterns 13. These systems focus on detecting characteristics that current deepfake generation technologies struggle to replicate, such as individual mannerisms and unique biometric patterns that persist across different contexts.

Advanced detection systems employ ensemble learning approaches and transformer-based architectures to improve accuracy in identifying synthetic content 11. These systems can achieve authentication accuracy rates exceeding 99.5% while maintaining spoof detection rates above 99.3% 11.

Tokenization and Privacy-Preserving Solutions

A fundamental shift in biometric security involves moving away from storing raw biometric templates to using irreversibly transformed tokens. Companies like Trust Stamp have developed technologies that replace biometric templates with cryptographic hashes that can never be rebuilt into original data 14, 15. These Irreversibly Transformed Identity Tokens (IT2) maintain matching capability while eliminating the risk of biometric data theft and misuse.

This approach addresses both deepfake vulnerabilities and privacy concerns by ensuring that even if systems are compromised, the stolen data cannot be used to recreate biometric information or generate convincing synthetic reproductions 14, 15.

Behavioral and Continuous Authentication

The future of biometric security increasingly relies on behavioral analysis and continuous authentication rather than single-point verification. Systems are being developed that monitor keystroke dynamics, mouse movements, and other behavioral patterns to create unique user profiles that are extremely difficult to replicate through synthetic means 16, 17.

Zero-trust architectures that implement continuous authentication represent a significant advancement in combating deepfake threats 18, 19. These systems continuously verify user identity throughout a session, making it much more challenging for attackers to maintain unauthorized access even if they successfully bypass initial authentication.

Industry Response and Future Outlook

The biometric industry has recognized the severity of the deepfake threat and is investing heavily in countermeasures. Companies are developing specialized solutions for different attack vectors, including injection attack detection that protects against virtual cameras and software-based spoofing attempts 10. These systems can detect when fraudsters use emulators, cloning apps, or other software tools to inject synthetic content into authentication processes.

The integration of artificial intelligence into biometric systems is driving improvements in both accuracy and security. AI-driven algorithms are enhancing biometric processing speeds and fraud detection capabilities while continuously learning and adapting to new attack methods 20. Modern facial recognition systems now achieve accuracy levels exceeding 99.5% under optimal conditions while incorporating sophisticated anti-spoofing measures 20.

Recommendations for Organizations

Organizations implementing or upgrading biometric authentication systems should consider several key strategies:

Adopt Multimodal Approaches: Implement systems that combine multiple biometric factors rather than relying on single-modality authentication. This significantly increases the difficulty for attackers to create convincing synthetic reproductions across all required modalities 12.

Implement Advanced Liveness Detection: Deploy passive liveness detection systems that can identify synthetic content without requiring user interaction. These systems should be regularly updated to address new deepfake generation techniques 21.

Consider Tokenization Technologies: Evaluate privacy-preserving biometric solutions that use irreversible tokenization to eliminate the risk of biometric data theft and reduce the potential for synthetic identity creation 14, 15.

Plan for Continuous Authentication: Develop zero-trust architectures that continuously verify user identity throughout sessions rather than relying solely on initial authentication 18, 19.

Stay Current with Threat Intelligence: Maintain awareness of evolving deepfake technologies and attack methods to ensure defensive measures remain effective against emerging threats 4.

Investigate Photolok^Ò :  It is a passwordless IAM solution that uses photos – not passwords. Photolok can be used as a second factor behind a biometric to prevent access and authentication. Its unique architecture protects against AI attacks as well as lateral movements. To learn more, go to www.netlok.com .

The rise of deepfakes and synthetic IDs represents a paradigm shift in cybersecurity threats, but the biometric industry is actively developing sophisticated countermeasures. Success in this evolving landscape will require organizations to adopt comprehensive, multi-layered approaches that combine advanced detection technologies, continuous authentication, and privacy-preserving architectures. While the challenges are significant, the continued advancement of defensive technologies provides hope for maintaining the security and integrity of biometric authentication systems in the face of increasingly sophisticated synthetic attacks.

1. https://www.bairesdev.com/blog/ai-deepfakes-biometric-authentication/
2. https://recordia.net/en/deepfakes-the-new-challenge-of-biometric-authentications/
3. https://nquiringminds.com/cybernews/aigenerated-synthetic-identities-challenge-biometric-security/
4. https://www.iproov.com/deepfake-protection-liveness
5. https://insights.globalspec.com/article/19166/study-deepfakes-can-trick-some-facial-recognition-systems
6. https://ieeexplore.ieee.org/document/10744460/
7. https://www.techtarget.com/searchsecurity/tip/How-deepfakes-threaten-biometric-security-controls
8. https://www.realitydefender.com/insights/traditional-biometrics-are-vulnerable-to-deepfakes
9. https://www.sec.gov/Archives/edgar/data/807863/000080786324000142/mitk-20240930.htm
10. https://www.idrnd.ai/idlive-face-plus-injection-attack-detection-deepfake-protection/
11. https://internationalpubls.com/index.php/cana/article/view/4547
12. https://www.jumio.com/biometrics-multimodal-approach/
13. https://www.biometricupdate.com/202204/researchers-claim-biometric-deepfake-detection-method-improves-state-of-the-art
14. https://www.sec.gov/Archives/edgar/data/1718939/000141057823001411/idai-20230331xs1.htm
15. https://www.sec.gov/Archives/edgar/data/1718939/000141057825000078/idai-20250930x424b4.htm
16. https://ieeexplore.ieee.org/document/10986481/
17. https://ieeexplore.ieee.org/document/10937066/
18. https://ijaem.net/issue_dcp/Zero%20Trust%20Architecture%20%20Beyond%20Perimeter%20Security%20Implementing%20Continuous%20Authentication%20and%20Least%20Privilege%20Access.pdf
19. https://www.swidch.com/resources/blogs/why-should-continuous-authentication-be-at-the-heart-of-your-zero-trust-architecture
20. https://www.identity.com/the-intersection-of-artificial-intelligence-ai-and-biometrics/
21. https://veridas.com/en/liveness-detection/
22. https://www.sec.gov/Archives/edgar/data/1534154/000121390023078358/ea185564-424b4_authidinc.htm
23. https://www.sec.gov/Archives/edgar/data/1718939/000110465925007699/idai-20250930xs1a.htm
24. https://www.sec.gov/Archives/edgar/data/1718939/000110465925006360/idai-20250930xs1.htm
25. https://www.sec.gov/Archives/edgar/data/894158/000141057822002238/syn-20220630x10q.htm
26. https://www.sec.gov/Archives/edgar/data/1824036/000119312522133568/d270117d20f.htm
27. https://www.sec.gov/Archives/edgar/data/1718939/000171893924000043/idai-20231231.htm
28. https://www.sec.gov/Archives/edgar/data/1718939/000141057823001949/idai-20230331x424b4.htm
29. https://www.sec.gov/Archives/edgar/data/1718939/000141057823002078/idai-20230630x424b4.htm
30. https://journal.ph-noe.ac.at/index.php/resource/article/view/1389
31. https://fcc08321-8158-469b-b54d-f591e0bd3df4.filesusr.com/ugd/185b0a_8b00f6cfb36d43258341f6fc7bc35beb.pdf
32. https://arxiv.org/abs/2410.07888
33. https://www.nature.com/articles/s41598-023-28162-6
34. https://www.tandfonline.com/doi/full/10.1080/19393555.2024.2347240
35. https://ieeexplore.ieee.org/document/9499970/
36. https://www.isaca.org/resources/white-papers/2024/examining-authentication-in-the-deepfake-era
37. https://www.fime.com/ko_KP/blog/beulrogeu-15/post/q-a-improving-biometric-systems-using-ai-based-spoofing-396
38. https://idtechwire.com/researchers-detail-synthetic-face-generation-via-arcface-embedding/
39. https://www.sec.gov/Archives/edgar/data/1477960/000147793225002922/cbbb_10k.htm
40. https://www.sec.gov/Archives/edgar/data/1477960/000147793225000414/cbbb_424b4.htm
41. https://www.sec.gov/Archives/edgar/data/1477960/000147793225000304/cbbb_s1a.htm
42. https://www.sec.gov/Archives/edgar/data/1477960/000147793225000119/cbbb_s1.htm
43. https://www.sec.gov/Archives/edgar/data/6951/000000695125000024/amat-20250427.htm
44. https://www.sec.gov/Archives/edgar/data/866273/000086627324000092/mtrx-20240630.htm
45. https://ieeexplore.ieee.org/document/10440513/
46. https://vfast.org/journals/index.php/VTSE/article/view/1842
47. https://www.semanticscholar.org/paper/fe2c53467f61889a0b499cc9ed274f91d19545b9
48. http://jurnal.polinema.ac.id/index.php/jip/article/view/3977
49. https://irojournals.com/iroiip/article/view/5/2/8
50. https://ieeexplore.ieee.org/document/10850831/
51. https://arxiv.org/abs/2404.15854
52. https://www.semanticscholar.org/paper/7b9475866b8f88898bfe2dde4912d99527d21087
53. https://ieeexplore.ieee.org/document/9953623/
54. https://www.jumio.com/deepfake-detection-guide/
55. https://arxiv.org/pdf/2202.10673.pdf
56. https://www.idrnd.ai/anti-spoofing-for-authentication/
57. https://pubmed.ncbi.nlm.nih.gov/40218678/
58. https://www.sec.gov/Archives/edgar/data/1015739/000095017025038714/awre-20241231.htm
59. https://www.sec.gov/Archives/edgar/data/1019034/000143774924019357/bkyi20231231_10k.htm
60. https://ieeexplore.ieee.org/document/10571244/
61. https://ieeexplore.ieee.org/document/10437443/
62. https://ieeexplore.ieee.org/document/9861234/
63. https://ieeexplore.ieee.org/document/10000958/
64. https://ieeexplore.ieee.org/document/10870196/
65. https://www.hindawi.com/journals/wcmc/2022/6367579/
66. https://ieeexplore.ieee.org/document/9860313/
67. https://www.entrust.com/blog/2023/09/user-authentication-zero-trust
68. https://www.beyondidentity.com/resource/zero-trust-and-continuous-authentication-a-partnership-for-network-security
69. https://www.servicenow.com/community/platform-privacy-security-blog/announcing-zero-trust-continuous-authentication/ba-p/3210909
70. https://www.portnox.com/blog/zero-trust/continuous-authentication-a-game-changer-for-zero-trust/
71. https://faceonlive.com/biometric-authentication-trends-and-predictions-for-2025/
72. http://www.enggjournals.com/ijcse/doc/IJCSE17-09-08-001.pdf
73. https://www.atera.com/blog/best-biometric-security-device/
74. https://journal.esrgroups.org/jes/article/download/6643/4609/12253
75. https://link.springer.com/10.1007/s12198-024-00272-w
76. https://www.iproov.com/blog/deepfakes-threaten-remote-identity-verification-systems
77. https://sumsub.com/liveness/
78. https://link.springer.com/10.1007/978-3-031-37120-2_22
79. https://www.crowdstrike.com/en-us/cybersecurity-101/zero-trust-security/

A.R. Perez, Netlok, June 2025

To enhance their performance, bad actors favor methods that increase the breath of their attacks at the fastest speed possible. As a result, password theft has emerged as the preferred attack vector for cybercriminals, enabling them to compromise systems with unprecedented speed and scale. Unlike traditional hacking methods that require exploiting technical vulnerabilities, credential theft provides attackers with legitimate access that appears normal to security systems, creating a path of least resistance for rapid and extensive exploitation 1, 2. This analysis examines how stolen passwords accelerate and expand attack capabilities across multiple dimensions.

Accelerated Initial Compromise and Lateral Movement

Rapid Breakout Times

The speed at which attackers can move from initial access to broader network exploitation has dramatically increased due to credential theft. Recent research shows that the average “breakout time” – the period between initial compromise and lateral movement – has decreased to just 62 minutes in 2024, down from 84 minutes the previous year 3. In extreme cases, attackers achieved lateral movement in as little as 2 minutes and 7 seconds, with initial discovery tools being deployed within 31 seconds of gaining access 3.

Bypassing Technical Barriers

Password theft eliminates the need for complex technical exploits, allowing attackers to simply “log in” rather than “hack in” 2. This approach bypasses many traditional security controls, as the activity appears legitimate to monitoring systems 2, 4. When attackers use valid credentials, they can blend with normal traffic patterns, making detection extremely difficult and enabling faster movement throughout the network 4, 5.

Streamlined Lateral Movement

Stolen credentials enable several efficient lateral movement techniques:

1. Pass-the-Hash Attacks: Attackers steal password hashes and use them to authenticate to other systems without knowing the actual password, accelerating movement across the network 4, 6.
2. Pass-the-Ticket Attacks: Threat actors steal Kerberos tickets to authenticate to multiple systems, enabling rapid expansion of access without triggering security alerts 4, 7.
3. Credential Stuffing Automation: Automated tools test stolen credentials across multiple systems simultaneously, allowing attackers to quickly identify valid access points throughout the organization 8, 9.

These techniques enable attackers to move laterally through networks within minutes rather than hours or days, dramatically reducing the time from initial breach to full compromise 1, 2.

Automated Exploitation at Scale

Mass Credential Testing

Password theft enables attackers to automate exploitation at unprecedented scale through credential stuffing attacks. Using specialized tools, cybercriminals can test thousands or millions of stolen username/password combinations across multiple services simultaneously 8, 10. This automation allows a single attacker to target vast numbers of accounts across different organizations with minimal effort 8, 5.

Rapid Exploitation of Stolen Credentials

Research shows that stolen credentials are exploited with alarming speed. According to security researchers, approximately 20% of compromised accounts are accessed within one hour of credentials being exposed, 40% within six hours, and about half within 12 hours 11. This rapid exploitation timeline means organizations have very little time to respond once credentials are compromised 11.

Distributed Attack Infrastructure

Modern credential theft operations leverage sophisticated infrastructure to maximize speed and scale:

1. Proxy Networks: Attackers use rotating IP addresses and residential proxies to distribute authentication attempts across thousands of source addresses 8, 9.
2. Specialized Automation Tools: Purpose-built software like Sentry MBA, Snipr, and custom scripts enable high-volume credential testing while evading detection mechanisms 8, 10.
3. Browser Automation: Integration with frameworks like Puppeteer and Playwright allows attackers to simulate human behavior post-login, making detection even more difficult 8.

This infrastructure enables attackers to compromise thousands of accounts across multiple organizations in a matter of hours, far faster than would be possible with traditional exploitation methods 8, 5.

Multi-System Compromise Through Password Reuse

Exploiting Password Reuse Patterns

Password theft is particularly effective because of widespread password reuse. Recent studies of over 16 billion exposed passwords reveal that 94% are reused or duplicated across multiple accounts, with only 6% being unique 12. This behavior creates a multiplier effect where a single stolen password can provide access to numerous systems 13, 12.

Predictable Password Modifications

Even when users attempt to create variations of their passwords across different services, they typically follow predictable modification patterns that attackers can easily anticipate 9. Research shows that among users who modify their passwords, there is only a small set of common rules applied, making these variations highly predictable to attackers 9.

Cross-Domain Exploitation

Password reuse enables attackers to rapidly expand their reach across different security domains:

1. Personal to Professional: Credentials stolen from personal accounts can provide access to work systems when employees reuse passwords 13, 10.
2. Service to Service: Passwords reused across multiple cloud services enable rapid compromise of an organization’s entire cloud ecosystem 8, 10.
3. Organization to Organization: Credentials stolen from one company can provide access to partner organizations, enabling supply chain attacks 14.

This cross-domain exploitation dramatically increases the speed and breadth of attacks, allowing cybercriminals to quickly pivot from a single compromised account to dozens or hundreds of systems across multiple organizations 13, 10.

Bypassing Multi-Factor Authentication

Session Token Theft

Modern credential theft has evolved beyond simple password stealing to include techniques that bypass multi-factor authentication (MFA). Attackers now target session tokens and cookies, which allow them to hijack active authenticated sessions without needing to re-authenticate or trigger MFA challenges 15, 16.

Pass-the-Cookie Attacks

In these attacks, cybercriminals steal browser cookies that store authentication information and use them to impersonate legitimate users in separate browser sessions 15. This technique is particularly effective because it completely circumvents MFA, allowing attackers to access protected systems without triggering additional authentication steps 15, 17.

MFA Fatigue and Prompt Bombing

When direct MFA bypass isn’t possible, attackers use techniques like MFA fatigue, where they repeatedly trigger authentication prompts until frustrated users approve the request just to stop the notifications 17, 18. This social engineering approach accelerates compromise by exploiting human behavior rather than technical vulnerabilities 17, 19.

These MFA bypass techniques significantly accelerate attacks by eliminating what would otherwise be a major barrier to rapid exploitation, allowing attackers to move through protected systems at nearly the same speed as unprotected ones 17, 18.

Privilege Escalation and Administrative Access

Targeting Privileged Accounts

Password theft enables attackers to specifically target high-value accounts with administrative privileges. By compromising these accounts, attackers can rapidly gain control over entire systems or domains rather than having to gradually escalate privileges through technical exploits 20, 21.

Service Account Exploitation

Service accounts are particularly valuable targets because they often have extensive privileges across numerous systems but may not be subject to the same security controls as user accounts 20. By compromising these accounts, attackers can impersonate critical system functions and quickly gain broad access across the organization 20, 21.

Accelerated Administrative Control

The compromise of privileged credentials dramatically accelerates attacks by providing immediate high-level access. Instead of spending days or weeks gradually escalating privileges through technical vulnerabilities, attackers can gain administrative control within minutes by simply authenticating with stolen administrator credentials 20, 21.

This rapid privilege escalation enables attackers to quickly take control of critical systems, deploy malware across the organization, and establish persistent access before defenders can respond 20, 4.

Enabling Advanced Attack Techniques

Business Email Compromise

Password theft enables sophisticated Business Email Compromise (BEC) attacks, where attackers use compromised email accounts to impersonate executives or trusted partners 22. These attacks are particularly effective because they leverage the trust associated with legitimate email accounts, allowing attackers to quickly convince victims to transfer funds or sensitive information 22.

Supply Chain Attacks

Stolen credentials enable attackers to compromise software supply chains, as demonstrated by recent trojanized supply chain attacks that used GitHub and NPM repositories to distribute malicious code 14. By using legitimate credentials to access development environments, attackers can insert backdoors into software that is then distributed to thousands or millions of downstream users 14.

Ransomware Deployment

Password theft has become a critical enabler for ransomware attacks. With valid credentials, attackers can quickly move through networks, disable security controls, and deploy ransomware across multiple systems simultaneously 23. This accelerated deployment significantly reduces the time between initial compromise and complete encryption of an organization’s data 23.

These advanced techniques demonstrate how password theft enables attackers to not only move faster within individual systems but also to rapidly expand the scope and impact of their attacks across entire supply chains and business ecosystems 14, 22.

The Credential Theft Ecosystem

Specialized Attack Infrastructure

The credential theft ecosystem has evolved into a sophisticated supply chain with specialized roles that increase both speed and scale:

1. Malware developers create credential-stealing tools like information stealers 9, 23.
2. Distributors deploy the malware through phishing and other methods 9.
3. Data aggregators collect and organize the stolen credentials 9.
4. Initial access brokers sell verified credentials to other attackers 9, 23.

This specialization has increased the efficiency and effectiveness of credential theft operations, allowing cybercriminals to focus on their specific expertise while participating in the broader ecosystem 9, 23.

Infostealer Malware Proliferation

The dramatic rise of infostealer malware specifically targeting credentials has created a self-reinforcing cycle of compromise. Research indicates a 266% year-on-year increase in the deployment of information-stealing malware designed to extract passwords from browsers, password managers, and system files 23, 9.

Dark Web Marketplaces

The dark web marketplace for stolen credentials has reached unprecedented scale, with over 16 billion usernames and passwords from data breaches currently available 12, 10. This abundant supply enables attackers to quickly obtain valid credentials for almost any target organization, eliminating the need for time-consuming reconnaissance and vulnerability discovery 12, 10.

This ecosystem dramatically accelerates attacks by providing immediate access to valid credentials, allowing attackers to skip the most time-consuming phases of traditional attacks and move directly to exploitation 9, 10.

Conclusion: The Speed and Scale Advantage

Password theft has fundamentally changed the cybersecurity landscape by enabling attacks that are both faster and broader than traditional exploitation methods. By leveraging legitimate credentials, attackers can bypass security controls, move laterally through networks, and compromise multiple systems at unprecedented speed and scale 12.

The combination of automated tools, widespread password reuse, and sophisticated bypass techniques has created an environment where a single compromised password can lead to enterprise-wide compromise in a matter of hours rather than days or weeks 3, 11. This acceleration presents significant challenges for defenders, as the window for detection and response continues to shrink 32.

Organizations must recognize that traditional security models focused on perimeter defense are insufficient against credential-based attacks. Instead, a more comprehensive approach is needed that addresses both the technical and human aspects of security, including stronger authentication mechanisms, improved monitoring of user behavior, and enhanced security awareness training 5, 22.

As attackers continue to refine their credential theft techniques, the gap between the effort required to compromise systems through password theft versus technical exploits will likely widen further, making credential protection an increasingly critical component of effective cybersecurity strategies 5, 9.

One solution that prevents password exploitation is Netlok’s Photolok^Ò because it replaces passwords with photos and uses randomization to protect against AL/ML attacks. For users, it is simple to use, ultrasecure, and cost effective when compared to passwords.

1. https://zeronetworks.com/blog/how-to-prevent-lateral-movement-cybersecurity-risks-strategies
2. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/lateral-movement/
3. https://www.helpnetsecurity.com/2024/02/22/stolen-credentials-exploit/
4. https://www.sentinelone.com/cybersecurity-101/threat-intelligence/lateral-movement/
5. https://www.fortinet.com/resources/articles/credential-compromise-attacks
6. https://www.cybersecuritytribe.com/insider-threat
7. https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
8. https://www.paloaltonetworks.com/cyberpedia/credential-stuffing
9. https://www.exabeam.com/explainers/insider-threats/how-credential-attacks-work-and-5-defensive-measures/
10. https://datadome.co/guides/credential/compromised-attacks/
11. https://www.uzado.com/blog/how-fast-can-a-leaked-password-be-exploited-by-hackers/
12. https://cybernews.com/security/password-leak-study-unveils-2025-trends-reused-and-lazy/
13. https://tdx.maine.edu/TDClient/2624/Portal/KB/ArticleDet?ID=173096
14. https://areteir.com/article/trojanized-supply-chain-attack/
15. https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/
16. https://www.descope.com/learn/post/session-hijacking
17. https://www.menlosecurity.com/blog/the-art-of-mfa-bypass-how-attackers-regularly-beat-two-factor-authentication
18. https://www.tarlogic.com/blog/bypass-multi-factor-authentication-mfa/
19. https://abnormal.ai/glossary/mfa-bypass
20. https://www.ibm.com/think/topics/privilege-escalation
21. https://www.rapid7.com/fundamentals/lateral-movement/
22. https://spycloud.com/solutions/business-email-compromise/
23. https://www.picussecurity.com/resource/blog/understanding-katz-stealer-malware-and-its-credential-theft-capabilities
24. https://blog.lastpass.com/posts/lateral-movement
25. https://www.infosecinstitute.com/resources/hacking/popular-tools-for-brute-force-attacks/
26. https://spectralops.io/blog/top-10-security-automation-tools/
27. https://www.paloaltonetworks.com/blog/security-operations/automating-response-to-credential-dumping-attacks/
28. https://www.religroupinc.com/news-insights/password-automation-enhancing-security-in-government-contracting/
29. https://www.blinkops.com/blog/security-automation-tools
30. https://www.softwaresecured.com/post/top-10-credential-based-attacks
31. https://www.cisa.gov/MFA
32. https://www.fortinet.com/resources/cyberglossary/insider-threats
33. https://www.avatier.com/blog/the-role-of-password-management-in-preventing-insider-threats-in-gaming/
34. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/credential-theft/
35. https://www.proofpoint.com/us/threat-reference/insider-threat
36. https://www.okta.com/identity-101/data-exfiltration/
37. https://www.beyondtrust.com/resources/webinars/stopping-lateral-movement-why-privileged-password-management-should-be-the-center-of-your-it-security-strategy
38. https://www.puppet.com/blog/security-automation-tools
39. https://www.beyondidentity.com/resource/cybersecurity-mythbusters-does-mfa-stop-credential-theft
40. https://www.exabeam.com/explainers/insider-threats/insider-threats/

A.R. Perez, Netlok, June 24, 2025

Like most people and organizations, cybercriminals value their time and cost of doing business. As a result, they have increasingly shifted their tactics from complex technical exploits to credential theft to increase their ROI. This preference for “logging in” rather than “hacking in” represents a fundamental change in attack methodology that has profound implications for organizations and individuals alike 1, 2. The reasons behind this strategic shift are multifaceted, combining economic incentives, technical advantages, and human vulnerabilities.

The Path of Least Resistance

Cybercriminals, like most rational actors, seek the most efficient route to their objectives 3. Password theft has emerged as the definitive path of least resistance in the cybercrime ecosystem for several compelling reasons:

Lower Technical Barriers

Traditional hacking methods often require specialized technical knowledge, including understanding of software vulnerabilities, network protocols, and custom exploit development 4. In contrast, credential theft can be executed with minimal technical expertise using widely available tools 5. This accessibility has democratized cybercrime, allowing a broader range of threat actors to participate regardless of their technical background 6.

The commoditization of the underground economy has created multiple paths of lower resistance, with suppliers providing different services for various aspects of fraud operations6. These services significantly lower the cost of attacks and reduce the barrier to entry for aspiring cybercriminals 6, 7.

Higher Success Rates

IBM’s X-Force threat intelligence team reported a staggering 71% increase in attacks relying on valid login credentials in 2023 compared to the previous year 1, 8. This dramatic shift reflects the effectiveness of credential-based approaches compared to technical exploits 5. Charles Henderson, global head of IBM’s X-Force team, described this as “an aha moment on the part of threat actors in shifting to something that works” 5.

The success of credential theft is further amplified by human behavior patterns, particularly password reuse across multiple services 9. Research shows that 52% of users reuse or modify their passwords across different online services, creating a cascading vulnerability effect where a single breach can compromise multiple accounts 10.

Economic Advantages

Cost-Effectiveness

From a purely economic perspective, password theft offers cybercriminals an exceptional return on investment compared to technical hacking methods 5:

1. Lower operational costs: Credential theft requires minimal resources and can be executed using free or low-cost tools 5.
2. Reduced development expenses: Zero-day exploits have become increasingly expensive, with prices for iOS zero-days reaching $5-7 million and Android zero-days costing up to $5 million 11. This price inflation reflects the growing difficulty of finding and exploiting technical vulnerabilities as companies improve their security postures 11.
3. Scalability through automation: Password theft operations can be easily automated and scaled, allowing attackers to target thousands or even millions of accounts simultaneously 12. Credential stuffing attacks, which automatically try stolen username/password combinations across multiple services, have a success rate of 0.2-2.0%—seemingly low but highly profitable at scale 12.

Abundant Supply of Credentials

The dark web marketplace for stolen credentials has reached unprecedented scale, creating a self-sustaining ecosystem that fuels further attacks 13. Over 15 billion usernames and passwords from 100,000 data breaches are currently available on underground marketplaces 13. This number represents a 300% increase since 2018, equivalent to more than two compromised accounts for every person on Earth 13.

More recently, cybersecurity researchers confirmed that nearly 16 billion passwords were leaked and exposed in data breaches between 2024 and 2025, providing attackers with an enormous arsenal for conducting further attacks 9, 7.

Stealth and Detection Evasion

Blending with Legitimate Traffic

One of the most significant advantages of credential-based attacks is their ability to evade detection by security systems 5. When attackers use valid credentials, they can blend in with normal traffic patterns, making it extremely difficult for security tools to distinguish malicious activity from legitimate user behavior 25.

Traditional security measures such as firewalls and intrusion detection systems are designed to identify anomalous network activity or malicious code execution 2. However, when an attacker simply logs in with valid credentials, these systems often fail to detect the intrusion because the activity appears legitimate from a technical perspective 28.

Extended Dwell Time

The stealthy nature of credential-based attacks allows cybercriminals to maintain a persistent presence within compromised systems 5. According to IBM’s Cost of a Data Breach Report, breaches involving compromised credentials take significantly longer to detect and contain, averaging 292 days—the longest of any attack vector studied 14.

This extended dwell time provides attackers with ample opportunity to move laterally within networks, escalate privileges, and exfiltrate sensitive data without triggering security alerts 25. By the time the breach is discovered, the damage has often already been done 14.

Human Vulnerability Exploitation

Predictable Password Behaviors

Cybercriminals exploit fundamental human tendencies in password creation and management 9. Despite decades of cybersecurity education, password practices remain fundamentally flawed 9. Analysis of exposed passwords revealed that 94% were reused or duplicated across multiple accounts, with only 6% being unique 9.

The most commonly used passwords continue to be predictably weak, with “123456,” “admin,” “12345678,” “password,” and “Password” topping the list 9. Additionally, 42% of users rely on passwords with only 8-10 characters, with eight characters being the most popular length 9. These predictable patterns make password guessing attacks highly effective 9 15.

Password Modification Patterns

Even when users attempt to create variations of their passwords across different services, they typically follow predictable modification patterns that can be easily anticipated by attackers 10. Research shows that among a large user population, there is only a small set of rules that users often apply to modify their passwords 10. This “low variance” makes modified passwords highly predictable, with algorithms able to guess 30% of modified passwords within just 10 attempts 10.

The Cybercriminal Ecosystem

Specialized Roles and Services

The credential theft ecosystem has evolved into a sophisticated supply chain with specialized roles 16:

1. Malware developers who create credential-stealing tools
2. Distributors who deploy the malware through phishing and other methods
3. Data aggregators who collect and organize the stolen credentials
4. Initial access brokers who sell verified credentials to other attackers

This specialization has increased the efficiency and effectiveness of credential theft operations, allowing cybercriminals to focus on their specific expertise while participating in the broader ecosystem16.

Infostealer Malware Proliferation

A significant development in recent years is the dramatic rise of infostealer malware specifically targeting credentials 1. The X-Force team observed a 266% year-on-year uptick in the deployment of infostealing malware 8. These specialized tools extract passwords from browsers, password managers, and system files, then transmit them to command-and-control servers operated by cybercriminals 16, 8.

The proliferation of infostealers has created a self-reinforcing cycle where compromised credentials fuel further attacks 1. More than 23 million devices have been affected by infostealers, creating vast repositories of stolen login data that criminals can exploit 1.

Conclusion: The Shifting Cybersecurity Paradigm

The preference for password theft over direct hacking methods represents a fundamental shift in the cybersecurity landscape 2. As Charles Henderson of IBM noted, “What this establishes is that the criminals have figured out that valid credentials are the path of least resistance, and the easiest way in” 5.

This shift requires a corresponding evolution in defensive strategies 2. Organizations must recognize that traditional perimeter-based security models are insufficient against credential-based attacks 2. Instead, a more comprehensive approach is needed that addresses both the technical and human aspects of security, including stronger authentication mechanisms, improved monitoring of user behavior, and enhanced security awareness training 25.

One viable passwordless solution is Netlok’s Photolok^Ò MFA login because it replaces passwords with photos and uses randomization to protect against AL/ML attacks. For users, it is simple to use, ultrasecure, and cost effective when compared to passwords.

As attackers continue to refine their credential theft techniques, the gap between the effort required to compromise systems through password theft versus technical exploits will likely widen further 5 11. Understanding this dynamic is essential for developing effective security strategies that can adapt to the evolving threat landscape 5.

1. https://www.axios.com/2024/03/05/passwords-data-breaches-malware
2. https://www.linkedin.com/pulse/attackers-log-dont-hack-can-we-stop-them-hasmaath-k-parkar-6s1xf
3. https://www.cycognito.com/glossary/path-of-least-resistance.php
4. https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/gaining-access-techniques-implications-safeguards/
5. https://specopssoft.com/blog/credential-based-attacks-guide/
6. https://www.securityweek.com/path-least-resistance-beats-road-less-travelled/
7. https://www.forbes.com/sites/daveywinder/2025/05/16/millions-of-stolen-passwords-available-to-hackers-for-just-81-a-week/
8. https://www.techmonitor.ai/technology/cybersecurity/valid-user-credentials-ibm
9. https://www.linkedin.com/pulse/cracking-code-weaknesses-traditional-password-based-systems-mwema-lyuzf
10. https://people.cs.vt.edu/gangwang/pass.pdf
11. https://techcrunch.com/2024/04/06/price-of-zero-day-exploits-rises-as-companies-harden-products-against-hackers/
12. https://www.wiz.io/academy/credential-stuffing
13. https://hackread.com/dark-web-15-billion-credentials-100000-data-breaches/
14. https://www.varonis.com/blog/data-breach-statistics
15. https://www.eurecom.fr/en/publication/2910/download/rs-publi-2910_1.pdf
16. https://thrivenextgen.com/social-engineering-the-path-of-least-resistance/
17. https://www.darkreading.com/threat-intelligence/credential-theft-cybercriminals-favorite-target
18. https://elm.umaryland.edu/elm-stories/2025/Unveiling-the-Shadows-How-Cyber-Criminals-Steal-Your-Passwords.php
19. https://www.enzoic.com/blog/hackers-steal-passwords/
20. https://www.onsip.com/voip-resources/voip-fundamentals/cybersecurity-101-why-hackers-want-your-data-what-happens-to-it
21. https://www.paloaltonetworks.com/cyberpedia/what-is-a-credential-based-attack
22. https://www.memcyco.com/attack-vectors-in-2025/
23. https://www.beyondidentity.com/resource/cost-of-passwords-resets-breaches-and-more
24. https://www.beyondtrust.com/blog/entry/the-cyberattackers-path-of-least-resistance-is-shifting-heres-how-you-must-adapt
25. https://www.financierworldwide.com/cyber-crime-and-fs-blocking-the-path-of-least-resistance
26. https://news.sd.gov/news?id=news_kb_article_view&sysparm_article=KB0031629
27. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3514411
28. https://arcticwolf.com/resources/blog/four-ways-to-prevent-credential-theft-and-credential-based-attacks/
29. https://www.darkreading.com/cyber-risk/cybercriminals-swap-phishing-for-credential-abuse-vuln-exploits
30. https://users.ece.cmu.edu/~vsekar/Teaching/Spring25/18731/reading/Credentials.pdf
31. https://www.balbix.com/insights/attack-vectors-and-breach-methods/
32. https://aag-it.com/the-latest-cyber-crime-statistics/
33. https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/
34. https://securityboulevard.com/2022/01/how-to-automate-response-to-credential-compromises/
35. https://www.youtube.com/watch?v=vKPGZHoHX8k
36. https://logmeonce.com/resources/password-appearing-in-a-data-leak/
37. https://www.dashlane.com/blog/common-ways-hackers-steal-passwords
38. https://reliaquest.com/blog/the-credential-abuse-cycle-theft-trade-and-exploitation

• Photolok Home
• How It Works
• About Us
• Blog
• Contact Support
• Contact Sales & Marketing

Member – Insider GovTech

FOLLOW US ON SOCIAL MEDIA

Linkedin-in Youtube Facebook-f

©2015-2025 Netlok. All rights reserved.

Privacy Policy

Terms of Service