<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Zack Pediay</title>
    <description>The latest articles on DEV Community by Zack Pediay (@zack_pediay_848c35d437d65).</description>
    <link>https://dev.to/zack_pediay_848c35d437d65</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3135517%2Fcc32cdb2-e9d6-49ed-8056-39e9a52ace75.jpg</url>
      <title>DEV Community: Zack Pediay</title>
      <link>https://dev.to/zack_pediay_848c35d437d65</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/zack_pediay_848c35d437d65"/>
    <language>en</language>
    <item>
      <title>AI and the new era of credentials theft</title>
      <dc:creator>Zack Pediay</dc:creator>
      <pubDate>Thu, 08 May 2025 17:23:31 +0000</pubDate>
      <link>https://dev.to/zack_pediay_848c35d437d65/ai-and-the-new-era-of-credentials-theft-416o</link>
      <guid>https://dev.to/zack_pediay_848c35d437d65/ai-and-the-new-era-of-credentials-theft-416o</guid>
      <description>&lt;h2&gt;
  
  
  Summary
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Most breaches start with stolen credentials rather than advanced exploitation; around 80% of hacking-related breaches involve stolen or misused credentials.&lt;/li&gt;
&lt;li&gt;AI is making account takeover attacks faster, smarter, and harder to detect, even bypassing MFA.&lt;/li&gt;
&lt;li&gt;Traditional identity-based security isn’t enough; organizations need data-centric, zero-trust defenses.&lt;/li&gt;
&lt;li&gt;Human risk management tools like Polymer detect and contain compromised accounts before damage spreads.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Despite what Hollywood might suggest, most data breaches don’t involve elite hackers cracking firewalls with lines of code. In reality, all it often takes is one stolen password. Just look at the Samsung breach last month—hackers used compromised credentials to access the personal data of over 270,000 customers.&lt;/p&gt;

&lt;p&gt;This kind of incident isn’t rare. In fact, 80% of all hacking-related breaches involve stolen or misused credentials.&lt;/p&gt;

&lt;p&gt;And it’s only getting worse.&lt;/p&gt;

&lt;p&gt;So, what can you do to safeguard your organization before it’s too late? Let’s take a look. &lt;/p&gt;

&lt;h2&gt;
  
  
  Account takeover attacks: Why they’re so prevalent
&lt;/h2&gt;

&lt;p&gt;Account takeover attacks are a go-to method for cybercriminals, and it’s easy to see why. On the dark web, millions of stolen passwords are up for grabs, often coming from past data breaches or hacking attempts. The problem? Password reuse. Around 64% of people use the same password across multiple accounts. And even if they don’t reuse the exact same password, it’s often a variation, such as capitalizing the first letter, appending an exclamation mark or bumping a year. Rule-based cracking tools generate exactly those variants from the leaked original, so the “new” password adds almost no protection.&lt;/p&gt;

&lt;p&gt;Even those who take password security seriously aren’t immune. Phishing tactics and the sheer volume of data breaches each year mean that a “unique” password doesn’t stay safe for long. Once one account is compromised, it’s just a matter of time before hackers use those credentials to break into other accounts, especially if users are repeating variations of the same passwords across platforms.&lt;/p&gt;
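&lt;p&gt;Added example, not from the original post: a check that treats a “new” password as reused when it is only a trivial variant of one already in a breach dump. The BREACHED set, the candidate passwords and the substitution rules are constructed for illustration, and the function names (canonical, mangle, is_variant) are this example’s own. mangle() shows the attacker’s side, the handful of rules a cracking tool applies to a leaked base password; canonical() and is_variant() show the defender’s side, undoing those rules before comparing.&lt;/p&gt;

```python
"""Variant-aware reuse check for passwords (added example, constructed data)."""
import re

# Constructed sample of passwords already exposed in a breach dump.
BREACHED = {"summer2023", "welcome1", "p@ssw0rd", "123456"}

# Substitutions people apply when they "strengthen" a password...
LEET_OUT = str.maketrans("aseo", "@$30")
# ...and the inverse map used to undo them before comparing.
LEET_IN = str.maketrans("@$301!", "aseoli")


def canonical(pw: str) -> str:
    """Reduce a password to its core so trivial variants compare equal."""
    s = pw.lower()
    s = re.sub(r"[\W\d_]+$", "", s)   # drop trailing digits/symbols ("2024!", "1")
    s = re.sub(r"^[\W_]+", "", s)      # drop leading symbols ("!")
    s = s.translate(LEET_IN)           # undo leetspeak (p@ssw0rd -> password)
    # all-digit passwords would reduce to nothing; keep their digits instead
    return s or re.sub(r"[\W_]+$", "", pw.lower())


def mangle(base: str) -> set[str]:
    """Attacker-side view: the variants a rule-based cracker tries first."""
    suffixes = ["", "1", "123", "!", "!1", "2024", "2025"]
    stems = {base, base.capitalize(), base.upper(), base.translate(LEET_OUT)}
    return {stem + sfx for stem in stems for sfx in suffixes}


def is_variant(candidate: str, breached=BREACHED):
    """Return the breached password the candidate derives from, or None."""
    core = canonical(candidate)
    for leaked in breached:
        if canonical(leaked) == core:
            return leaked
    return None
```

&lt;p&gt;In a real deployment the comparison would run against a hashed corpus such as the Have I Been Pwned set rather than a plaintext list, and the rule set would be the one the password-cracking tools actually ship; the point is that a policy which only rejects exact matches lets every variant through.&lt;/p&gt;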

&lt;p&gt;And while multi-factor authentication (MFA) has become a widely adopted security measure to prevent attacks involving stolen credentials, it’s far from foolproof. Cybercriminals have already figured out ways to bypass MFA using social engineering tactics—just look at the Twilio and Uber incidents of 2022. At Twilio, employees received text messages linking to a look-alike login page that captured their passwords and one-time codes; at Uber, an attacker holding a contractor’s stolen password bombarded them with MFA push prompts and then posed as IT support to talk them into approving one. In both cases the second factor was defeated by exploiting people, not by breaking it technically.&lt;/p&gt;
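&lt;p&gt;The practical caveat behind the Twilio case is that any secret a user can type (a password, an SMS code, an authenticator-app code) can be relayed by a phishing page, whereas a FIDO2/WebAuthn assertion cannot, because the browser, not the page, writes the origin the user is actually on into the signed clientDataJSON. The added example below is not from the original post; it implements the relying-party checks on that structure (ceremony type, challenge, origin) as the WebAuthn specification describes them. The RP origin, the challenge and the sample payloads are constructed, and verifying the authenticator’s signature is left out, though the exact bytes it signs are returned so the binding is visible.&lt;/p&gt;

```python
"""Why a relayed one-time code works but a relayed WebAuthn assertion does not.

Added example with constructed data. Signature verification (over the bytes
signed_payload() returns) is what makes clientDataJSON tamper-proof.
"""
import base64
import hashlib
import json

# Assumed relying-party origin (hypothetical, not from the original post).
RP_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge_b64: str) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds during
    navigator.credentials.get(); the browser fills in origin, the page cannot."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": challenge_b64,
        "origin": origin,
        "crossOrigin": False,
    }).encode())


def verify_client_data(client_data_b64: str, expected_challenge_b64: str,
                       rp_origin: str = RP_ORIGIN):
    """Relying-party checks on clientDataJSON for an authentication assertion."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge_b64:
        return False, "challenge mismatch (stale or replayed assertion)"
    if data.get("origin") != rp_origin:
        return False, f"origin {data.get('origin')!r} is not {rp_origin!r}"
    return True, "ok"


def signed_payload(authenticator_data: bytes, client_data_b64: str) -> bytes:
    """Bytes the authenticator signs: authenticatorData followed by
    SHA-256(clientDataJSON). Since the origin sits inside clientDataJSON,
    a relaying site cannot rewrite it without invalidating the signature."""
    return authenticator_data + hashlib.sha256(b64url_decode(client_data_b64)).digest()


# Constructed sample: a 32-byte challenge the RP issued for one login attempt.
CHALLENGE = b64url_encode(bytes(range(32)))
LEGIT = make_client_data("https://login.example.com", CHALLENGE)
# An adversary-in-the-middle page relaying the same challenge from its own domain.
PHISHED = make_client_data("https://login-example.com", CHALLENGE)


def demo():
    return {
        "legit": verify_client_data(LEGIT, CHALLENGE),
        "phished": verify_client_data(PHISHED, CHALLENGE),
    }
```

&lt;p&gt;The relayed assertion fails on the origin check even though the user completed the ceremony correctly on the phishing page; that is the property a one-time code lacks, and it is why rolling out phishing-resistant factors does more against this class of attack than retraining people to spot look-alike domains.&lt;/p&gt;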

&lt;p&gt;But this is just the beginning. With the rise of artificial intelligence, the scale and sophistication of these attacks are set to increase dramatically. &lt;/p&gt;

&lt;h2&gt;
  
  
  A new threat: AI-enabled credentials compromise
&lt;/h2&gt;

&lt;p&gt;AI is making account takeover attacks faster, smarter, and more dangerous than ever before. Cybercriminals are no longer relying on simple password guessing or basic social engineering. They’ve got a powerful new tool in their arsenal. &lt;/p&gt;

&lt;p&gt;Here’s how attackers are leveraging AI to facilitate almost undetectable account takeover attacks: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Credentials theft: Hackers buy stolen usernames and passwords from the dark web or mine old breaches, then test them against other services, a technique known as credential stuffing. Off-the-shelf tools have automated this for years; AI agents lower the skill needed further, checking stolen credentials against hundreds, even thousands, of sites and apps in seconds. &lt;/li&gt;
&lt;li&gt;Password cracking: If passwords are weak, AI can accelerate the cracking process. Models trained on leaked password corpora learn the patterns people actually use (which words, and where the digits and symbols go) and emit candidate guesses in order of likelihood, so weak passwords fall far faster than under exhaustive brute force. &lt;/li&gt;
&lt;li&gt;Targeted phishing scams: Cybercriminals can use AI to launch large-scale, hyper-targeted phishing campaigns—creating emails that are eerily convincing and personalized. These emails often lead to adversary-in-the-middle phishing sites that proxy the real login page, capturing the password and the one-time code and replaying both to the legitimate service before the code expires. Even with MFA in place, employees can be tricked into entering their second-factor codes, allowing attackers to bypass that extra layer of security; only phishing-resistant factors such as FIDO2/WebAuthn, which bind the credential to the real site’s origin, hold up against this.&lt;/li&gt;
&lt;li&gt;Business email compromise: Once an attacker has compromised an account, AI helps them continue their deception. By using natural language processing (NLP), AI can analyze an individual’s unique communication style. Armed with a convincing digital impersonation, attackers can escalate the attack—sending eerily convincing fraudulent emails and messages to other employees, requesting data, money, or access to other secure systems.&lt;/li&gt;
&lt;/ul&gt;
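&lt;p&gt;Added example, not from the original post: the defender’s side of the credential stuffing item above, a detector run over a constructed sample of login records. The log format, the IP addresses (drawn from the RFC 5737 test ranges), the usernames and the thresholds are assumptions for illustration. The signature it looks for is the one stuffing leaves regardless of how the attempts were generated: one source trying many distinct usernames in a short window with almost all of them failing, occasionally followed by a success, which is the account that has just been taken over.&lt;/p&gt;

```python
"""Credential-stuffing detector over auth log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 walks a leaked username:password list;
# 198.51.100.4 is an ordinary user who mistyped once and then logged in.
SAMPLE_LOG = """\
2025-05-08T17:20:01Z auth fail user=alice ip=203.0.113.7
2025-05-08T17:20:02Z auth fail user=bob ip=203.0.113.7
2025-05-08T17:20:03Z auth fail user=carol ip=203.0.113.7
2025-05-08T17:20:04Z auth fail user=dave ip=203.0.113.7
2025-05-08T17:20:05Z auth fail user=erin ip=203.0.113.7
2025-05-08T17:20:06Z auth fail user=frank ip=203.0.113.7
2025-05-08T17:20:07Z auth fail user=heidi ip=203.0.113.7
2025-05-08T17:20:08Z auth fail user=ivan ip=203.0.113.7
2025-05-08T17:20:09Z auth ok user=grace ip=203.0.113.7
2025-05-08T17:21:00Z auth fail user=mallory ip=198.51.100.4
2025-05-08T17:21:08Z auth ok user=mallory ip=198.51.100.4
"""


def parse(text):
    """Parse 'ts auth ok|fail user=... ip=...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "auth":
            continue  # not an auth record in the assumed format
        ts, _, result, user_kv, ip_kv = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "ok",
            "user": user_kv.split("=", 1)[1],
            "ip": ip_kv.split("=", 1)[1],
        })
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Flag a source IP that tries many distinct usernames, mostly failing,
    inside one sliding window; list any accounts it nevertheless got into."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                cand = {"ip": ip, "distinct_users": len(users), "attempts": len(span),
                        "failures": fails,
                        "compromised": sorted(e["user"] for e in span if e["ok"])}
                if best is None or cand["attempts"] > best["attempts"]:
                    best = cand     # keep the widest qualifying window per IP
        if best:
            findings.append(best)
    return findings
```

&lt;p&gt;A per-IP rule like this is the cheap first layer, not the whole answer: stuffing tools rotate through residential proxies, so the same campaign can arrive as one or two attempts per address. The complementary signals are per-account (one username failing from many addresses) and preventive (rejecting passwords that appear in breach corpora, which is what the stuffed list is built from), and the “compromised” field is the hand-off to the containment step discussed later in this article.&lt;/p&gt;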

&lt;h2&gt;
  
  
  From identity-centric security to data-centric security
&lt;/h2&gt;

&lt;p&gt;As AI enhances the effectiveness of account takeover attacks, organizations must transition from relying on identity-based security to adopting a data-centric approach. This shift means moving away from the assumption that users granted network access can be trusted by default. Instead, companies must fully embrace a zero-trust mindset, continuously verifying and monitoring user behavior and data access to detect and prevent risky actions.&lt;/p&gt;

&lt;p&gt;It may sound bleak to acknowledge that account takeover attacks are inevitable, but that’s the reality we face. Even before AI, attackers have consistently found ways to bypass multi-factor authentication and infiltrate user accounts. The key is to accept that these attacks will happen and ensure you have the right tools in place to stop compromised accounts from causing serious damage. &lt;/p&gt;

&lt;h2&gt;
  
  
  Enter: Human risk management
&lt;/h2&gt;

&lt;p&gt;This is where human risk management (HRM) solutions come into play. HRM tools are designed to identify, measure, and mitigate insider threats—including compromised accounts. They achieve this by constantly monitoring user interactions with sensitive data across platforms, looking for risky behaviors like unusual download attempts or deviations from normal access patterns.&lt;/p&gt;

&lt;p&gt;The best HRM tools go beyond detection and move into action, integrating data security posture management controls to enforce security when a compromised account is detected. These tools apply zero-trust principles to redact sensitive data, restrict access, and immediately flag the security team for investigation. &lt;/p&gt;

&lt;h2&gt;
  
  
  The bottom line
&lt;/h2&gt;

&lt;p&gt;AI is changing the security landscape—and not in organizations’ favor. Credential-based attacks are getting faster, smarter, and more convincing by the day. Traditional identity and perimeter controls aren’t enough.&lt;/p&gt;

&lt;p&gt;To protect against the next wave of breaches, organizations need to assume that account compromise is inevitable—and focus on mitigating the damage when it happens.&lt;/p&gt;

&lt;p&gt;Human risk management and data-centric security are your best defense—and &lt;a href="https://www.polymerhq.io/" rel="noopener noreferrer"&gt;Polymer&lt;/a&gt; has both. Request a demo to see how Polymer can protect your organization from the next-generation of account takeover attacks.&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>ai</category>
    </item>
    <item>
      <title>Security training is failing. Here’s what really works.</title>
      <dc:creator>Zack Pediay</dc:creator>
      <pubDate>Wed, 07 May 2025 23:12:48 +0000</pubDate>
      <link>https://dev.to/zack_pediay_848c35d437d65/security-training-is-failing-heres-what-really-works-476c</link>
      <guid>https://dev.to/zack_pediay_848c35d437d65/security-training-is-failing-heres-what-really-works-476c</guid>
      <description>&lt;h2&gt;
  
  
  Summary
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Traditional security training isn’t working—60% of breaches still involve human error.&lt;/li&gt;
&lt;li&gt;One-size-fits-all programs fail to engage, adapt, or reflect how people actually work.&lt;/li&gt;
&lt;li&gt;Human risk management replaces static training with real-time behavior tracking and smart nudges.&lt;/li&gt;
&lt;li&gt;HRM helps build lasting security habits—reducing risk and empowering users in the workflow.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Companies are pouring more money than ever into training their people to spot and stop cyber threats. But despite the investment, one stubborn issue won’t go away: humans are still behind the vast majority of data breaches.&lt;/p&gt;

&lt;p&gt;Even with security awareness training becoming the norm, the numbers show it is having little impact—60% of breaches still involve human error. &lt;/p&gt;

&lt;p&gt;So what gives?&lt;/p&gt;

&lt;p&gt;The truth is, traditional training isn’t cutting it. Clicking through a few slides or watching a bi-monthly phishing video won’t rewire risky behavior. Organizations need a new strategy—one that reduces human error once and for all. &lt;/p&gt;

&lt;h2&gt;
  
  
  The problem with traditional security training
&lt;/h2&gt;

&lt;p&gt;Despite best intentions, most employee training programs fall short—leaving employees unprepared and businesses exposed.&lt;/p&gt;

&lt;p&gt;Here’s why. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Not built for retention.&lt;/strong&gt; Learning new behaviors takes repetition, but many programs are delivered infrequently or as a one-time event. As Harvard Business Review notes, employees retain just 10% of what they learn in a single session. Without consistent reinforcement, the message fades fast. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fails to engage.&lt;/strong&gt; Long, outdated, and often irrelevant—security training is too often seen as a checkbox exercise. It’s no surprise that one in five employees chooses to skip it. If the experience doesn’t feel relevant or useful, it simply won’t stick.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Treats everyone the same.&lt;/strong&gt; A one-size-fits-all approach doesn’t reflect how people work. Different roles carry different levels of access and risk. When training isn’t tailored to an employee’s responsibilities, it creates confusion, fatigue, and critical knowledge gaps.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Places the burden on users.&lt;/strong&gt; Modern threats are more advanced than ever. Phishing emails are nearly indistinguishable from the real thing. AI-generated content can mimic human behavior with alarming accuracy. All of this means expecting users to detect and stop threats without better tools or context is simply unfair.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Overlooks compromised credentials.&lt;/strong&gt; Insider threat includes hijacked accounts, not only careless or malicious employees, yet most training programs do nothing to monitor for signs that a user’s credentials have been compromised. &lt;/p&gt;

&lt;h2&gt;
  
  
  Human risk management: the solution for the AI era
&lt;/h2&gt;

&lt;p&gt;Traditional security training no longer meets the demands of today’s threat landscape. One-off workshops and compliance checklists can’t keep pace with the speed of AI-generated attacks, the complexity of modern SaaS environments, and the everyday realities of how people work.&lt;/p&gt;

&lt;p&gt;Organizations need a more adaptive, intelligence-driven approach—one that moves beyond awareness and toward actionable behavior change. That’s where human risk management (HRM) comes in.&lt;/p&gt;

&lt;p&gt;HRM redefines how we think about user risk. It replaces static, compliance-focused programs with a dynamic model built on real-time behavioral insights and timely nudges to guide users toward safer decisions as they go about their work. &lt;/p&gt;

&lt;h2&gt;
  
  
  Here’s how HRM works in practice:
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Establish user baselines.&lt;/strong&gt; The first step in managing human risk is understanding what normal looks like. HRM establishes behavioral baselines for every user—tracking patterns in how they access data, which systems they use, and how they interact with sensitive information.&lt;/p&gt;
&lt;p&gt;This allows organizations to detect subtle anomalies that may indicate risk—such as an employee suddenly downloading large volumes of data or accessing tools at unusual hours. These deviations are then flagged automatically, enabling early intervention before a potential incident escalates.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Nudge users towards secure decisions.&lt;/strong&gt; HRM goes beyond just identifying risky behavior—it actively guides users toward safer actions in real time. Instead of relying on blanket training or generic warnings, HRM delivers contextual nudges—short, relevant prompts that help employees make better choices without interrupting their workflow.&lt;/p&gt;
&lt;p&gt;For example, if a user is about to share a sensitive file with an external party, HRM can deliver a discreet, well-timed message encouraging them to pause and reconsider. Or if someone changes access permissions on a shared folder, HRM can redact the data, notify the user, and deliver targeted, in-the-moment guidance to prevent future mistakes.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Make security a habit.&lt;/strong&gt; Security training doesn’t stick when it’s delivered once. What works is continuous, contextual learning—the kind that meets employees in the moment. That’s exactly what HRM delivers. It brings training to life through micro-learning moments that are relevant to what users are actually doing. If someone mishandles a sensitive document or violates a compliance rule, HRM doesn’t just log it—it turns it into a learning moment and reinforces the right habits over time.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Equip security teams with data-driven insights.&lt;/strong&gt; Most training programs are designed to satisfy regulators. But HRM is built to reduce actual risk. That means going beyond completion rates and quizzes to look at real human behavior, analyzing whether:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Users follow data protection protocols more reliably&lt;/li&gt;
&lt;li&gt;The number of risky actions drops over time&lt;/li&gt;
&lt;li&gt;Nudges translate into long-term habits&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;HRM then assigns individual risk scores to users based on AI analysis, helping security teams see who’s improving and who might need more support.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Build a culture of security.&lt;/strong&gt; Employees aren’t the weakest link—they’re your frontline. HRM treats them as such, giving them the tools, confidence, and context to make secure decisions. Positive actions are recognized, reinforcing the idea that security is everyone’s job—and that it’s something they’re empowered to do well.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;
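&lt;p&gt;Added example, not the page’s or Polymer’s code: a compact version of the baseline-then-respond loop the steps above describe, run on constructed data. It builds a per-user baseline of download volume and working hours (step 1), scores a new event on how far it departs from that baseline, and maps the score to a contextual nudge or to the redact, restrict and alert response the first article attaches to a suspected compromised account. The history, the user names, the z-score and hour thresholds, and the action labels are assumptions for illustration.&lt;/p&gt;

```python
"""Per-user behavioral baseline and graded response (added example, constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, ISO timestamp, bytes downloaded). Not real data.
HISTORY = [
    ("alice", "2025-04-01T09:15:00", 1_500_000),
    ("alice", "2025-04-01T14:40:00", 2_100_000),
    ("alice", "2025-04-02T10:05:00", 1_800_000),
    ("alice", "2025-04-02T16:30:00", 2_400_000),
    ("alice", "2025-04-03T11:20:00", 1_900_000),
    ("alice", "2025-04-03T15:10:00", 2_200_000),
    ("alice", "2025-04-04T13:00:00", 1_700_000),
    ("alice", "2025-04-04T17:45:00", 2_000_000),
]


def build_baselines(history):
    """Step 1: per-user normal download volume and the hours they usually work."""
    per_user = defaultdict(lambda: {"bytes": [], "hours": set()})
    for user, ts, nbytes in history:
        per_user[user]["bytes"].append(nbytes)
        per_user[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return {
        user: {
            "mean": statistics.fmean(d["bytes"]),
            "stdev": statistics.pstdev(d["bytes"]) or 1.0,  # avoid division by zero
            "hours": d["hours"],
        }
        for user, d in per_user.items()
    }


def evaluate(baselines, user, ts, nbytes, external_recipient=False):
    """Score one event against the user's baseline and choose the response."""
    if user not in baselines:
        # No history yet: do not block, but do not silently trust either.
        return {"score": 1, "action": "nudge", "reasons": ["no baseline yet"]}
    b = baselines[user]
    reasons = []
    z = (nbytes - b["mean"]) / b["stdev"]
    if z > 3:
        reasons.append(f"volume z-score {z:.1f}")
    hour = datetime.fromisoformat(ts).hour
    if hour not in b["hours"]:
        reasons.append(f"off-hours activity at {hour:02d}:00")
    if external_recipient:
        reasons.append("share to external recipient")
    score = len(reasons)
    if score == 0:
        action = "allow"
    elif score == 1:
        action = "nudge"                   # in-the-moment prompt, user keeps working
    else:
        action = "redact+restrict+alert"   # treat as possible takeover: contain, page the SOC
    return {"score": score, "action": action, "reasons": reasons}
```

&lt;p&gt;The thresholds are deliberately simple; a production system would also baseline which repositories and recipients are normal for the user, decay old history, and feed the outcome of each nudge back into the per-user risk score the text mentions. What the example preserves is the shape of the decision: a single weak signal earns guidance, while several at once are handled as if the account were no longer the user’s.&lt;/p&gt;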

&lt;p&gt;This is your nudge to level up your security awareness program. &lt;a href="https://www.polymerhq.io/request-demo/" rel="noopener noreferrer"&gt;Request a demo&lt;/a&gt; to see how Polymer’s human risk management solution can help you transform employees from your biggest risk to your first line of defence. &lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
