The 2022 Verizon Data Breach Investigations Report (DBIR), the fifteenth such report in as many years, leads off with a startling statistic: Credentials are the number one overall attack vector hackers use in data breaches. Use of stolen credentials accounts for nearly half the breaches studied by Verizon, far ahead of phishing and exploit vulnerabilities, which account for 19% and 8% of attacks, respectively. Botnets, the fourth most common entry path for hackers, represent a mere 1% of attacks.

Credentials are the number one attack vector in several categories of attack covered in the report. In cases of web application attacks, for example, Verizon research attributes over 80% of attacks attributed to stolen credentials—surpassing exploited vulnerabilities and brute force attacks, which occur in fewer than 20% of cases. Forty three percent of Business email compromise (BEC) involve the use of stolen credentials as the way into the target organization.