67% of Breaches Start With a Stolen Login — Not a Hacked System: What Your Business Can Do Today

TL;DR

  • Two-thirds of all cyberattacks in 2025 started with a stolen or compromised login — not a software vulnerability [1].
  • Once attackers have one login, they reach your core identity systems in under 4 hours on average [1].
  • 88% of ransomware is deployed after hours — while your team is offline [1].
  • 59% of breached organisations had no working MFA — a fix that costs almost nothing [1].
  • The good news: these attacks are predictable and preventable with three specific controls.

The narrative around cyberattacks is stuck in the wrong decade. We picture sophisticated hackers exploiting secret software flaws, but the Sophos 2026 Active Adversary Report tells a different story. Analysing 661 real incident response cases across 70 countries, Sophos found that 67% of all attacks in 2025 began with identity compromise — stolen passwords, brute-forced credentials, and phishing [1]. Not zero-days. Not nation-state malware. Just someone else's login.

This is not a technical problem. It's a process problem. And that means it's solvable.

Why Are Attackers Going After Logins Instead of Software?

The shift makes perfect economic sense for attackers. Exploiting a software vulnerability requires finding one, developing a working exploit, and bypassing patch controls. Buying a stolen password from a dark-web marketplace costs as little as $5 [3]. The Darktrace Annual Threat Report 2026 confirms this trend: across the Americas, nearly 70% of incidents began with stolen or misused accounts, as cloud and SaaS adoption have expanded the number of login-based entry points into every organisation [2].

"Traditional perimeter defenses were built for a world where attackers had to break in," Nathaniel Jones, VP of Security and AI Strategy at Darktrace, explained in the report. "Today they simply log in." [2]

This is why your firewall can't fully protect you. It is designed to block unauthorised traffic — not authorised users behaving maliciously. When an attacker logs in with real credentials, they look like a legitimate employee.

How Fast Can an Attack Unfold?

The Sophos data reveals a timeline that should inform how every SMB structures its monitoring. After gaining initial access, attackers reached Active Directory — the core of most Windows business environments, controlling every account, permission, and login policy — in a median of 3.4 hours [1]. Total dwell time before detection averaged three days [1].

Three days is enough time to map your network, steal your data, and position ransomware. Three hours is not enough time for most small businesses to notice anything unusual.

The timing of attacks is also deliberate. 88% of ransomware payloads are deployed outside standard business hours [1]. Friday evenings, public holidays, the early hours of Sunday morning — when your team isn't watching. This is not coincidence. It's strategy. Attackers know that response times stretch out after hours, giving them more operational space.

Similarly, 79% of data exfiltration — the actual theft of files and records — also happens off hours [1].
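The timing pattern above is exactly what an after-hours identity alerting rule is built to catch. The following Python is an added example, not code from this article or from Sophos or Darktrace: it runs four simple rules over a handful of constructed sign-in and audit records (the events, accounts, baseline countries and the UTC Monday-to-Friday business hours are all assumptions) and flags off-hours sign-ins, sign-ins from a country the account has never used, off-hours privileged role changes, and bursts of failed sign-ins.

```python
"""Flag the identity events the timing data says matter most: off-hours
sign-ins, unfamiliar-country sign-ins, off-hours privileged changes and
bursts of failed sign-ins (password guessing)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions for this example: the business works Monday-Friday 08:00-17:59
# and its local time is UTC. Change LOCAL_TZ to your own offset.
BUSINESS_DAYS = {0, 1, 2, 3, 4}       # Monday = 0 ... Friday = 4
BUSINESS_HOURS = range(8, 18)
LOCAL_TZ = timezone.utc

# Constructed baseline: countries each account normally signs in from.
# A real deployment would learn this from a few weeks of sign-in history.
KNOWN_COUNTRIES = {
    "alice@example.com": {"GB"},
    "bob@example.com": {"GB"},
    "carol@example.com": {"GB"},
}

# Constructed sample records in a generic, product-neutral shape
# (UTC timestamp, account, event type, source country, outcome).
SAMPLE_EVENTS = [
    {"ts": "2026-02-20T09:12:00Z", "user": "alice@example.com", "event": "signin", "country": "GB", "ok": True},
    {"ts": "2026-02-20T22:47:00Z", "user": "alice@example.com", "event": "signin", "country": "GB", "ok": True},
    {"ts": "2026-02-21T02:15:00Z", "user": "bob@example.com", "event": "signin", "country": "RO", "ok": True},
    {"ts": "2026-02-21T02:20:00Z", "user": "bob@example.com", "event": "role_change", "country": "RO", "ok": True},
    {"ts": "2026-02-23T10:05:00Z", "user": "carol@example.com", "event": "signin", "country": "GB", "ok": False},
    {"ts": "2026-02-23T10:05:30Z", "user": "carol@example.com", "event": "signin", "country": "GB", "ok": False},
    {"ts": "2026-02-23T10:06:10Z", "user": "carol@example.com", "event": "signin", "country": "GB", "ok": False},
    {"ts": "2026-02-23T10:07:00Z", "user": "carol@example.com", "event": "signin", "country": "GB", "ok": True},
]


@dataclass(frozen=True)
class Alert:
    severity: str   # "critical" > "high" > "medium"
    user: str
    rule: str
    ts: str


def _local(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' and convert to local time."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(LOCAL_TZ)


def is_off_hours(ts: str) -> bool:
    """True when the event falls outside the configured business hours."""
    local = _local(ts)
    return local.weekday() not in BUSINESS_DAYS or local.hour not in BUSINESS_HOURS


def detect(events, fail_threshold=3, fail_window=timedelta(minutes=10)):
    """Run the four rules over a list of events and return the alerts raised."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> times of recent failed sign-ins
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]

        if ev["event"] == "signin" and not ev["ok"]:
            # Rule 4: N failures within the window for one account (alert once per burst).
            now = _local(ts)
            window = [t for t in recent_failures[user] if now - t <= fail_window] + [now]
            recent_failures[user] = window
            if len(window) == fail_threshold:
                alerts.append(Alert("medium", user, "repeated failed sign-ins (possible password guessing)", ts))
            continue

        if ev["event"] == "signin":
            # Rule 1: a successful sign-in outside business hours.
            if is_off_hours(ts):
                alerts.append(Alert("medium", user, "off-hours sign-in", ts))
            # Rule 2: a successful sign-in from a country never seen for this account.
            if ev["country"] not in KNOWN_COUNTRIES.get(user, set()):
                alerts.append(Alert("high", user, "sign-in from unfamiliar country", ts))
        elif ev["event"] == "role_change":
            # Rule 3: privilege changes always alert; off-hours ones are critical.
            sev = "critical" if is_off_hours(ts) else "medium"
            alerts.append(Alert(sev, user, "privileged role change", ts))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.ts} {a.user}: {a.rule}")
```

On the sample data this raises five alerts: Alice's Friday-night sign-in, Bob's Saturday 2am sign-in from an unfamiliar country (two alerts) followed by a critical off-hours role change, and Carol's burst of failed sign-ins. Commercial tools do the same thing with richer baselines; the point is that the rule set is small and the signal is mostly about when and from where a legitimate-looking login happens, not about malware.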


The MFA Gap That's Leaving the Door Open

Here's the statistic that keeps security professionals up at night: 59% of breached organisations had no MFA, or had MFA that was so poorly configured it provided no real protection [1].

Multi-factor authentication requires a second form of identity verification — typically a code from an app on your phone — whenever someone logs in. It is the single most effective control against credential-based attacks, because even if an attacker has your password, they cannot log in without your phone.

It is also one of the cheapest security controls available. Microsoft Authenticator, Google Authenticator, and Duo Security all offer free or low-cost tiers that work with most business systems. Microsoft's own research suggests MFA blocks more than 99% of automated credential attacks [4].

Yet more than half of businesses that suffered a breach in 2025 had not deployed it.

What About All Those Software Vulnerabilities?

The Forum of Incident Response and Security Teams (FIRST) forecasts that 2026 will see more than 50,000 new CVEs (Common Vulnerabilities and Exposures) published — potentially the first year to cross that threshold [5]. That sounds alarming. But the Sophos data puts it in context: brute-force attacks (15.6%) are now nearly as common as vulnerability exploitation (16%) as the method of initial access [1].

This does not mean patching doesn't matter — it absolutely does, especially for critical vulnerabilities like the recently disclosed CVE-2026-20127, a CVSS 10.0 flaw in Cisco Catalyst SD-WAN that has been actively exploited since 2023 [6]. But it means that identity security is now equally important as patch management, and many businesses focus almost exclusively on the latter.

The most effective posture addresses both: keep systems patched and lock down your identities.

The Ransomware Picture in 2026: Fewer Payments, More Attacks

The Chainalysis 2026 Crypto Crime Report adds important context. Ransomware payments fell to approximately $820 million in 2025 — down 8% year-on-year — as fewer victims chose to pay [7]. The share of victims who paid a ransom hit an all-time low of 28% [7]. That is genuinely encouraging.

But the number of attacks did not fall. It grew. Claimed ransomware victims on dark-web leak sites increased by 50% year-on-year in 2025, with more than 8,000 organisations publicly named [7][8]. The median ransom demand jumped from $12,738 in 2024 to $59,556 in 2025 [7].

More attacks, higher demands, fewer payments. Attackers are compensating for reduced payouts by attacking more targets — and smaller, less-defended businesses are increasingly in the crosshairs. Professional services, manufacturing, and financial services are among the most targeted sectors [7].


The Three Controls That Stop Identity Attacks

The Sophos report is unambiguous: these attacks exploit known, preventable weaknesses. Here are the three controls that address the majority of what the data shows:

1. Deploy MFA on every external-facing login. This means your email (Microsoft 365, Google Workspace), VPN, remote desktop, and any cloud application your team uses. If a system supports MFA and you haven't turned it on, it is your highest-priority action. According to Microsoft, MFA prevents more than 99.9% of account compromise attacks [4].

2. Implement identity monitoring for after-hours activity. Since 88% of ransomware deploys outside business hours, alerting on logins and changes that occur during off-hours dramatically shortens your detection window. Modern security tools — including Microsoft Sentinel, Sophos MDR, and Darktrace — can do this automatically. For SMBs without a dedicated security team, a managed detection and response (MDR) provider covers this monitoring continuously [2].

3. Audit and limit privileged access. Attackers race to Active Directory because it holds the keys to everything. Applying the principle of least privilege — ensuring every user account has only the access it needs — limits how much damage a single compromised credential can do. Review who has admin rights in your organisation today. Most businesses find accounts with admin access that were never meant to have it.
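Controls 1 and 3 reduce to an inventory question: which enabled accounts lack MFA, and which hold admin roles they were never approved for or no longer use. The Python below is an added example, not this article's or any vendor's code. The account records, role names, the approved-admin list, the audit date and the 90-day dormancy threshold are constructed assumptions; the script returns a prioritised fix list with unprotected admin accounts first.

```python
"""Audit an account inventory for the two gaps the report highlights:
MFA not enrolled, and more privilege than the business signed off on."""
from dataclasses import dataclass, field
from datetime import date

# Constructed inventory in the shape of a flattened admin-portal export.
# Sample values only: "roles" holds admin roles, "mfa" is whether a second
# factor is registered, "last_signin" is an ISO date or None.
ACCOUNTS = [
    {"user": "alice@example.com", "roles": ["Global Administrator"], "mfa": True, "last_signin": "2026-02-20", "enabled": True},
    {"user": "bob@example.com", "roles": ["Global Administrator"], "mfa": False, "last_signin": "2026-02-19", "enabled": True},
    {"user": "carol@example.com", "roles": [], "mfa": False, "last_signin": "2026-02-20", "enabled": True},
    {"user": "dave@example.com", "roles": ["Exchange Administrator"], "mfa": True, "last_signin": "2025-10-01", "enabled": True},
    {"user": "svc-backup@example.com", "roles": ["Global Administrator"], "mfa": False, "last_signin": None, "enabled": True},
    {"user": "erin@example.com", "roles": [], "mfa": True, "last_signin": "2026-02-18", "enabled": False},
]

# Assumption: the business keeps a short, signed-off list of who may hold admin roles.
APPROVED_ADMINS = {"alice@example.com"}


@dataclass
class AuditReport:
    admins_without_mfa: list = field(default_factory=list)   # fix these first
    users_without_mfa: list = field(default_factory=list)
    unapproved_admins: list = field(default_factory=list)
    dormant_admins: list = field(default_factory=list)

    def priority_actions(self):
        """Ordered to-do list: privileged gaps first, then everything else."""
        actions = [(u, "enforce MFA on admin account") for u in self.admins_without_mfa]
        actions += [(u, "remove admin role (not approved)") for u in self.unapproved_admins]
        actions += [(u, "disable or re-justify dormant admin") for u in self.dormant_admins]
        actions += [(u, "enrol MFA") for u in self.users_without_mfa]
        return actions


def audit(accounts, approved_admins, as_of="2026-02-24", dormant_days=90):
    """Classify every enabled account; as_of is the audit date as an ISO string."""
    today = date.fromisoformat(as_of)
    report = AuditReport()
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # disabled accounts cannot sign in
        user = acct["user"]
        is_admin = bool(acct["roles"])
        if not acct["mfa"]:
            (report.admins_without_mfa if is_admin else report.users_without_mfa).append(user)
        if is_admin:
            if user not in approved_admins:
                report.unapproved_admins.append(user)
            last = acct["last_signin"]
            # Never signed in, or not for longer than the dormancy threshold.
            if last is None or (today - date.fromisoformat(last)).days > dormant_days:
                report.dormant_admins.append(user)
    return report


if __name__ == "__main__":
    for user, action in audit(ACCOUNTS, APPROVED_ADMINS).priority_actions():
        print(f"{user}: {action}")
```

Run against the sample inventory, the report lists two admin accounts with no MFA, three admin accounts nobody approved (one of them a service account that has never signed in), and one dormant admin. Exporting the same four fields from your own admin portal and feeding them in is usually enough to find the accounts the text warns about.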

How Does This Affect Your Business Specifically?

If your business uses Microsoft 365, Google Workspace, Xero, Salesforce, or any cloud software — and most SMBs do — your login credentials are a viable attack path. You do not need to be running a data centre or an enterprise network to be at risk. The Darktrace report specifically notes that the expansion of cloud and SaaS has moved the frontline from network to identity [2].

This is not about fear. It's about understanding that the game has shifted, and adjusting accordingly. Businesses that implement MFA, monitor their identity systems, and limit privileged access are actively removing themselves from the pool of easy targets — because attackers, like any rational actor, choose the path of least resistance.

FAQ

An identity-based attack is one where the attacker gains access using legitimate, stolen, or guessed credentials rather than exploiting a software vulnerability. This includes phishing for passwords, buying stolen credentials from dark-web marketplaces, or using brute-force tools to guess weak passwords. In 2025, 67% of all investigated incidents fell into this category, according to Sophos [1].

The most common methods are phishing emails (fake login pages that capture your real password), data breaches at other services where you reused a password, brute-force attacks against accounts with weak passwords, and purchasing pre-stolen credentials from criminal marketplaces. In 2025, more than 8.2 million phishing emails targeted senior executives alone [2].

Yes, significantly. Microsoft's research shows MFA prevents more than 99% of automated credential attacks [4]. However, it needs to be properly configured — the Sophos report found that 59% of breached organisations had missing or misconfigured MFA [1]. Enabling it is step one; making sure it covers every external-facing system is step two.

Attackers deliberately time ransomware deployment for when your team is least likely to notice and respond. The Sophos 2026 data shows 88% of ransomware payloads deploy outside business hours [1]. A breach that would be caught within 30 minutes during business hours might go undetected for 8 hours overnight — giving attackers time to encrypt more systems before anyone responds.

Immediately isolate the affected system from your network (unplug it if necessary), change passwords for all accounts that may have been compromised — starting with admin accounts — and contact a cybersecurity professional. The faster you act in the first 3-4 hours, the less access attackers have to your core identity infrastructure. Do not pay a ransom without professional advice; it does not guarantee data recovery and may attract follow-up attacks.

References

[1] J. Shier et al., "2026 Sophos Active Adversary Report," Sophos, Feb. 24, 2026. [Online]. Available: https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report

[2] N. Jones, "Darktrace Annual Threat Report 2026," Darktrace, Feb. 2026. [Online]. Available: https://www.darktrace.com/news/darktrace-annual-threat-report-finds-identity-is-now-primary-target-as-global-vulnerabilities-rise-20

[3] Privacy Affairs, "Dark Web Price Index 2025," Privacy Affairs, 2025. [Online]. Available: https://www.privacyaffairs.com/dark-web-price-index/

[4] A. Weinert, "Your Pa$$word doesn't matter," Microsoft Tech Community, Aug. 9, 2019, updated 2025. [Online]. Available: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984

[5] É. Leverett, "Vulnerability Forecast 2026," FIRST (Forum of Incident Response and Security Teams), Feb. 11, 2026. [Online]. Available: https://www.first.org/blog/20260211-vulnerability-forecast-2026

[6] Cisco Security Advisory, "Cisco Catalyst SD-WAN Controller and Manager Unauthenticated Access Vulnerability CVE-2026-20127," Cisco, Feb. 2026. [Online]. Available: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

[7] Chainalysis, "Crypto Crime Report 2026 — Ransomware," Chainalysis, Feb. 27, 2026. [Online]. Available: https://www.chainalysis.com/blog/crypto-ransomware-2026/

[8] B. Toulas, "Ransomware 2025: Record Year for Victim Count," The Register, Jan. 8, 2026. [Online]. Available: https://www.theregister.com/2026/01/08/ransomware_2025_emsisoft/

[9] Help Net Security, "Ransomware activity peaks outside business hours," Help Net Security, Feb. 27, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/02/27/sophos-identity-driven-breaches-report/

[10] Infosecurity Magazine, "FIRST Forecasts Record-Breaking 50,000+ CVEs in 2026," Infosecurity Magazine, Feb. 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/first-forecasts-record-50000-cve/


Your logins are now the front door of your business. If you're not sure whether your accounts are properly secured, lilMONSTER can audit your identity controls and close the gaps attackers are looking for — before they find them. Book a free consultation →

Why Hackers Don't Break Your Lock — They Borrow Your Key

TL;DR

  • Most cyberattacks in 2025 didn't involve fancy hacking — attackers just used stolen passwords.
  • 67% of all business breaches started with someone else's login [1].
  • 59% of those businesses had no extra lock (called MFA) on their accounts [1].
  • Adding MFA is like putting a second lock on your front door — and it's mostly free.
  • Hackers strike at night on purpose. Your business needs overnight monitoring to catch them.

Imagine your business is a shop. You have a lock on the front door, security cameras, maybe even an alarm. Pretty safe, right?

Now imagine someone steals your key.

They don't need to pick the lock, cut the alarm wire, or sneak through the window. They just walk in the front door — looking exactly like you.

That's what's happening to thousands of businesses right now. And according to a study of 661 real cyberattacks by security firm Sophos, two out of every three attacks in 2025 started this way — with a stolen key, not a broken lock [1].

How Do Keys Get Stolen?

There are a few common ways:

Fake login pages (phishing). Someone sends you an email that looks like it's from Microsoft, Google, or your bank. You click, enter your password, and hand it straight to an attacker. In 2025, more than 8 million of these fake emails specifically targeted business owners and managers [2].

Leaked passwords from other websites. Have you ever reused a password? If a different website you use gets hacked, that same password might work on your business accounts too.

Guessing. Automated programs can try thousands of common passwords per second. If your password is "Summer2024!" you are not as safe as you think.

Buying stolen passwords. Criminals sell lists of stolen logins online for as little as $5 each [3].

What Happens Once They're In?

Here's where it gets serious. Once an attacker has one login for your business, they move fast. The Sophos study found that in under 4 hours, attackers can reach the master control system that manages every account in your organisation [1].

Think of it like getting a copy of the key to your shop and then finding the master key cabinet — the one that opens everything, including the safe.

They also pick their timing deliberately. 88% of the time, the nastiest part of the attack — locking up your files and demanding money — happens at night or on weekends [1]. While you're asleep. While nobody's watching. That gives them hours to cause damage before anyone notices.

The Simple Fix Most Businesses Skip

Here's the part that's frustrating: 59% of the businesses that got hacked this way didn't have a basic protection called MFA [1].

MFA stands for Multi-Factor Authentication. It's a second lock.

Even if someone has your password, they still need your phone — because every time you log in, an app on your phone shows a short code you also have to type. No phone, no entry. It stops more than 99% of automated attacks cold [4].

You almost certainly already have it available. Microsoft 365, Google Workspace, and most business tools include it for free. It takes about 10 minutes to turn on.

Action 1: Turn on MFA for your email and every business tool today. This is the single highest-impact thing you can do.

Action 2: Check who has admin access in your business. Admin accounts are the master keys. Every person who has one is a target. If someone doesn't need admin access, remove it.

Action 3: Consider after-hours monitoring. If attackers strike at 2am on Saturday, who's going to notice? Security monitoring tools and services can watch your accounts 24/7 and alert you the moment something unusual happens — like a login from an unfamiliar country at 3am.

Why This Is Good News

It might sound scary, but here's the flip side: these attacks are predictable and preventable.

Attackers aren't using secret techniques that nobody knows about. They're exploiting boring, fixable gaps — missing MFA, weak passwords, accounts with too much access. That means you have real control over your risk, in a way you wouldn't if it were about secret malware or government-level hacking.

The businesses that get hit are, in most cases, the ones that haven't done the basics yet. And the businesses that have? They're actively pushing themselves out of the target pool — because attackers move to easier options.

Your 3-Step Action Plan

  1. Turn on MFA for email, cloud storage, accounting software, and any remote access tool. Do this before anything else.
  2. Audit your admin accounts. Open your business software settings and look at who has admin or owner-level access. Remove it from anyone who doesn't need it.
  3. Tell your team what phishing looks like. A 15-minute walkthrough of how fake login emails work can prevent the most common form of key theft.

If you're not sure where to start, or you want someone to check your current setup and find the gaps, that's exactly what lilMONSTER does.


References

[1] J. Shier et al., "2026 Sophos Active Adversary Report," Sophos, Feb. 24, 2026. [Online]. Available: https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report

[2] N. Jones, "Darktrace Annual Threat Report 2026," Darktrace, Feb. 2026. [Online]. Available: https://www.darktrace.com/news/darktrace-annual-threat-report-finds-identity-is-now-primary-target-as-global-vulnerabilities-rise-20

[3] Privacy Affairs, "Dark Web Price Index 2025," Privacy Affairs, 2025. [Online]. Available: https://www.privacyaffairs.com/dark-web-price-index/

[4] A. Weinert, "Your Pa$$word doesn't matter," Microsoft Tech Community, Aug. 9, 2019, updated 2025. [Online]. Available: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984


Not sure if your business accounts are secure? lilMONSTER can check your setup, find the gaps, and help you fix them — before someone else finds them first. Book a free consultation →

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation