There was a substantial rise year-on-year in the number of password cracks.
Enterprise passwords were cracked in just under half of corporate environments.
According to research from Picus Security, in 46% of environments at least one password hash was successfully cracked, and data exfiltration attempts were only stopped 3% of the time, down from 9% in 2024.
The company’s research shows that the share of environments with at least one cracked password rose from 25% in 2024 to 46%, highlighting continued reliance on weak or outdated password policies.
It also found that attacks using valid credentials were successful 98% of the time, making techniques like Valid Accounts (MITRE ATT&CK T1078) one of the most reliable ways to bypass defenses undetected.
“We must operate under the assumption that adversaries already have access,” said Dr. Süleyman Ozarslan, co-founder of Picus Security and VP of Picus Labs.
“An ‘assume breach’ mindset pushes organisations to detect the misuse of valid credentials faster, contain threats quickly, and limit lateral movement - which requires continuous validation of identity controls and stronger behavioural detection.”
The research also found that only 14% of attacks generated alerts, meaning that most malicious activity still goes unnoticed.
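As an added illustration of what "detecting the misuse of valid credentials" (Valid Accounts, T1078) looks like in practice, the Python below builds a per-user behavioural baseline from historical logon records and flags later logons that deviate from it: a source host the account has never used, a logon outside the account's usual hours, and a burst of first-time target hosts, which is one common shape of lateral movement with stolen but valid credentials. This is example code written for this article, not Picus Security's platform or any tool from the report; the logon records are constructed, and the field layout (timestamp, user, source host, target host) and the thresholds are assumptions.

```python
"""Behavioural detection of valid-credential misuse (MITRE ATT&CK T1078).

Added example, not Picus Security's tooling. Records are constructed
(timestamp, user, source host, target host) tuples; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical logons used to build the baseline (hypothetical data).
BASELINE_LOGONS = [
    (datetime(2025, 3, 3, 8, 55), "alice", "WS-ALICE", "FS01"),
    (datetime(2025, 3, 3, 9, 10), "alice", "WS-ALICE", "MAIL01"),
    (datetime(2025, 3, 4, 8, 48), "alice", "WS-ALICE", "FS01"),
    (datetime(2025, 3, 4, 16, 30), "alice", "WS-ALICE", "MAIL01"),
    (datetime(2025, 3, 3, 9, 5), "bob", "WS-BOB", "FS01"),
    (datetime(2025, 3, 4, 13, 20), "bob", "WS-BOB", "FS01"),
]

# Constructed new logons to score. All use a valid account; only behaviour differs.
NEW_LOGONS = [
    (datetime(2025, 3, 5, 9, 15), "alice", "WS-ALICE", "FS01"),       # normal
    (datetime(2025, 3, 5, 2, 40), "alice", "VPN-POOL-7", "FS01"),     # new source, off-hours
    (datetime(2025, 3, 5, 2, 42), "alice", "VPN-POOL-7", "DC01"),     # + first-time target
    (datetime(2025, 3, 5, 2, 44), "alice", "VPN-POOL-7", "SQL01"),
    (datetime(2025, 3, 5, 2, 46), "alice", "VPN-POOL-7", "HR-APP01"), # third first-time target in 6 min
]


def build_baseline(records):
    """Per-user profile: source hosts, target hosts and logon hours seen historically."""
    profile = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for ts, user, src, dst in records:
        profile[user]["src"].add(src)
        profile[user]["dst"].add(dst)
        profile[user]["hours"].add(ts.hour)
    return dict(profile)


def score_logons(records, profile, burst_window=timedelta(minutes=10), burst_threshold=3):
    """Return (timestamp, user, target, reasons) for each logon that deviates from the baseline."""
    findings = []
    known_dst = {user: set(p["dst"]) for user, p in profile.items()}
    first_time = defaultdict(list)  # user -> timestamps of first-time target logons
    for ts, user, src, dst in sorted(records):
        reasons = []
        p = profile.get(user)
        if p is None:
            reasons.append("unknown_user")  # valid credential with no behavioural history at all
        else:
            if src not in p["src"]:
                reasons.append(f"new_source:{src}")
            if ts.hour not in p["hours"]:
                reasons.append(f"off_hours:{ts:%H}")
            if dst not in known_dst[user]:
                known_dst[user].add(dst)
                reasons.append(f"first_time_target:{dst}")
                first_time[user].append(ts)
                recent = [t for t in first_time[user] if ts - t <= burst_window]
                if len(recent) >= burst_threshold:
                    reasons.append(f"lateral_burst:{len(recent)}")
        if reasons:
            findings.append((ts, user, dst, reasons))
    return findings


def detect(baseline=BASELINE_LOGONS, new=NEW_LOGONS):
    """Score the constructed new logons against the constructed baseline."""
    return score_logons(new, build_baseline(baseline))


if __name__ == "__main__":
    for ts, user, dst, reasons in detect():
        print(f"{ts:%Y-%m-%d %H:%M} {user} -> {dst}: {', '.join(reasons)}")
```

Run against the constructed data, the 09:15 logon from alice's usual workstation produces nothing, while the four overnight logons from the VPN pool are each flagged, and the fourth also trips the lateral-movement burst rule. None of these logons fails authentication, which is the point of the quote above: a control that only looks at whether the credential is valid sees nothing here, and the signal has to come from the account behaving differently from its own history.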
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.