Sannikov said the MFA number in this report is also worth pointing out: 97% of the organizations breached through compromised credentials already had MFA turned on.
“That’s not an argument against MFA, but not all MFA is created equal,” said Sannikov. “Some organizations still push codes over SMS or email, and if a threat actor already has a working set of credentials, there’s a real chance they also have access to that person’s email or phone account, the same channels that MFA is relying on to prove it’s really them. I once had a CISO tell me, ‘why should I worry about credentials, we have MFA.’ That’s exactly the mindset this data should put to rest.”Jacob Krell, senior director, secure AI solutions and cybersecurity at Suzu Labs, added it’s clear MFA alone isn’t enough.“MFA works for people logging in at a screen, said Krell. “It doesn’t cover a stolen session token, an API key, or a service account authenticating in the background. Stopping credential acquisition matters more now than catching ransomware payloads at the endpoint. Once an attacker establishes trusted identity, every later stage of the attack gets easier.”Shane Barney, chief information security officer at Keeper Security, said stolen credentials are now the dominant ransomware entry point, and the trend has accelerated. Barney said once attackers obtain a legitimate identity, they can move through an environment undetected, escalating privileges and staging ransomware before most teams know something is wrong. “The goal isn’t just stopping the initial breach,” said Barney. “It’s limiting the blast radius when credentials are compromised. Organizations that can’t see who has access to what, and can’t revoke it fast, will keep finding out after the fact. That’s what zero-trust and strong identity governance are designed to prevent.”
