Why Hackers Are Ditching Stolen Passwords for Apps
Public-facing app exploits surged 44% while credential theft dropped. IBM's new threat report reveals what's driving the shift—and why it matters.
Written by AI. Marcus Chen-Ramirez
February 25, 2026

For years, the playbook was simple: steal credentials, walk through the front door. Credential theft was the hacker's preferred entry point—low effort, high reward, and remarkably effective at evading detection. But according to IBM's newly released 2026 X-Force Threat Intelligence Index, something shifted in the past year.
Exploitation of public-facing applications surged by 44%, overtaking credential theft as attackers' top initial access vector. That's not just a statistical blip—it represents a fundamental change in how threat actors approach their targets.
The question isn't whether this matters. It's why it's happening now, and what it tells us about where security is actually breaking down.
The Gap Between Components
Chris Caridi, a cyber threat analyst with IBM X-Force who co-authored the report, points to supply chain complexity as a key driver. "I think it reflects a rise in the supply chain attacks targeting the development ecosystems and trust in infrastructure," Caridi explains. "There's a lot more implementations going around where we have multiple systems kind of talking to each other."
It's a pattern that keeps appearing in security incidents: two components might each be secure in isolation, but the seam where they connect becomes exploitable. As organizations build increasingly sophisticated supply chains with more moving parts, they're creating more of these seams. And 56% of the exploited vulnerabilities didn't even require authentication—attackers didn't need stolen credentials because the doors were already open.
Claire Nuñez, creative director of IBM's X-Force Cyber Range, flagged another telling statistic: major supply chain breaches increased fourfold. "Organizations still aren't always doing their due diligence with their supply chain partners," she notes. The reason isn't mysterious—it's economic. "The speed of business is not always the speed of security."
That tension shows up everywhere in the data. Conducting thorough risk assessments on supply chain partners takes time and money. Onboarding moves slower. But business doesn't wait for security to catch up, so organizations make trade-offs. Some of those trade-offs turn into vulnerabilities.
The Security 101 Problem
Here's the uncomfortable part: a lot of what's being exploited isn't novel or sophisticated. It's basic hygiene failures.
Joe Xatruch, chief technology architect at IBM, puts it bluntly: "Things that should be part of our day-to-day like multifactor authentication—are we securing the code? Are we doing the right thing? Following the right steps? Those things are being missed. They shouldn't be missed."
The most common attack patterns IBM's offensive security team found during penetration testing included exploiting misconfigured access controls, scanning for vulnerable software, and password brute forcing. OWASP's Top 10 still lists broken access control as the number one web application security risk. This isn't new information.
So why does it keep happening? Xatruch suggests it's partly about accessibility: "It's easier to put public-facing applications out there, and it's easier for users to just go ahead and create things" without the background to secure them properly. As technical barriers drop and more people can deploy applications, security knowledge doesn't automatically follow.
Nuñez sees the same pattern in cyber range training scenarios: "The initial attack vector for a lot of our scenarios, we do often bring it back to a very simple human element. Someone clicking a phishing link, someone's credentials being insecure, weak. We do it because that's what we see in the wild."
What Changed With Credentials
Credential theft didn't disappear—it just dropped to second place, still accounting for 32% of initial access. Caridi explains why it remains attractive: "It's low cost and incredibly effective. If they have valid credentials, they don't have to invest time and resources into finding exploits. They can just basically log in instead of hacking."
But one subset of credential theft is growing fast: AI-related access. The report found over 300,000 ChatGPT credentials exposed on the dark web. That's not just about accessing chatbots—it's about the permissions those tools have been granted.
"I think organizations are just giving AI permission to do the vast majority of things," Xatruch observes. "Multiple access to domains, servers, databases—to allow it to do whatever task you wanted. If I'm able to get a hold of those credentials, I'm not only getting access to AI, I'm getting access to a lot of things."
This creates a qualitatively different threat surface. A compromised AI agent isn't just a data breach—it's a breach of capability. The agent can act on behalf of the attacker with all the privileges it's been granted. Recent research from Hudson Rock documented infostealer malware targeting OpenCLI configuration files, including what they dramatically called the agent's "soul"—its operating principles and behavioral guidelines.
Nuñez is skeptical of the metaphor but clear about the risk: "I'm hesitant about calling the information a soul of an AI just because people do anthropomorphize AI so much. But depending on the organization, it may contain financials or specific policies. That could be super harmful depending what lives in it and what's attached to it."
The Silver Lining Problem
There's a tempting narrative here about how the fixes are simple—just implement MFA, patch your systems, do the basics. And that's true, to a point. "If you follow best practices, you should be okay," Xatruch says.
But if the solutions were truly simple, we wouldn't keep seeing the same vulnerabilities year after year. The gap isn't primarily technical—it's organizational, economic, and human. Security costs time and money. It slows things down. It requires expertise that not every team has access to.
Caridi's recommendation cuts to the core: "Make sure you have a grasp of what your actual footprint is, especially your external footprint. Understanding your risk exposure there is extremely important."
That sounds basic until you try to actually do it at scale. How do you inventory everything that's exposed when your infrastructure is distributed across multiple clouds, when developers are spinning up new services constantly, when your supply chain extends through dozens of third-party integrations?
Nuñez suggests AI itself might be part of the answer: "AI can be exploited, but you can also use AI to your advantage to automate and reduce human fatigue." As Caridi noted, manually inventorying everything exposed would be nearly impossible for a human. This is where automation becomes not just helpful but necessary.
The shift from credential theft to application exploitation isn't just about attackers getting smarter—it's about defenders struggling to keep pace with their own infrastructure's complexity. Every new integration, every microservice, every API endpoint creates potential attack surface. Organizations are building faster than they can secure, and attackers are learning to exploit the gaps that result.
Whether the answer is better tooling, more resources, or a fundamental rethinking of how we build and deploy software probably depends on who you ask. What's clear from IBM's data is that whatever we're doing now isn't closing the gap.
—Marcus Chen-Ramirez
Watch the Original Video
Exploits of public-facing apps are surging. Why?
IBM Technology
47m 16s
About This Source
IBM Technology
IBM Technology, a YouTube channel launched in late 2025, has swiftly garnered a following of 1.5 million subscribers. The channel serves as an educational platform designed to demystify cutting-edge technological topics such as AI, quantum computing, and cybersecurity. Drawing on IBM's rich history of technological innovation, it aims to provide viewers with the knowledge and skills necessary to succeed in today's tech-driven world.