Security Research

The Anatomy of a Privileged Account Compromise: 2025's Biggest Breaches Analysed

We analysed 47 major enterprise security breaches from 2025. In 89% of cases, compromised privileged credentials played a central role.

OmniPriv Team
February 18, 2026
12 min read
Tags: Threat Analysis, Incident Response

The Pattern Behind the Headlines

When a major enterprise breach makes the news, the public narrative tends to focus on the attacker's sophistication, the volume of data stolen, the regulatory fines, and the reputational damage. What rarely gets adequate attention is the mechanism — specifically, how the attackers moved from an initial foothold to the level of access required to cause significant damage.

After analysing 47 disclosed enterprise security incidents from 2025, the pattern is consistent: in 89% of cases, the attacker's critical capability — the thing that turned a limited intrusion into a catastrophic breach — was control of one or more privileged accounts.

Initial Access Is Just the Beginning

Most breaches do not start with privileged access. They start with a phishing email that delivers malware to a standard workstation, or a vulnerability in an internet-facing application, or a leaked credential from a third-party data breach used against a VPN endpoint.

At this stage, the attacker has limited capability. They can see what the compromised user can see. They can reach what that user's device can reach on the network. The damage potential is bounded by the victim's role and permissions.

The critical escalation happens when the attacker finds a path to privilege. This could be a Kerberoastable service account with a weak password. A credential stored in plaintext in a script file on the file server. An unpatched local privilege escalation vulnerability. A shared local administrator password common across all workstations. Once that first privileged credential is obtained, the attacker's options expand dramatically.

Case Analysis: The Infrastructure Takeover Pattern

The most destructive incidents we analysed followed a recognisable kill chain. Initial access through phishing or credential stuffing. Local privilege escalation on the first compromised endpoint. Credential harvesting — dumping hashes, searching for stored credentials, identifying service accounts. Lateral movement using those credentials to reach higher-value systems. Domain privilege escalation using techniques like DCSync or Golden Ticket attacks once a domain admin credential was obtained. Finally, objective execution — data exfiltration, ransomware deployment, or persistent backdoor installation.

The organisations that contained breaches quickly, and with limited damage, had one consistent characteristic: their privileged accounts were managed by a PAM platform. Administrator credentials were not stored on endpoints. Service accounts had complex, regularly rotated passwords that were not reused. Privileged sessions were monitored, and anomalous behaviour triggered alerts.
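The kill chain above ends with domain privilege escalation, and the containment paragraph turns on alerts firing when privileged activity looks wrong. As an added example (not OmniPriv's product code or anything from the incidents analysed), the check below does the SIEM-side version of that alerting for the DCSync step: a replication request shows up on a domain controller as Security event 4662 whose Properties field carries the directory-replication control-access-right GUIDs, and the only principals that should ever request them are domain controllers and a sanctioned directory-sync service. The event records, the `svc-dirsync` allowlist entry and the domain name are constructed; the two replication GUIDs are the real well-known values.

```python
"""Flag likely DCSync activity in Windows Security event 4662 records.

Added example, not OmniPriv code. Input is a list of already-parsed events
(dicts with the EventID / SubjectUserName / ObjectName / Properties fields);
the sample events at the bottom are constructed, not from any real incident.
"""
import re

# Well-known control-access-right GUIDs that a directory replication request carries.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# The Properties field lists access rights and GUIDs wrapped in braces.
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

# Domain controller computer accounts end in "$". The allowlist holds accounts that
# legitimately replicate (a directory-sync service, say); the name is a placeholder.
SANCTIONED_REPLICATORS = frozenset({"svc-dirsync"})


def is_expected_replicator(account: str) -> bool:
    return account.endswith("$") or account.lower() in SANCTIONED_REPLICATORS


def requested_rights(properties: str) -> set[str]:
    """Extract every GUID named in a 4662 Properties field, lower-cased."""
    return {g.lower() for g in GUID_RE.findall(properties)}


def detect_dcsync(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (account, object, replication rights) for each 4662 that requests
    replication rights from an account that is neither a DC nor sanctioned."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = requested_rights(ev.get("Properties", "")) & REPLICATION_RIGHTS
        if not rights:
            continue  # ordinary directory object access, not replication
        who = ev.get("SubjectUserName", "")
        if is_expected_replicator(who):
            continue
        alerts.append((who, ev.get("ObjectName", ""), sorted(rights)))
    return alerts


# Constructed sample events (domain, hostnames and users are made up).
SAMPLE_EVENTS = [
    # A real DC replicating: expected, no alert.
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account requesting replication rights: the DCSync signature.
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user touching an object with a constructed, non-replication GUID: benign.
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectName": "CN=jsmith,OU=Staff,DC=corp,DC=example",
     "Properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
    # Sanctioned sync service: allowlisted.
    {"EventID": 4662, "SubjectUserName": "svc-dirsync", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated logon event: ignored.
    {"EventID": 4624, "SubjectUserName": "jsmith"},
]

if __name__ == "__main__":
    for who, obj, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync: {who} requested {rights} on {obj}")
```

In production the same logic runs over 4662 events from every domain controller; the DC-suffix and allowlist checks are what keep the rule from firing on normal replication traffic, so the allowlist has to be kept short and reviewed, since an attacker holding a sanctioned sync account would be invisible to it.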

The Shared Password Problem

In 28 of the 47 incidents, investigators found that the same administrator password was used across multiple systems. In many cases this had been true for years. Once an attacker obtained that credential on one system, every system using the same password was immediately accessible.

Automated credential rotation with unique per-system passwords is one of the simplest and most effective controls for limiting lateral movement. A PAM vault issues unique, complex credentials for each managed asset and rotates them on a defined schedule or after each use. Even if one credential is extracted from memory on a compromised system, it provides access to exactly one asset — and only until the next rotation cycle runs.
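To make the two paragraphs above concrete, here is an added example (not OmniPriv's vault, and not any product's API) that models both halves of the problem: an audit that finds the shared-password condition in a pre-PAM inventory, and a minimal vault that issues one credential per asset, rotates it on a schedule and after every check-in, and answers the question an incident responder asks after a credential dump, namely which assets a captured secret still opens. The `Vault` class, its method names and the inventory fingerprints are assumptions constructed for illustration.

```python
"""Per-asset credential rotation and the shared-password audit.

Added example, not OmniPriv code. The Vault API is a made-up illustration of
the control described in the article; the inventory values are constructed.
"""
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_secret(length: int = 32) -> str:
    """CSPRNG-backed password (the secrets module, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Credential:
    secret: str
    issued_at: int  # epoch seconds; integers keep the example deterministic


class Vault:
    """One credential per managed asset, rotated on a schedule and after use."""

    def __init__(self, rotation_interval: int, rotate_on_checkin: bool = True):
        self.rotation_interval = rotation_interval
        self.rotate_on_checkin = rotate_on_checkin
        self._creds: dict[str, Credential] = {}

    def onboard(self, asset: str, now: int) -> None:
        # Onboarding always rotates, so the pre-existing (possibly shared) password is retired.
        self.rotate(asset, now)

    def rotate(self, asset: str, now: int) -> None:
        self._creds[asset] = Credential(generate_secret(), now)

    def checkout(self, asset: str, now: int) -> str:
        cred = self._creds[asset]
        if now - cred.issued_at >= self.rotation_interval:
            self.rotate(asset, now)  # schedule-driven rotation
        return self._creds[asset].secret

    def checkin(self, asset: str, now: int) -> None:
        if self.rotate_on_checkin:
            self.rotate(asset, now)  # use-driven rotation: the checked-out value dies here

    def blast_radius(self, leaked_secret: str) -> list[str]:
        """Assets a captured secret currently opens (constant-time comparison)."""
        return [a for a, c in self._creds.items()
                if secrets.compare_digest(c.secret, leaked_secret)]


def shared_credentials(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Audit helper: group hosts whose local-admin credential fingerprint is identical.
    Only groups with more than one host are returned; those are the lateral-movement paths."""
    by_fp: dict[str, list[str]] = defaultdict(list)
    for host, fingerprint in inventory.items():
        by_fp[fingerprint].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed pre-PAM inventory: a fingerprint of each host's local administrator
# credential (e.g. a hash collected by an audit tool). "fp-A" on three hosts is
# the shared-password condition the article describes.
LEGACY_INVENTORY = {
    "ws-001": "fp-A",
    "ws-002": "fp-A",
    "fs01": "fp-A",
    "db01": "fp-B",
}

if __name__ == "__main__":
    print("shared before PAM:", shared_credentials(LEGACY_INVENTORY))
    vault = Vault(rotation_interval=24 * 3600)
    for host in LEGACY_INVENTORY:
        vault.onboard(host, now=0)
    captured = vault.checkout("ws-001", now=60)  # imagine this lifted from memory mid-session
    print("opens during use:", vault.blast_radius(captured))
    vault.checkin("ws-001", now=120)
    print("opens after check-in:", vault.blast_radius(captured))
```

The design point is in `blast_radius`: with the legacy inventory, one captured credential maps to three hosts; after onboarding it maps to exactly one, and after the check-in rotation to none, which is the bound the paragraph above describes.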

Recommendations

Eliminate shared administrator passwords immediately. Even before deploying a full PAM platform, this single change breaks the most common lateral movement path.

Implement Local Administrator Password Solution (LAPS) or an equivalent tool on all workstations so that every device has a unique local administrator credential.

Identify and eliminate standing domain admin access. Domain admin privileges should be used only when explicitly required for a specific task, via a JIT access model.

Deploy privileged session monitoring on your highest-value targets — domain controllers, database servers, backup systems, and cloud management consoles — as a priority.

Conduct a privileged account discovery exercise to identify service accounts, stale admin accounts, and credentials stored in scripts and configuration files.
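The last recommendation, finding credentials embedded in scripts and configuration files, is the part of a discovery exercise that is easiest to automate. As an added example (not OmniPriv's discovery tooling), the scanner below runs a small set of patterns over file contents, skips values that are only references to environment variables or templates, and reports each hit with the secret masked so the scan output does not itself become a new place credentials are stored. The patterns and the four sample files are constructed for illustration.

```python
"""Find credentials embedded in scripts and configuration files.

Added example, not OmniPriv code. Input is a mapping of file name to file
contents; the sample files below are constructed and contain made-up secrets.
"""
import re

# Ordered by specificity: the first pattern that matches a line wins.
# Group 1, where present, is the secret value.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_userinfo": re.compile(r"(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@"),
    "net_use": re.compile(r"(?i)\bnet\s+use\b.*?/user:\S+\s+(\S+)"),
    "connection_string": re.compile(r"(?i)(?:password|pwd)=([^;\s]+)"),
    "assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\";]{4,})"
    ),
}


def looks_like_reference(value: str) -> bool:
    """True for env-var or template references and obvious placeholders, which are
    not stored secrets and would only generate noise."""
    return value.startswith(("$", "%", "{{", "<")) or value.lower() in {"changeme", "password"}


def mask(value: str) -> str:
    """Keep two characters for triage, hide the rest."""
    return value[:2] + "*" * (len(value) - 2)


def scan(files: dict[str, str]) -> list[tuple[str, int, str, str]]:
    """Return (file, line number, finding kind, masked secret) for each hit."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                m = pattern.search(line)
                if not m:
                    continue
                value = m.group(1).strip("'\"") if m.groups() else "<key material>"
                if kind != "private_key" and looks_like_reference(value):
                    break  # reference, not a literal secret; move to the next line
                findings.append((name, lineno, kind, mask(value) if m.groups() else value))
                break  # one finding per line is enough for triage
    return findings


# Constructed sample files (hosts, users and secrets are made up).
SAMPLE_FILES = {
    "backup.ps1": "$password = 'Winter2019!'\n"
                  "net use Z: \\\\fs01\\backups /user:CORP\\svc-backup Winter2019!\n"
                  "Write-Host 'done'\n",
    "app.config": '<connectionStrings>\n'
                  ' <add name="db" connectionString="Server=db01;User Id=sa;Password=Pa55w0rd!;" />\n'
                  '</connectionStrings>\n',
    "deploy.sh": '#!/bin/sh\n'
                 'export DB_PASSWORD="${DB_PASSWORD}"\n'   # reference only: must not be reported
                 'curl https://svc:hunter22@api.internal/health\n',
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}

if __name__ == "__main__":
    for name, lineno, kind, secret in scan(SAMPLE_FILES):
        print(f"{name}:{lineno} {kind} {secret}")
```

On a real estate the same function is pointed at file shares, configuration directories and scheduled-task scripts, and every confirmed hit becomes a rotation ticket: the credential is moved into the vault and the stored value is replaced by a vault lookup or an environment reference of the kind the scanner already ignores.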
