A new analysis of major cyberattacks reveals that the most expensive data breaches rarely begin with high-grade hacks.
Instead, attackers exploit simple, preventable security weaknesses that organisations repeatedly fail to fix.
Danny Mitchell, cybersecurity writer at Heimdal Security, examined high-profile breaches from the past decade and found that most began with stolen credentials, unpatched systems, or phishing attacks.
“When we examine the anatomy of major data breaches over the past decade, a clear pattern emerges,” Mitchell said.
“Attackers consistently exploit the same entry points because organisations continue to leave these doors open. Understanding where breaches begin is the first step toward preventing them.”
Compromised Credentials
One of the most common vulnerabilities is stolen or weak credentials. In the 2013 Target breach, hackers accessed the network through a third-party HVAC vendor.
Using these credentials, they moved across the system and stole 40 million credit card numbers and 70 million customer records.
Mitchell says, “Organisations often grant excessive access to third-party vendors without implementing proper oversight or segmentation. Once attackers obtain valid credentials, they appear as legitimate users, making detection extremely difficult.”
Unpatched Systems
Equifax’s 2017 breach illustrates another recurring issue: the failure to update systems. Attackers exploited a known vulnerability in Apache Struts for which a patch had been available for months.
The breach exposed sensitive data of 147 million people. “Equifax was breached using a vulnerability that had a publicly available patch,” Mitchell notes. “This breach occurred not because the attack was unavoidable, but because basic patch management processes failed.”
Phishing and Email-Based Attacks
Email is an easy entry point for attackers. In 2011, Epsilon suffered a breach after phishing campaigns targeted client databases, affecting millions of customers from brands including JPMorgan Chase and Walgreens.
Mitchell explains, “Email-based attacks work because they exploit human behaviour rather than technical vulnerabilities. Even with advanced security tools, a convincing phishing email can bypass technical defences if an employee clicks a malicious link or provides credentials on a fake login page.”
Why These Weaknesses Persist
Mitchell identifies three systemic reasons organisations remain vulnerable:
- Over-Privileged Accounts: Many employees and vendors retain access rights they no longer need.
- Poor Visibility: Security teams often lack tools to monitor unusual network activity.
- Tool Sprawl: Multiple disconnected security systems create blind spots that attackers exploit.
Steps to Reduce Risk
Mitchell suggests several measures to block attackers at the most common entry points:
- Enforce strict privileged access controls and multi-factor authentication.
- Use DNS filtering to block connections to malicious domains.
- Deploy endpoint detection and response systems for real-time monitoring.
- Implement automated patch management and prioritise critical vulnerabilities.
“Attackers will always choose the path of least resistance,” Mitchell concludes. “By closing these common entry points, organisations force attackers to use more sophisticated, and therefore more detectable, methods. While perfect security may be impossible, you can make your organisation a harder target than the alternatives.”