Yotam Gutman

20-12-2025

VPN Credentials: Theft, Abuse, and Why “Logging In” Is the New Break‑In

VPNs are no longer breached only through vulnerabilities, but through stolen credentials sold and reused at scale. Once attackers log in, they blend in, move laterally, deploy ransomware, and exfiltrate data.


In addition to the inherent flaws of VPN technology, which have been exploited time and again in recent years, a new risk is emerging that quickly surpasses that of hacking into the VPN device itself: the risk of abusing stolen credentials. With the right credentials, attackers can connect to the organization and conduct reconnaissance, lateral movement, and data encryption or corruption, and conclude with massive data exfiltration, all without raising an alert.

This post explains what VPN credential theft looks like, why credential abuse is so effective, the scope of the problem, and several prominent examples from the past year.

What are VPN credentials?

“VPN credentials” are the authentication factors that let a user (employee, contractor, vendor) establish remote access into a private network. Depending on the platform, they may include:
• Username + password
• MFA factors (push, OTP codes)
• Certificates or device identities
• Session tokens created after authentication
• Local accounts on the VPN appliance (often privileged)

When attackers obtain any of these, the VPN becomes a direct entry point into the internal network, often with fewer security controls than your core identity provider, or none at all.

How VPN credentials get stolen

Credential theft is an ecosystem with multiple supply chains:

1) Infostealers on endpoints

Infostealers harvest saved browser passwords, autofill data, session cookies, and application credentials. Mandiant notes that attackers increasingly use credentials stolen in infostealer operations for initial access; in its 2024 investigations, stolen credentials rose to 16% of initial infection vectors. In December 2025, an analysis of a new stealer family (“Arkanix”) marketed on Discord noted that its premium options included stealing VPN accounts and that its configurable features included collecting VPN data.

2) Phishing and login-flow capture

Phishing still works, but modern kits aim to capture the full login flow: passwords plus MFA prompts or weaker fallback factors.

3) Major data leaks

Sometimes credentials aren’t stolen from the user; they’re pulled from the infrastructure. In January 2025, researchers highlighted a leak of Fortinet FortiGate firewall configuration data that included plaintext VPN user credentials.

How stolen VPN credentials are commercialised and sold

After credentials are stolen, they usually aren’t used immediately by the same actor who stole them. In today’s underground economy, stolen credentials are treated like inventory that gets validated, packaged, sold, and then operationalized by other crews. Many threat actors convert stolen credentials into working remote access (VPN, RDP, SSO) because that is what buyers want. You’ll often see listings described as “VPN access to internal systems of Company XXX” on underground markets. Sometimes an additional “middle layer”, the Initial Access Broker (IAB), is involved. These are specialists who break in (or acquire credentials), then quietly confirm access, map the environment, and build a more valuable package before selling it. Once packaged, access is sold through forums and invite-only channels (including closed groups). Sometimes stolen credentials or backdoor access are auctioned to the highest bidder.

But even unverified credentials can be used by threat actors. They can use coarser methods such as credential stuffing (trying known username/password pairs across VPN portals) at scale until they reach a target they can breach.

How stolen VPN credentials are used

Once purchased, that access is commonly used to:

• Connect to internal networks and perform reconnaissance
• Exfiltrate sensitive data
• Deploy ransomware
• Enable fraud
• Cause service disruption

Wait, it’s not over yet!

Listings and credential sets can be reused and resold, sometimes multiple times, especially if the victim doesn’t rotate credentials, fix misconfigurations, or enforce MFA consistently. This means that more than one attacker can use the same set of credentials to attack a company or organization again.

The scope: remote access is a dominant precursor to serious incidents

The latest data points to the same conclusion: remote access is a top pathway into environments that later suffer ransomware and data theft.

• At‑Bay reported that in 2024, 80% of ransomware attacks in its insured population had a remote access tool as the entry vector, and 83% of those cases involved a VPN device.
• Beazley reported in its Q1 2025 threat report that compromised VPN credentials led to 56% of observed ransomware deployments.

Why credential abuse is “replacing” VPN vulnerability exploitation

Exploitation hasn’t disappeared; VPN and edge-device CVEs still matter. But attackers increasingly prefer credential abuse because it scales better and often blends into normal operations. Recent examples illustrating this trend include the FortiGate configuration leak of January 2025, in which data from over 15,000 Fortinet FortiGate firewalls was exposed, including full configurations and plaintext VPN user credentials. Another incident occurred in mid‑December 2025: a coordinated credential‑based campaign targeting enterprise VPN authentication, observed against Palo Alto Networks GlobalProtect and Cisco SSL VPN. The activity was explicitly described as scripted login attempts, not vulnerability exploitation.
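One way a defender can surface the scripted login pattern described above is to group VPN authentication events by source address rather than by account, since low per-account attempt counts stay under lockout thresholds. This is an added example, not code from the original post or from any vendor; the log format, addresses and usernames are constructed, and the 60-second window and five-user threshold are assumed starting points to tune per environment.

```python
"""Flag source IPs that attempt many distinct VPN usernames in a short window."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source IP, username, outcome.
# This is a generic format, not the real GlobalProtect or Cisco ASA syslog format.
SAMPLE_LOG = """\
2025-12-15T02:00:01Z 203.0.113.7 alice FAIL
2025-12-15T02:00:02Z 203.0.113.7 bob FAIL
2025-12-15T02:00:03Z 203.0.113.7 carol FAIL
2025-12-15T02:00:04Z 203.0.113.7 dave FAIL
2025-12-15T02:00:05Z 203.0.113.7 erin FAIL
2025-12-15T02:00:06Z 203.0.113.7 frank SUCCESS
2025-12-15T08:12:40Z 198.51.100.9 alice SUCCESS
2025-12-15T08:15:00Z 198.51.100.9 alice SUCCESS
"""


def parse(log):
    """Turn the constructed log text into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome))
    return events


def find_spraying_sources(events, window_s=60, min_users=5):
    """Return {ip: details} for sources that tried >= min_users distinct usernames
    within window_s seconds. Any SUCCESS from such a source is reported as a
    likely compromised account that deserves credential rotation and session review."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # Sliding window: distinct usernames attempted within window_s of this event.
            users = {u for t, u, _ in evs[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                hits = sorted({u for _, u, o in evs if o == "SUCCESS"})
                flagged[ip] = {"distinct_users": len(users), "successful_logins": hits}
                break
    return flagged


if __name__ == "__main__":
    print(find_spraying_sources(parse(SAMPLE_LOG)))
```

The single legitimate user logging in twice from 198.51.100.9 is not flagged; the one source cycling through six accounts in six seconds is, together with the account it succeeded on.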

Remove the VPN credentials risk 

Zeroport acknowledges that software-based remote access is inherently risky: breaches will occur either through vulnerability exploitation or through credential abuse. Zeroport’s hardware-enforced, non-IP connection at the network boundary eliminates inbound malware risks and stops data exfiltration.

Contact us today to schedule a demo
