At 11:43pm on a Tuesday, an automated tool tests a stolen credential against your email platform. It matches. A session token is issued. In the next 72 minutes — while you sleep, while your team sleeps, while your IT provider sleeps — a sequence of events unfolds that will take your business an average of 292 days to discover.
This is not a hypothetical. The 2026 Unit 42 Global Incident Response Report — Palo Alto Networks' annual analysis drawn from hundreds of real-world breach investigations — found that the fastest 25% of attacks in 2025 reached full data exfiltration in just 72 minutes. Four times faster than the prior year. The attack lifecycle is compressing because AI has become a force multiplier for threat actors — automating the reconnaissance, scripting, and execution steps that used to require human judgment at every stage.
Most small businesses have no monitoring in place that would trigger an alert in that window. They have a firewall watching the perimeter and an antivirus that has something to catch in only 18% of modern intrusions. By the time anyone knows something happened, the attacker has been inside — and possibly gone — for the better part of a year.
Here is what actually happens in those 60 minutes. Minute by minute.
72 min: the fastest attacks in 2025, from initial access to full data exfiltration; 4x faster than the prior year. (Unit 42 2026 Global IR Report, Palo Alto Networks)
90%: of Unit 42 breach investigations involved identity weaknesses — attackers log in, they don't break in. (Unit 42 2026 Global IR Report)
96%: of ransomware attacks in Q3 2025 involved data exfiltration, the highest rate ever recorded. (BlackFog Q3 2025 Ransomware Report)
"In the fastest cases we investigated, attackers needed just 72 minutes to move from initial access to data exfiltration — 4x faster than last year. We're seeing AI used in reconnaissance, phishing, scripting and operational execution, which enables machine-like speed at scale." — Unit 42 2026 Global Incident Response Report, Palo Alto Networks.
The 60-minute breach — minute by minute
The sequence below is drawn from documented real-world incident response patterns. Every phase has a purpose. Every phase has a window where detection is possible. Almost none of them are monitored by the average SMB.
Initial access — the credential works (clock starts)
An automated tool submits your employee's stolen username and password to your email platform, VPN, or SaaS application. The login succeeds. A session token is issued. To every security system watching, this looks identical to a legitimate login — recognized credential, familiar user agent, nothing anomalous. The attacker now has an authenticated session and has triggered no alerts.
90% of breaches investigated by Unit 42 involved identity weaknesses. Attackers aren't breaking in — they're logging in with credentials purchased for $10, or captured by infostealer malware from an employee's personal device.
Reconnaissance — mapping what they can reach (enumeration begins)
The attacker surveys the environment — what the compromised account can access, which employees and systems appear in the inbox and shared drive. Email history reveals client names, contracts, financial relationships, and internal procedures. All read-only activity using legitimate access. No malware. No alerts.
Each compromised device yielded an average of 87 stolen credentials in 2025, per Recorded Future. An inbox isn't just one account — it's a map to every other account the employee has ever accessed.
Credential testing — the same password, everywhere (lateral movement begins)
Automated tools test the compromised credential — and variations — against every other system visible from the initial foothold. CRM. Accounting platform. Cloud storage. Project management tools. If any accept the same password, access multiplies immediately. The tools used are legitimate ones — the same scripting utilities your IT team uses — which is why 82% of modern intrusions are malware-free and invisible to traditional antivirus.
CrowdStrike 2026 Global Threat Report: 82% of threat detections in 2025 were malware-free. Attackers use your own legitimate tools against your own systems.
Privilege escalation — reaching for the keys (impact window expanding)
From the initial account, the attacker looks for higher-privilege access — an admin account, a shared IT credentials document, a password reset flow to a more powerful account. Identity weaknesses in 90% of investigated breaches mean fragmented access management: service accounts with excessive permissions, admin accounts not removed after role changes, credentials stored in shared documents.
Unit 42 2026: "Attackers increasingly log in with stolen credentials and tokens, exploiting fragmented identity estates to escalate privileges and move laterally without triggering traditional defenses."
Persistence — ensuring they can come back (backdoor established)
Before exfiltration, sophisticated attackers establish persistence — a new admin account created quietly, an email forwarding rule that continues after the account is revoked, an OAuth token granted to a third-party app, or an API key embedded in a configuration file. The attacker is now in your system independent of the credential that got them in. Changing the compromised password no longer evicts them.
In the documented SafePay ransomware case, attackers accessed systems via compromised VPN credentials, then used lateral movement and PowerShell for discovery before staging exfiltration. Persistence is what converts a 72-minute attack into a 292-day dwell time.
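Each persistence mechanism listed above leaves an audit event that can be matched as it happens. The following is an added example, not code from the original article or any vendor: the event format, field names and sample events are constructed assumptions (the scope and role names are borrowed from common cloud identity platforms for realism), and the second function measures how many minutes after the first login the first such event appeared, which is the detection window the text describes.

```python
from datetime import datetime

INTERNAL_DOMAINS = {"example.com"}          # assumption: the organisation's own mail domains
ADMIN_HINTS = ("admin", "owner")            # assumption: substrings that mark privileged roles
MAILBOX_SCOPES = {"mail.read", "mail.readwrite", "offline_access"}   # assumption: scopes worth alerting on

# Constructed audit events (field names are ours, not a vendor schema). Not real telemetry.
EVENTS = [
    {"ts": "2025-10-07T23:43:00", "actor": "j.doe@example.com", "type": "login", "ip": "203.0.113.7"},
    {"ts": "2025-10-07T23:58:00", "actor": "j.doe@example.com", "type": "inbox_rule_created",
     "forward_to": "j.doe.backup@mailbox.invalid"},
    {"ts": "2025-10-08T00:11:00", "actor": "j.doe@example.com", "type": "oauth_consent",
     "app": "Mail Sync Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2025-10-08T00:20:00", "actor": "j.doe@example.com", "type": "role_assigned",
     "target": "svc-backup@example.com", "role": "Global Administrator"},
    {"ts": "2025-10-08T00:31:00", "actor": "svc-backup@example.com", "type": "api_key_created",
     "name": "integration-key", "expires": None},
    {"ts": "2025-10-08T09:05:00", "actor": "it.admin@example.com", "type": "role_assigned",
     "target": "new.hire@example.com", "role": "User"},      # routine change, must not alert
]

def is_external(address):
    """True when the address belongs to a domain we do not own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def persistence_alerts(events):
    """Return (timestamp, actor, reason) for each event that would survive a password reset of the actor."""
    alerts = []
    for e in events:
        t, reason = e["type"], None
        if t == "inbox_rule_created" and is_external(e["forward_to"]):
            reason = "mail forwarded to external address " + e["forward_to"]
        elif t == "oauth_consent" and MAILBOX_SCOPES & {s.lower() for s in e["scopes"]}:
            reason = "third-party app granted mailbox access: " + e["app"]
        elif t == "role_assigned" and any(h in e["role"].lower() for h in ADMIN_HINTS):
            reason = f"privileged role '{e['role']}' granted to {e['target']}"
        elif t == "api_key_created" and e.get("expires") is None:
            reason = f"non-expiring API key '{e['name']}' created"
        if reason:
            alerts.append((e["ts"], e["actor"], reason))
    return alerts

def minutes_from_login(events, actor):
    """Minutes between the actor's first login and the first persistence alert tied to them."""
    logins = [e["ts"] for e in events if e["type"] == "login" and e["actor"] == actor]
    hits = [ts for ts, who, _ in persistence_alerts(events) if who == actor]
    if not logins or not hits:
        return None
    delta = datetime.fromisoformat(min(hits)) - datetime.fromisoformat(min(logins))
    return int(delta.total_seconds() // 60)
```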
Staging and exfiltration — the data leaves (point of no return)
The attacker identifies highest-value data — client lists, contracts, financial records, employee PII, intellectual property — and stages it for exfiltration. In ransomware operations, this data is copied before encryption, creating double extortion: pay the ransom or the data goes public. In Q3 2025, BlackFog found 96% of ransomware attacks involved exfiltration, with an average of 527 gigabytes transferred per victim.
36.4% of all indexed credentials were detected within 24 hours of exfiltration in 2025 — but 63.6% weren't. By the time most businesses discover a breach, the data has already been sold, published, or used. Detection after exfiltration isn't recovery. It's documentation of loss.
Detection — if it happens at all (average SMB discovery)
The average business discovers a credential-based breach 292 days after initial access, per IBM's 2025 research. In many cases, discovery is triggered not by internal monitoring but by an external notification — a law enforcement tip, a customer reporting suspicious activity, or a threat researcher finding the data on a criminal marketplace. The attacker has had 292 days to move laterally, exfiltrate data, establish persistence, and sell access to other actors. The 72-minute attack is long over.
The asymmetry is the most alarming part. The fastest attackers need 72 minutes. The average business needs 292 days. In that gap, the attacker has operated freely inside your systems, with your credentials, using your legitimate tools, invisible to every defense designed to catch something that doesn't look like you. That is not a technology problem. It is a visibility problem.
Why your current defenses don't see this happening
The 60-minute breach is designed to be invisible to the defenses most SMBs have in place:
- Firewall: Watches for unauthorized network traffic. The attacker uses authorized credentials on authorized systems. The firewall sees nothing unusual.
- Antivirus: Catches known malware signatures. 82% of modern intrusions use no malware. Antivirus fires on 18% of cases.
- MFA: Confirms identity at login. If MFA was bypassed via push bombing, AiTM proxy, or a legacy protocol gap, the session is already authenticated. Post-authentication behavior is invisible to MFA.
- Password policy: Defines what passwords should look like. Says nothing about whether a valid credential is currently in use by someone who isn't your employee.
- Annual security assessment: Shows posture at a point in time. The credential was stolen after the assessment. The attack happened between assessments. The report is silent.
The four controls that actually shrink the window
1. Credential exposure monitoring
Know which credentials appeared in breach databases before an attacker tests them. The attack starts before minute zero — when the credential is sold. Early warning gives you the window to change the password before the login attempt.
2. Behavioral anomaly detection
The attacker during reconnaissance, lateral movement, and exfiltration behaves differently from the legitimate user — unusual file access, unusual download volumes, unusual hours. Behavioral monitoring reads these signals in minutes, not months.
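An added example, not from the original article, of the baseline-and-deviation logic this control describes: it aggregates one user's activity per day and flags a day whose active hours, download volume or breadth of file access departs from that user's own earlier days. The log format, the thresholds and the sample lines are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed activity log lines ("<ISO time> <user> <action> <object> <bytes>"); not real telemetry.
LOG = [f"2025-09-{d:02d}T{h:02d}:10:00 j.doe download contracts/{d}-{h}.pdf 2400000"
       for d in range(1, 11) for h in (9, 11, 14, 16)]            # ten ordinary workdays
LOG += [f"2025-10-07T{22 if i < 30 else 23:02d}:{i % 30 + 10:02d}:00 j.doe download clients/record{i}.xlsx 45000000"
        for i in range(60)]                                          # the breach night: bulk pull of a shared drive

def daily_profile(lines, user):
    """Aggregate one user's log into {date: {"hours": set, "bytes": int, "objs": set}}."""
    days = {}
    for line in lines:
        ts, who, _action, obj, size = line.split()
        if who != user:
            continue
        rec = days.setdefault(ts[:10], {"hours": set(), "bytes": 0, "objs": set()})
        rec["hours"].add(int(ts[11:13]))
        rec["objs"].add(obj)
        rec["bytes"] += int(size)
    return days

def score_day(lines, user, date, k=3.0):
    """Return the reasons the given day deviates from the user's earlier days (empty list = normal)."""
    days = daily_profile(lines, user)
    history = [v for d, v in days.items() if d < date]       # ISO dates sort lexically
    if date not in days or not history:
        return []
    today = days[date]
    usual_hours = set().union(*(h["hours"] for h in history))

    def limit(values):
        # mean + k*stdev, with a floor so a perfectly flat baseline still has a band
        m, s = mean(values), pstdev(values)
        return m + k * max(s, 0.1 * m)

    reasons = []
    new_hours = today["hours"] - usual_hours
    if new_hours:
        reasons.append(f"activity at hours {sorted(new_hours)} never seen before")
    hist_bytes = [h["bytes"] for h in history]
    if today["bytes"] > limit(hist_bytes):
        reasons.append(f"{today['bytes'] / 1e6:.0f} MB downloaded vs usual {mean(hist_bytes) / 1e6:.0f} MB")
    hist_objs = [len(h["objs"]) for h in history]
    if len(today["objs"]) > limit(hist_objs):
        reasons.append(f"{len(today['objs'])} distinct files touched vs usual {mean(hist_objs):.0f}")
    return reasons
```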
3. Phishing-resistant MFA
FIDO2 security keys remove the initial access vector entirely for accounts where deployed. An attacker with a valid stolen password still can't log in without the physical key. The 72-minute clock never starts.
4. Identity hygiene — no excess access
The privilege escalation phase relies on fragmented identity estates. Quarterly access audits close the gaps that turn a single compromised account into a full network compromise.
Platforms like Veriti Spottr close the visibility gap before the 72-minute clock starts — continuous scanning of your external attack surface that surfaces exposed credentials, legacy access paths, and identity gaps that attackers exploit in the first minutes of a breach. You can't respond in 72 minutes if you don't know the game has started. Visibility is what starts the clock on your side.
The number that should keep every SMB owner awake
72 minutes. 292 days. The gap between those two numbers is where your business lives if you have a stolen credential and no visibility into your identity surface. The attacker finishes their work in just over an hour. You discover it — on average — almost a year later.
The 2026 Unit 42 report ends with measured optimism: over 90% of breaches are still enabled by preventable gaps. Not zero-day exploits. Not nation-state infrastructure. Gaps in visibility, inconsistently applied controls, and excessive identity trust. Solvable problems — if you close them before someone else finds them first.