9 Out of 10 Small Businesses Have a Compromised User Right Now. Most Don't Know I

Threat Intelligence Identity Risk
June 2026  ·  8 min read

The Guardz 2026 State of MSP Threat Report analyzed six months of real telemetry from SMB environments worldwide. The headline finding is the most alarming number in small business cybersecurity this year — and almost nobody is talking about it yet.


Every post in this series has described the risk of credential compromise — what it costs, how it happens, how attackers use it, and what to do about it. This post contains the research that puts a number on exactly how widespread that compromise actually is inside real small businesses right now.

In April 2026, Guardz published its 2026 State of MSP Threat Report — six months of telemetry data from September 2025 through February 2026, drawn from SMB environments managed by IT providers across North America, EMEA, and APAC, covering billions of audit events across Microsoft 365, Google Workspace, endpoint, and cloud infrastructure.

The headline finding: 89% of monitored small businesses had at least one user with confirmed credential compromise at any given time. Not "at some point." Not "historically." At any given time — meaning right now, on any random Tuesday, nearly 9 out of 10 small businesses have at least one compromised user account actively accessible to attackers.

89% of small businesses have at least one compromised user right now

Not "at some point in the past year." At any given time — based on six months of live telemetry from real SMB environments. Nearly one-third of individual users (31%) face compromised password exposure every single month. This is not a theoretical risk. It is the documented current state of small business credential security.

Take a moment with that number. If you have 10 employees, statistically at least one of them has credentials that are actively accessible to attackers right now. If you have 20 employees, almost certainly two or three do. Not because your employees did anything wrong. Because 94% of leaked passwords are reused across accounts, because credential dumps from thousands of unrelated breaches are continuously being tested against business platforms, and because most small businesses have no monitoring in place that would tell them when this happens.

The Guardz report title captures it precisely: "Attackers aren't breaking in anymore. They're logging in." The credential series in this blog has been documenting exactly this shift for 20 posts. The Guardz telemetry from billions of real events confirms it with numbers that are harder to ignore than any case study.

The four shifts the data documents — and what each means for your business

  • +190% ransomware detections over a 50-day window — the fastest acceleration rate ever recorded in SMB environments (Guardz 2026 State of MSP Threat Report)
  • +2,000% spike in Google Workspace OAuth abuse — attackers stealing session tokens to bypass MFA entirely (Guardz 2026 State of MSP Threat Report)
  • 25:1 ratio of machine identities to human users in Microsoft 365 — a largely unmonitored attack surface in most SMBs (Guardz 2026 State of MSP Threat Report)
1. Session hijacking has overtaken credential theft as the fastest-growing attack vector

+23% in 180 days · MFA bypass

Session hijacking — stealing the authentication token that proves you're already logged in, rather than stealing the password itself — increased 23% over 180 days and is now the fastest-growing attack vector in SMB environments. This matters specifically because session hijacking bypasses MFA entirely.

When you log into Microsoft 365 or Google Workspace, the platform issues a session token — a temporary credential that says "this browser, this device, is authenticated." Steal that token and you can access the account without knowing the password and without triggering the MFA prompt. The attacker isn't logging in. They're already in — from the platform's perspective, they are you.

What this means for your business: MFA alone is no longer sufficient. The defenses: short session token lifetimes (configure automatic sign-out after inactivity), conditional access policies that detect impossible travel or new device logins, and monitoring for authentication events from unusual locations. Ask your IT provider whether any of these three controls are in place.
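The second and third controls above are detection logic, and it helps to see what "impossible travel", "new device" and "unusual location" look like when checked against a sign-in log. The script below is an added illustration, not code from this post or from Guardz or Veriti Spottr. It runs over a constructed, simplified sign-in log (the field names, users, device ids and coordinates are all made up for the example) and flags the three patterns; the 900 km/h and 100 km thresholds are assumptions you would tune for your own environment.

```python
"""Sign-in anomaly checks for the three controls named above: impossible
travel, a login from a device never seen for that user, and a machine
identity appearing from a location it never uses. Added example, not code
from the post or from Guardz/Veriti Spottr; the event format below is a
constructed simplification of a cloud sign-in log, not a real export."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; anything faster is impossible travel
MIN_DISTANCE_KM = 100.0     # ignore short hops so GeoIP jitter does not raise alerts


@dataclass
class SignIn:
    user: str
    when: datetime
    device_id: str
    country: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def analyze(events, known_devices, service_accounts):
    """known_devices: {user: set of device ids seen before this window}.
    service_accounts: {identity: set of country codes it legitimately uses}.
    Returns (user, finding, detail) tuples, chronological within each user."""
    findings = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        if ev.user in service_accounts:
            # A non-human identity has no reason to travel: any new country is suspect.
            if ev.country not in service_accounts[ev.user]:
                findings.append((ev.user, "service-account-unusual-location", ev.country))
        elif ev.device_id not in known_devices.get(ev.user, set()):
            findings.append((ev.user, "new-device", ev.device_id))
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Two sign-ins far apart in space but close in time: one of them is not the user.
            if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                findings.append((ev.user, "impossible-travel", f"{km:.0f} km in {hours:.1f} h"))
        last_seen[ev.user] = ev
    return findings


# Constructed sample: a human whose session is replayed from abroad 90 minutes
# after a normal login, a human behaving normally, and a backup service
# account suddenly used from a country it never runs from.
SAMPLE_EVENTS = [
    SignIn("alice", datetime(2026, 3, 3, 9, 0), "LAPTOP-A1", "GB", 51.5074, -0.1278),     # London
    SignIn("alice", datetime(2026, 3, 3, 10, 30), "UNKNOWN-7F", "US", 40.7128, -74.0060),  # New York
    SignIn("bob", datetime(2026, 3, 3, 8, 45), "LAPTOP-B2", "GB", 51.5074, -0.1278),
    SignIn("bob", datetime(2026, 3, 3, 13, 10), "LAPTOP-B2", "GB", 51.5074, -0.1278),
    SignIn("svc-backup", datetime(2026, 3, 3, 2, 0), "backup-vm-01", "NG", 6.5244, 3.3792),  # Lagos
]
KNOWN_DEVICES = {"alice": {"LAPTOP-A1"}, "bob": {"LAPTOP-B2"}}
SERVICE_ACCOUNTS = {"svc-backup": {"GB"}}   # the backup job only ever runs from the UK office


def run_demo():
    return analyze(SAMPLE_EVENTS, KNOWN_DEVICES, SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for user, kind, detail in run_demo():
        print(f"{user:12} {kind:34} {detail}")
```

The point of the example is that none of the three findings depends on the password or the MFA prompt: a replayed session token from a different continent, a browser the user has never used, and a service account appearing in a new country are all visible in the sign-in log even though each individual request was authenticated. Conditional access policies in Microsoft 365 and Google Workspace implement the same comparisons on the platform side; this script shows what they are comparing.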
2. Google Workspace OAuth abuse spiked 2,000% — the "sign in with Google" button is a target

+2,000% spike · OAuth token theft

OAuth tokens power "Sign in with Google" and "Sign in with Microsoft" across thousands of third-party apps. When you connect a new app to your Google Workspace account, you issue that app an OAuth token granting it access to your account. The Guardz data shows a 2,000% spike in OAuth abuse — attackers stealing or manipulating these tokens at a dramatically accelerating rate.

Every third-party app connected to your business Google or Microsoft account is a potential OAuth token an attacker could steal and use to access your email, files, and calendar — without triggering any login alert, without needing your password, and without being stopped by MFA. Most SMBs have dozens of OAuth connections they've never audited.

What this means for your business: Go to your Google Workspace admin console or Microsoft 365 admin center and pull the list of third-party apps with OAuth access to your accounts. Remove any you don't recognize or no longer use. This audit takes 15 minutes. Every unused OAuth connection is a potential entry point that no security tool is monitoring.
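Once the list of connected apps has been pulled, the audit is a triage problem: which grants give an unknown app standing access to mail or files, which are merely unrecognised, and which are approved. The script below is an added example, not code from this post or from Guardz or Veriti Spottr. Its input records are constructed and only loosely modelled on the fields (clientId, displayText, scopes, userKey) that the Google Admin SDK Directory API returns from tokens.list; treat that field mapping, the app names, client IDs and the allowlist as assumptions to be replaced with your own export.

```python
"""Triage of third-party OAuth grants: group by app, flag unknown apps that
hold scopes giving standing access to mail, files, calendar or user admin.
Added example, not from the post or Guardz/Veriti Spottr. Records are
constructed; the field names are an assumption modelled on Google's
Admin SDK tokens.list output and should be checked against a real export."""

# Scopes that let an app read or change business data without the user present.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "read and write all files",
    "https://www.googleapis.com/auth/drive.readonly": "read all files",
    "https://www.googleapis.com/auth/calendar": "read and write calendar",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
}


def triage(grants, allowlist):
    """Return one report row per app, most urgent first.
    allowlist: client IDs of apps the business has knowingly approved."""
    by_client = {}
    for g in grants:
        entry = by_client.setdefault(
            g["clientId"], {"app": g["displayText"], "users": set(), "scopes": set()})
        entry["users"].add(g["userKey"])
        entry["scopes"].update(g["scopes"])

    order = {"remove": 0, "review": 1, "ok": 2}
    report = []
    for client_id, e in by_client.items():
        risky = sorted(s for s in e["scopes"] if s in HIGH_RISK_SCOPES)
        if client_id in allowlist:
            verdict = "ok"       # approved app: keep, but it still appears in the report
        elif risky:
            verdict = "remove"   # unrecognised app with standing access to data
        else:
            verdict = "review"   # unrecognised app holding only identity scopes
        report.append({
            "app": e["app"], "clientId": client_id, "verdict": verdict,
            "users": sorted(e["users"]),
            "risk": [HIGH_RISK_SCOPES[s] for s in risky],
        })
    # Most urgent first; within a verdict, the app touching the most users first.
    return sorted(report, key=lambda r: (order[r["verdict"]], -len(r["users"]), r["app"]))


# Constructed sample grants (example.com users, made-up client IDs).
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "slack-client.example", "displayText": "Slack",
     "scopes": ["openid", "email", "profile"]},
    {"userKey": "bob@example.com", "clientId": "slack-client.example", "displayText": "Slack",
     "scopes": ["openid", "email"]},
    {"userKey": "alice@example.com", "clientId": "pdfmerge-client.example", "displayText": "PDF Merge Pro",
     "scopes": ["https://www.googleapis.com/auth/drive", "email"]},
    {"userKey": "carol@example.com", "clientId": "mailsync-client.example", "displayText": "Mail Sync Tool",
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "bob@example.com", "clientId": "mailsync-client.example", "displayText": "Mail Sync Tool",
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "dave@example.com", "clientId": "quicksync-client.example", "displayText": "QuickSync",
     "scopes": ["openid", "profile"]},
]
ALLOWLIST = {"slack-client.example"}   # the one app the business has knowingly approved


def run_demo():
    return triage(SAMPLE_GRANTS, ALLOWLIST)


if __name__ == "__main__":
    for row in run_demo():
        print(f"{row['verdict']:7} {row['app']:16} users={len(row['users'])} {row['risk']}")
```

The verdict hinges on two things the admin console already shows you: whether anyone in the business recognises the app, and whether its scopes reach data rather than just identity. An app with only openid/email/profile scopes can identify the user but cannot read their mailbox, so it is a "review" rather than a "remove"; an unrecognised app holding a Gmail or Drive scope is exactly the standing token the post is warning about.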
3. Machine identities outnumber humans 25:1 — and almost none are monitored

25:1 ratio · unmonitored attack surface

In a typical Microsoft 365 environment, machine identities — service accounts, API connections, automation scripts, scheduled tasks, app integrations — outnumber human user accounts by 25 to 1. A business with 10 employees may have 250 machine identities accessing its environment. Most businesses have never inventoried them, let alone monitored them for unusual activity.

Attackers know this. Compromising a service account or automation script doesn't trigger the same alerts as a human account login from an unusual location. It looks like normal system activity. The Guardz data shows attackers are increasingly targeting these non-human identities precisely because they're unmonitored, have broad access, and rarely require MFA.

What this means for your business: Ask your IT provider: how many service accounts and app integrations have access to your Microsoft 365 environment? When were those accounts last reviewed? Do any have admin-level access that isn't required? Service account hygiene is the most overlooked security action in small business environments.
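The three questions above turn into a short review once an inventory exists: which non-human identities hold admin roles, which have not been used in months, and which have no owner who can answer for them. The script below is an added example, not code from this post or from Guardz or Veriti Spottr. Its inventory is constructed; in a real Microsoft 365 tenant the same fields would come from the service principal and role assignment listings, and the role names, the 90-day staleness window and the severity weights are assumptions to adjust for your environment.

```python
"""Review of non-human identities (service accounts, app integrations,
automation) for admin-level access, staleness, missing ownership and
missing MFA. Added example, not from the post or Guardz/Veriti Spottr.
The inventory is constructed; role names and thresholds are assumptions."""
from datetime import date, timedelta

# Directory roles that should almost never sit on a machine identity.
ADMIN_ROLES = {"Global Administrator", "Exchange Administrator",
               "SharePoint Administrator", "Privileged Role Administrator"}
STALE_AFTER = timedelta(days=90)   # a quarter without a sign-in: probably abandoned
WEIGHT = {"admin-role": 3, "no-owner": 2, "stale": 1, "never-signed-in": 1, "no-mfa": 1}


def review(identities, today):
    """Return [(name, severity, reasons)] with the most urgent identity first.
    Each identity: {name, kind, roles (set), last_sign_in (date or None),
    owner (str or None), mfa (bool)}."""
    findings = []
    for ident in identities:
        reasons = []
        admin = sorted(set(ident["roles"]) & ADMIN_ROLES)
        if admin:
            reasons.append("admin-role:" + ",".join(admin))
        last = ident["last_sign_in"]
        if last is None:
            reasons.append("never-signed-in")
        elif today - last > STALE_AFTER:
            reasons.append(f"stale:{(today - last).days}d")
        if not ident["owner"]:
            reasons.append("no-owner")
        # Interactive service accounts can be protected by MFA; app integrations
        # authenticate with secrets or certificates and are judged on scope instead.
        if ident["kind"] == "service_account" and not ident["mfa"]:
            reasons.append("no-mfa")
        if reasons:
            severity = sum(WEIGHT[r.split(":")[0]] for r in reasons)
            findings.append((ident["name"], severity, reasons))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


def machine_to_human_ratio(identities, human_users):
    """The post's 25:1 statistic, computed for one environment."""
    return round(len(identities) / human_users, 2)


# Constructed inventory for a small tenant (names, dates and owners made up).
SAMPLE_INVENTORY = [
    {"name": "svc-backup", "kind": "service_account", "roles": {"Global Administrator"},
     "last_sign_in": date(2026, 3, 1), "owner": "it-provider", "mfa": False},
    {"name": "zap-legacy-export", "kind": "app_integration", "roles": set(),
     "last_sign_in": date(2025, 6, 10), "owner": None, "mfa": True},
    {"name": "svc-print", "kind": "service_account", "roles": set(),
     "last_sign_in": None, "owner": "office-mgr", "mfa": True},
    {"name": "hr-sync", "kind": "app_integration", "roles": set(),
     "last_sign_in": date(2026, 3, 2), "owner": "hr-lead", "mfa": True},
]
TODAY = date(2026, 3, 3)


def run_demo():
    return review(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    print(f"machine:human = {machine_to_human_ratio(SAMPLE_INVENTORY, 10)}:1")
    for name, severity, reasons in run_demo():
        print(f"[{severity}] {name:20} {', '.join(reasons)}")
```

The ordering is the practical output: a backup account holding Global Administrator without MFA comes first, an abandoned integration nobody owns comes second, and a service account that has never signed in (so it may be safe to disable) comes last. The quiet identity "hr-sync" produces no finding, which is the state every entry on the list should reach after a review.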
4. Attackers are going quiet — living off the land rather than deploying malware

26.2% of threats via RMM tools · no malware signature

RMM tool abuse now accounts for 26.2% of all endpoint threats in Guardz-monitored SMB environments. The same tools your IT provider uses to manage your systems are being used by attackers who have compromised either your IT provider or your own environment. The 2026 DBIR documented the same shift: attackers are avoiding malware that antivirus can detect, instead using tools that are already installed, already trusted, and already have the access they need.

What this means for your business: Know what RMM tool your IT provider uses. Ask them: has it been patched to the latest version? Is there MFA on the admin console? Can they show you a log of actions taken via the RMM tool on your systems in the past 30 days? The Sophos/DragonForce incident confirmed this attack pattern is active against SMBs right now.

The 31% monthly exposure figure deserves specific attention. Nearly one-third of all users in monitored SMB environments had a compromised password in any given month. That's not an annual figure. Monthly. If you have 10 employees, statistically 3 of them have a password that appeared in a breach database this month — and if any of those passwords are reused at work, attackers are already testing them against your systems right now.

Why your existing defenses aren't catching this

The security tools most small businesses have — endpoint antivirus, email filtering, firewall — are designed to catch attacks that look like attacks. Malware with a signature. Phishing emails with suspicious links. Network traffic to known bad IPs.

The attacks driving the 89% figure don't look like attacks. A stolen session token used to read email looks like normal email access. An OAuth-compromised app pulling files looks like a scheduled sync. A service account logging in from an unusual location looks like a system task. Living-off-the-land ransomware deployment looks like your IT provider running a tool they run every week.

The Guardz CEO puts it directly: "What determines outcomes now is how security is structured — whether signals across identity, email, endpoints, and cloud are connected and can be acted on in time." Point solutions protecting individual layers miss the cross-layer attack that starts with a compromised credential, moves through a stolen session token, uses an OAuth connection to reach a file share, and deploys ransomware through an RMM tool — all using legitimate-looking activity at every step.

The five things to check right now

  • Run a HIBP domain search today. haveibeenpwned.com → Domain Search → your company domain. Any employee email appearing in a breach database should have their work password changed immediately.
  • Audit OAuth connections. Google Workspace Admin Console → Security → API Controls → App Access Control. Microsoft 365 Admin → Azure Active Directory → Enterprise Applications. Remove anything you don't recognize or actively use.
  • Review service accounts. Ask your IT provider for a list of all service accounts and machine identities with access to your cloud environment. Any with admin privileges that don't require it should be downgraded.
  • Configure session timeouts. Automatic sign-out after 8–12 hours of inactivity in Microsoft 365 and Google Workspace significantly reduces the window an attacker has to use a stolen session token.
  • Ask about your RMM tool. Know which RMM tool your IT provider uses. Ask when it was last patched and whether the admin console has MFA enabled.

The Veriti Spottr CyberScore's Exposure component continuously monitors your external attack surface for the credential exposures that feed into the 89% figure — scanning your domain against breach databases so you know when an employee credential appears before an attacker tests it against your systems. The Security Posture survey covers your session management, OAuth controls, and access review practices. The 89% figure is the problem. A CyberScore below 60 is evidence you're in it. The five checks above are how you start climbing out.

Find out if your business is in the 89%. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
