The Veriti Spottr Cybersecurity Brief

Thought Leadership Credential Risk May 2026  ·  8 min read 94% of leaked passwords are reused or duplicated. Employees reuse the same password an average of 13 times. And by 2026, nearly half of all successful cyberattacks on SMBs will originate from credential reuse. Most businesses have a password policy. Almost none have visibility into whether anyone follows it. Think about the password you use for your personal email. Now think about whether any of your employees use that same password — or a variation of it — to log into your business systems. You don't know. And that uncertainty is the problem. In 2024, a security researcher analyzed 19.03 billion leaked passwords from breach databases and found that only 6% were unique. The other 94% had been used before — on another account, at another company, in another breach. Every one of those reused credentials is a master key that attackers test systematically...

How phishing, session theft, and AI voice scams still break in For years, small and midsize businesses were told a simple story: turn on multi-factor authentication, and you will be far safer. That advice was not wrong. It is still essential. But in 2026, it is no longer sufficient on its own. Attackers have adapted. They no longer focus only on stealing passwords. They increasingly target the layer after password entry: session cookies, MFA prompts, device trust, help-desk workflows, and human verification habits. The result is a more dangerous reality for SMBs. A company can deploy MFA and still be vulnerable to adversary-in-the-middle phishing, session hijacking, push fatigue, social engineering, and AI-enhanced impersonation. This is not theory. In January 2026, Microsoft said it had blocked more than 13 million malicious emails linked to Tycoon2FA in October 2025 alone . In March 2026, Microsoft said that by mid-2025 Tycoon2FA accounted for approximately 62% of all phishi...