New Jersey report warns stolen credentials remain top cyber threat

Late last year, Hoboken, New Jersey, suffered a debilitating ransomware attack that forced online services to be suspended and its city hall to be shuttered temporarily.

The attack was later attributed to the ThreeAM ransomware group, which has alleged links to the Russian-backed Conti malware and “Wizard Spider” cybercrime group, with city officials still investigating what happened alongside cybersecurity specialists and the Federal Bureau of Investigation.

It was one of several major cybersecurity incidents to hit New Jersey last year, and, in its 2025 Threat Assessment report, the state’s Office of Homeland Security and Preparedness warned that more are likely to follow, driven by the ongoing and growing scourge of stolen credentials.

The New Jersey Cybersecurity and Communications Integration Cell, a section of the homeland security office known as NJCCIC that shares information on cyber threats and preparedness, said it notified state, municipal and county governments hundreds of times about compromised credentials last year.

Credentials are stolen through a variety of ways, including phishing emails, data breaches and credential stuffing, where previously leaked usernames and passwords are tested across multiple platforms. Stealer malware, which exfiltrates credentials and other authentication data from infected devices, is also growing in popularity. The report said NJCCIC notified organizations across the state more than 28,000 times last year about stolen credentials, and it will continue to be a major issue.

“Compromised login credentials are a favored method for threat actors to gain unauthorized network access, often without detection, by appearing as legitimate logins,” the report says. “Various reports estimate over 15 billion sets of compromised credentials are available on the internet. As such, this attack vector is expected to remain a top choice for threat actors targeting New Jersey public- and private-sector organizations, as well as the state’s residents in 2025.”

The cell also will continue to “proactively” search for compromised credentials like email addresses and passwords, the report says. That includes scouring the dark web and other illegal sites, as well as websites belonging to select state and critical infrastructure personnel.

The report also warned of various other cyber threats, including fraud, systemic cyber risks like the faulty CrowdStrike update that impacted systems nationwide, and artificial intelligence. The report said generative AI brings “unparalleled opportunities and significant cybersecurity challenges.”

“AI-driven advancements are reshaping industries, enhancing automation, and improving decision-making, but they are also empowering cybercriminals with new attack capabilities,” it continued.

NJCCIC said it has “high confidence” that cybercriminals will turn increasingly to generative AI for nefarious means, including with phishing campaigns at scale. The report also raised the possibility that bad actors will turn to AI-driven deepfakes to craft convincing sounding texts and voice messages.

“Adversaries are already deploying deepfakes to impersonate executives in financial scams, spread misinformation on social media, and influence political processes by sowing distrust and undermining election integrity,” the report warned.

To address the threat of AI-driven cybercrime, the report called for “global collaboration, continuous threat intelligence monitoring, and adaptive cybersecurity defenses to ensure that AI serves as a tool for progress rather than a weapon for exploitation.”

The report called on organizations across the state to report cybersecurity incidents in a timely fashion, to help others improve their response and recovery times, bolster threat intelligence, prevent any cascading failures or “ripple effects” from a breach and encourage greater collaboration between the public and private sectors. But not everyone impacted by an attack is notifying the authorities. NJCCIC said it notified more than 200 organizations that they had been breached based on indicators of compromise that it has detected.

This year’s report takes on special significance, wrote Laurie Doran, director of the Office of Homeland Security and Preparedness, in the report’s foreword. New Jersey is set to host various events of worldwide significance in the near future, including soccer’s FIFA Club World Cup this summer, the 2026 FIFA World Cup and events around the 250th anniversary of the founding of the United States.

“These events will bring together diverse communities and present unique security challenges, and we are committed to ensuring the safety and security of all,” Doran wrote. “As the public serves as one of our most effective first lines of defense against terrorism and threats, I encourage everyone to remain vigilant.”

The report warned of the “direct risks” to public health and safety, critical infrastructure and the state’s economic and national security interests given the escalating cyber threats New Jersey faces. And it called for a whole-of-state approach to cybersecurity to combat them.

“Public sector organizations at the federal, state, and local levels, as well as the private sector and large and small businesses, must collaborate by sharing threat intelligence, implementing robust cybersecurity standards, and fostering a culture of vigilance,” the report says.