Nikkei Reports Data Breach After Malware Exposes 17,000 Slack Accounts

Japanese publishing conglomerate Nikkei announced this week that hackers gained unauthorized access to its Slack workspace, exposing personal information for over 17,000 employees and business partners. The breach occurred after malware infected an employee’s computer, stealing authentication credentials that were then used to access corporate accounts.

Nikkei discovered the security incident in September and immediately implemented countermeasures, including mandatory password resets. The compromised data includes names, email addresses, and chat histories for 17,368 individuals registered on the company’s Slack platform.

How the Attack Unfolded

The breach started when an employee’s personal computer became infected with a virus, which captured and leaked their Slack authentication credentials. Attackers used these stolen credentials to log into employee accounts without raising immediate red flags. Since the login activity appeared legitimate to security systems, the intrusion went undetected until September.

Despite the scale of the incident, Nikkei stated the stolen information doesn’t fall under Japan’s Personal Information Protection Law, which mandates reporting for certain data breaches. However, the company voluntarily reported the incident to Japan’s Personal Information Protection Commission, citing transparency and the “significance” of the breach.

The publisher emphasized that no information related to confidential sources or reporting activities was compromised, and personal data collected for journalistic purposes remains secure.

A Pattern of Credential-Based Attacks

This incident fits squarely into a disturbing trend. Credential theft now accounts for one in five data breaches, with compromised credentials surging 160% in 2025. What makes credential theft particularly dangerous is its simplicity: once attackers obtain legitimate user credentials, they can access any resources available to that user without bypassing security controls or disabling systems.

In the first half of 2025 alone, 1.8 billion credentials were stolen from 5.8 million infected hosts. This explosion in credential theft is driven by information-stealing malware (infostealers) that harvest login data from browsers, password managers, and system memory. These tools are increasingly sold as Malware-as-a-Service (MaaS), allowing even inexperienced cybercriminals to deploy sophisticated attacks.

The rise of AI-powered phishing campaigns has made matters worse, engineering highly personalized messages that trick users into revealing credentials or installing malicious payloads. Traditional security measures like email gateways and anti-phishing tools can’t guarantee protection against these sophisticated attacks.

The Cost of Collaboration Tools

Slack, Microsoft Teams, and similar platforms have become digital nerve centers for modern organizations. They host everything from casual conversations to sensitive business discussions, strategic planning documents, and confidential client information. This makes them attractive targets.

When attackers breach collaboration platforms, they gain visibility into internal operations, employee relationships, ongoing projects, and potential vulnerabilities. They can identify high-value targets, understand reporting structures, and plan more sophisticated follow-on attacks.

A History of Security Incidents

This marks the third major security incident for Nikkei in recent years. In May 2022, Nikkei’s subsidiary in Singapore was hit by a ransomware attack that impacted a server “likely containing customer data.”

Three years before that, in September 2019, the company lost approximately $29 million in a business email compromise attack after an employee was tricked by scammers posing as a Nikkei executive into sending funds to a bank account controlled by criminals. The pattern is clear: even large, sophisticated organizations with resources and security awareness training remain vulnerable to attacks that exploit human behavior and credential theft.

Protecting Against Credential-Based Breaches

Organizations can’t completely prevent credential theft, but they can reduce the damage when it happens. A few practical steps include:

Multi-factor authentication (MFA) for everything. MFA blocks the vast majority of credential-based attacks by requiring something more than just a password. If an attacker steals credentials but can’t provide the second factor, they’re locked out.

Implement privileged access management. Not every user needs permanent access to every system. Admin By Request’s EPM solution grants elevated access only when needed and only for specific applications. This means even if credentials are stolen, the damage is contained because the compromised account doesn’t have standing administrative privileges.

Monitor for credential exposure. Organizations should actively scan dark web forums and credential marketplaces for leaked employee credentials. The faster you detect exposure, the faster you can revoke access and prevent unauthorized use.

Endpoint security on all devices. Infostealers typically infect endpoints through phishing emails, malicious downloads, or compromised websites. Strong endpoint protection can catch malware before it steals credentials.

Comprehensive audit logging and monitoring. When someone does access your systems, detailed logging helps you detect suspicious behavior patterns. Track all privileged access attempts, elevation requests, and system changes to identify anomalies before they become breaches.
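The monitoring step can be made concrete with a per-user baseline check. This is an added example, not code from the original article or from Admin By Request. It assumes login records shaped like the entries returned by Slack's team.accessLogs method; the sample records, the `BASELINE_END` cutoff and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data). Field names follow the entries
# returned by Slack's team.accessLogs method; values are invented.
SAMPLE_LOGS = [
    {"user_id": "U001", "ip": "203.0.113.10", "country": "JP",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Slack/4.38",
     "date_first": 1719800000},
    {"user_id": "U001", "ip": "203.0.113.10", "country": "JP",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Slack/4.39",
     "date_first": 1722500000},
    {"user_id": "U001", "ip": "198.51.100.77", "country": "NL",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0",
     "date_first": 1725200000},
    {"user_id": "U002", "ip": "203.0.113.25", "country": "JP",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Slack/4.39",
     "date_first": 1725300000},
]
BASELINE_END = 1725000000  # hypothetical cutoff: earlier logins form the baseline


def platform(user_agent):
    """Coarse client fingerprint: first token inside the UA's parentheses."""
    start, end = user_agent.find("("), user_agent.find(")")
    if start == -1 or end < start:
        return "unknown"
    return user_agent[start + 1:end].split(";")[0].strip()


def flag_new_context_logins(logs, baseline_end):
    """Flag post-baseline logins from a country or platform the user never used."""
    countries, platforms = defaultdict(set), defaultdict(set)
    alerts = []
    for rec in sorted(logs, key=lambda r: r["date_first"]):
        uid, ctry, plat = rec["user_id"], rec["country"], platform(rec["user_agent"])
        if rec["date_first"] < baseline_end:
            countries[uid].add(ctry)
            platforms[uid].add(plat)
            continue
        if not countries[uid]:
            reasons = ["no_baseline"]  # new account: review rather than skip
        else:
            reasons = [name for name, seen, val in (
                ("new_country", countries[uid], ctry),
                ("new_platform", platforms[uid], plat)) if val not in seen]
        if reasons:
            alerts.append({"user_id": uid, "ip": rec["ip"], "reasons": reasons})
    return alerts
```

A login made with valid stolen credentials passes authentication, so the signal here is the change in context rather than a failed attempt; flagged logins are candidates for session revocation and a forced re-authentication.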

The Broader Implications

The Nikkei breach serves as a reminder that credential theft isn’t just a technical problem. With credential theft incidents soaring compared to previous years, organizations need to assume that credentials will be stolen and build security architectures that limit the damage when it happens.

Zero trust principles matter more than ever. Don’t assume that anyone with valid credentials should have unlimited access. Verify every access request, grant the minimum permissions necessary, and monitor everything.

Want to see how Admin By Request can help protect your organization from credential-based attacks? Book a free demo or sign up for our lifetime free plan with all features included for up to 25 seats.

About the Author:

Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
