New Report Highlights Surge in Exposed API Keys, Session Tokens, and Machine Identities, and more.
SpyCloud, the leader in identity threat protection, today released its annual 2026 Identity Exposure Report, one of the most comprehensive analyses of stolen credentials and identity exposure data circulating in the criminal underground and highlighting a sharp expansion in non-human identity (NHI) exposure.
Last year, SpyCloud saw a 23% increase in its recaptured identity datalake, which now totals 65.7B distinct identity records. The report shows attackers are increasingly targeting machine identities and authenticated session artifacts in addition to traditional username and password combinations and personally identifiable information (PII).
“We’re witnessing a structural shift in how identity is exploited,” said Trevor Hilligoss, Chief Intelligence Officer at SpyCloud. “Attackers are not simply targeting credentials. They’re stealing authenticated access, including API keys, session tokens and automation credentials, and using this access to move faster, stay persistent, and scale attacks across cloud and enterprise environments.”
Key Findings from the 2026 Identity Exposure Report:
Non-Human Identities Are Now a Core Attack Surface
SpyCloud recaptured 18.1 million exposed API keys and tokens in 2025, spanning payment platforms, cloud infrastructure providers, developer ecosystems, collaboration tools, and AI services.
The report also identified 6.2 million credentials or authentication cookies tied to AI tools, reflecting rapid enterprise adoption of AI platforms and the associated expansion of machine-based access paths.
Unlike human credentials, these NHIs often lack MFA enforcement, rotate infrequently, and operate with broad permissions. When exposed, they can provide attackers with persistent access to production systems, software supply chains, and cloud infrastructure.
Phishing is an Enterprise Threat
SpyCloud recaptured 28.6 million phished identity records in 2025. Notably, nearly half of those identities were corporate users, reinforcing that phishing remains a persistent enterprise threat.
This trend aligns with SpyCloud research showing that successful phishing attacks have surged 400% YoY. The result is a clear warning to enterprises: their workforce is now 3x more likely to be targeted with phishing attacks than infostealer malware.
Modern phishing datasets increasingly contain more than credentials. Many include session cookies, authentication tokens, and MFA workflow data, allowing attackers to assume authenticated sessions without triggering traditional alerts. With an influx of bad actors leveraging AI to craft more realistic lures and automate campaigns, this problem is not going away anytime soon, and enterprise security teams must go beyond employee training for a more truly preventative approach.
Session Theft and MFA Bypass Continue at Scale
SpyCloud recaptured 8.6 billion stolen cookies and session artifacts exposed by malware infections, demonstrating continued attacker focus on session hijacking techniques that bypass traditional authentication safeguards. In parallel, SpyCloud analysis of underground combolists found that 51% of records overlapped with previously observed infostealer logs, indicating that criminals are increasingly repackaging malware-exfiltrated data rather than relying solely on fresh breach disclosures.
Public reporting throughout the past year has documented multiple MFA bypass campaigns leveraging adversary-in-the-middle (AitM) phishing kits and session replay techniques, including activity targeting Microsoft 365 environments through stolen authentication tokens.
On March 4, 2026, Europol announced, in partnership with Microsoft and other private organizations, that it had executed a coordinated seizure of Tycoon 2FA – a major phishing-as-a-service infrastructure and service that enabled widespread MFA bypass through AitM techniques – and disrupted its operational capabilities significantly. SpyCloud supported the worldwide disruption effort by contributing victim identification intelligence and operational analysis drawn from criminal underground sources. The recent operation highlights the industrialization of phishing and the rising value of session artifacts in attacker workflows.
Malware Continues to Exfiltrate Identity Data
Despite the rise of phishing, infostealer malware remains a significant contributor to identity exposure, enabling attackers to harvest credentials, cookies, and authentication tokens from infected devices. SpyCloud recaptured over 642.4 million exposed credentials from 13.2 million infostealer malware infections in 2025. That’s an average of 50 exposed user credentials per malware infection – further expanding the number of entry points available to bad actors.
A notable portion of infections occurred on endpoints with EDR or antivirus tools installed, reinforcing that endpoint controls alone are not sufficient to prevent identity theft.
Credential Exposure Remains High, with Weak Password Hygiene
SpyCloud recaptured 5.3 billion credential pairs – stolen credentials consisting of usernames or email addresses and passwords.
Among exposed corporate credentials, 80% contained plaintext passwords, significantly lowering the barrier to immediate account takeover attacks. Once again, predictable patterns tied to pop culture, sports, and short numeric strings continue to be used widely. Top trendy passwords include:
- 67 / sixseven: 140.4M
- candy / cookie / sweet / cake / pie: 5.7M
- chiefs / kansas city chiefs: 5M
- 2025: 4.1M
- apple / banana / orange / strawberry / fruit: 2.6M
Password reuse remains widespread, and the report also identified 1.1 million password manager master passwords circulating in underground sources, raising concerns about vault-level compromise when master credentials are weak.
The Expanding Identity Exposure Surface
The 2026 report highlights a central shift in identity threats and underscores the need for continuous identity threat protection across both human and machine identities. Attackers are combining breach data, phishing captures, malware logs, session tokens, and machine credentials to assemble composite identity profiles that fuel everything from session hijacking and ransomware to supply chain compromise.
As organizations accelerate cloud adoption and embed AI tools across workflows, machine identities are becoming deeply integrated into critical systems. The theft of these credentials and authentication tokens can create downstream ripple effects far beyond a single compromised account.
“The challenge isn’t just stopping phishing or malware,” Hilligoss added. “It’s understanding how exposed identities connect across systems, vendors, and automation workflows.” He continues, “SpyCloud has recaptured nearly one trillion stolen identity assets in our 10 years of disrupting cybercrime. It’s the basis of our insights on the evolution of identity sprawl and the ways in which bad actors aim to weaponize data against individuals and businesses. But there’s good news for defenders. When organizations constantly monitor exposure and build in automated remediation workflows – we’ve seen how that can significantly shrink the attacker’s window of opportunity, and that’s a win worth fighting for.”
Full report and in-depth analysis available here.
About SpyCloud
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now. To learn more and see insights on your company’s exposed data, users can visit spycloud.com.
Contact
Katie Hanusik
REQ on behalf of SpyCloud
spycloud@req.co



