More Attackers Are Logging In, Not Breaking In

IDENTITY & ACCESS MANAGEMENT SECURITY PERIMETER THREAT INTELLIGENCE CYBER RISK NEWS More Attackers Are Logging In, Not Breaking In Credential theft soared in the second half of 2025, thanks in part to the industrialization of infostealer malware and AI-enabled social engineering. Jai Vijayan,Contributing Writer March 17, 2026 4 Min Read SOURCE: IWISSAWA VIA SHUTTERSTOCK Credential theft is now the primary way attackers gain initial access to enterprise networks, and the speed, scale, and sophistication with which they are weaponizing stolen credentials is outpacing the ability of defenders to block them. A new analysis of 2025 threat data by Recorded Future shows a startling increase in the volume of stolen credentials available in underground markets last year, suggesting accelerating attacks targeting usernames, passwords, authentication tokens, and other sensitive login data. In all, Recorded Future indexed nearly two billion credentials from malware combo lists — or aggregated lists of stolen username and passwords from across breaches — alone, in 2025. The threat intelligence firm observed 50% more compromised credentials in the second half of 2025 compared to the first half, and the volume in Q4 was some 90% more than in the first quarter.  A Sharp Rise in Credential Theft Related:Delinea's StrongDM Acquisition Highlights the Changing Role of PAM The acceleration in credential theft, especially in Q4, was driven by the industrialization of infostealer malware, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, says Alexander Leslie, senior advisor at Recorded Future. He describes these trends as lowering the barrier to entry for cybercriminals and increasing both the volume and quality of stolen credentials and session artifacts such as cookies that can bypass multifactor authentication (MFA). "This trend will almost certainly continue, given the compounding effects of SaaS sprawl, browser-based credential syncing, and generative AI-enabled targeting," Leslie tells Dark Reading, adding that all of these factors "expand the identity attack surface faster than defenses evolve." Loading... If the volume of stolen credentials is worrying by itself, what criminals could do with those credentials is even more so, Recorded Future's analysis showed. The company analyzed some seven million stolen credentials where the associated URL made it possible for an attacker to know clearly what system they could access with a particular credential set. Nearly two-thirds of such credentials were associated with authentication systems such as an Okta login page, a Microsoft Azure Active Directory portal, or a corporate VPN.   The data point shows that attackers are increasingly looking for credentials to systems that provide them with the broadest access to an environment and, in some cases, to systems that would allow them "to blind security teams entirely," Recorded Future said. Other high-value credentials that Recorded Future observed included those gating access to remote monitoring and management tools — a favorite for attackers targeting managed service providers (MSPs) and their downstream customers — cloud platforms, and email infrastructure. Related:SpecterOps Launches BloodHound Scentry to Accelerate the Practice of Identity Attack Path Management Enabling MFA Bypass  Record Future's report had more sobering data points. Some 276 million of the stolen credentials — or 31% of all malware-sourced credentials — that Recorded Future analyzed in 2025 included active session cookies. These are cookies that store proof of a user being already authenticated to a system, meaning an attacker could use them to hijack active sessions and access accounts without needing a password. What makes the theft of session cookies troubling is that they allow an attacker to bypass MFA completely, Recorded Future said. “The core takeaway is that identity has become the primary attack surface, and attackers are no longer breaking in but systematically logging in using stolen credentials at scale," Leslie notes. "Enterprises must shift from perimeter and MFA-centric defenses to continuous identity monitoring and response." Recorded Future's findings confirm what many others have noted recently about attackers shifting away from traditional vulnerability exploits toward credential-based access, where valid usernames, passwords, and session tokens are used to quietly enter systems without triggering alarms.  Related:Identity Security 2026: Four Predictions & Recommendations Google's Threat Intelligence Group identified threat actors using stolen credentials for initial access in 21% of ransomware incidents last year and were able to identify how an attacker gained an initial foothold. In many of the incidents, the credentials allowed the attacker to authenticate to a victims' VPN or remote desktop protocol login, Google said in a report this week. Additionally, Verizon identified attackers using stolen and compromised credentials in 22% of the incidents it investigated last year, making it one of the top initial access vectors. By way of advice, Leslie advocates that organizations enforce device- and behavioral-based conditional access policies to address MFA bypassing techniques like session hijacking, adversary-in-the-middle phishing and valid account abuse. Organizations should also consider using phishing resistant MFA such as FIDO2 and implement continuous monitoring and capabilities for rapid remediation of exposed credentials across both corporate and personal contexts.  "High-risk credentials tied to IAM, security tooling, and SIEM must be treated as Tier-0 assets with strict segregation, vaulting, rotation, and real-time exposure detection," Leslie says. "Attackers target this layer to disable defenses, escalate privileges, and gain durable, stealthy control over enterprise environments using legitimate access pathways rather than noisy exploits.” About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like IDENTITY & ACCESS MANAGEMENT SECURITY Orgs Move to SSO, Passkeys to Solve Bad Password Habits by Nate Nelson, Contributing Writer NOV 13, 2025 IDENTITY & ACCESS MANAGEMENT SECURITY Philippines Power Election Security With Zero-Knowledge Proofs by Mercedes Cardona AUG 26, 2025 IDENTITY & ACCESS MANAGEMENT SECURITY NIST Digital Identity Guidelines Evolve With Threat Landscape by Arielle Waldman AUG 14, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE