Non-human identity now forms a core attack surface

SpyCloud has today released its 2026 Identity Exposure Report, a comprehensive analysis of the stolen credentials and identity exposure data circulating in the criminal underground. It highlights a sharp expansion in non-human identity (NHI) exposure.

Last year, SpyCloud saw a 23 percent increase in its recaptured identity datalake, which now totals 65.7 billion distinct identity records. The report shows attackers are increasingly targeting machine identities and authenticated session artifacts in addition to traditional username and password combinations and personally identifiable information (PII).

“We’re witnessing a structural shift in how identity is exploited,” says Trevor Hilligoss, chief intelligence officer at SpyCloud. “Attackers are no longer just targeting credentials. They’re stealing authenticated access, including API keys, session tokens and automation credentials, and using this access to move faster, stay persistent, and scale attacks across cloud and enterprise environments.”

SpyCloud recaptured 18.1 million exposed API keys and tokens in 2025, spanning payment platforms, cloud infrastructure providers, developer ecosystems, collaboration tools, and AI services.

The report also identifies 6.2 million credentials or authentication cookies tied to AI tools, reflecting rapid enterprise adoption of AI platforms and the associated expansion of machine-based access paths.

Unlike human credentials, these NHIs often lack MFA enforcement, rotate infrequently, and operate with broad permissions. When exposed, they can provide attackers with persistent access to production systems, software supply chains, and cloud infrastructure.

The report also shows that modern phishing datasets increasingly contain more than credentials. Many include session cookies, authentication tokens, and MFA workflow data, allowing attackers to assume authenticated sessions without triggering traditional alerts.

Infostealer malware remains a significant contributor to identity exposure, enabling attackers to harvest credentials, cookies, and authentication tokens from infected devices. SpyCloud recaptured over 642.4 million exposed credentials from 13.2 million infostealer malware infections in 2025. That’s an average of 50 exposed user credentials per malware infection, further expanding the number of entry points available to bad actors.

“The challenge isn’t just stopping phishing or malware,” adds Hilligoss. “It’s understanding how exposed identities connect across systems, vendors, and automation workflows. SpyCloud has recaptured nearly one trillion stolen identity assets in our 10 years of disrupting cybercrime. It’s the basis of our insights on the evolution of identity sprawl and the ways in which bad actors aim to weaponize data against individuals and businesses. But there is good news for defenders. When organizations continuously monitor exposure and build in automated remediation workflows — we’ve seen how that can significantly shrink the attacker’s window of opportunity, and that’s a win worth fighting for.”

You can get the full report from the SpyCloud site.

Image credit: Dwuzac0/Dreamstime.com