Austin, TX, USA, 19th March 2026, CyberNewswire

SpyCloud’s 2026 Identity Exposure Report Reveals Explosion of Non-Human Identity Theft

2026/03/19 21:41

New Report Highlights Surge in Exposed API Keys, Session Tokens, Machine Identities, and More

SpyCloud, the leader in identity threat protection, today released its annual 2026 Identity Exposure Report, one of the most comprehensive analyses of stolen credentials and identity exposure data circulating in the criminal underground. The report highlights a sharp expansion in non-human identity (NHI) exposure.

Last year, SpyCloud saw a 23% increase in its recaptured identity datalake, which now totals 65.7B distinct identity records. The report shows attackers are increasingly targeting machine identities and authenticated session artifacts in addition to traditional username and password combinations and personally identifiable information (PII).

Key Findings from the 2026 Identity Exposure Report:

Non-Human Identities Are Now a Core Attack Surface

SpyCloud recaptured 18.1 million exposed API keys and tokens in 2025, spanning payment platforms, cloud infrastructure providers, developer ecosystems, collaboration tools, and AI services.

The report also identified 6.2 million credentials or authentication cookies tied to AI tools, reflecting rapid enterprise adoption of AI platforms and the associated expansion of machine-based access paths.

Unlike human credentials, these NHIs often lack MFA enforcement, rotate infrequently, and operate with broad permissions. When exposed, they can provide attackers with persistent access to production systems, software supply chains, and cloud infrastructure.

Phishing is an Enterprise Threat

SpyCloud recaptured 28.6 million phished identity records in 2025. Notably, nearly half of those identities were corporate users, reinforcing that phishing remains a persistent enterprise threat.

This trend aligns with SpyCloud research showing that successful phishing attacks have surged 400% YoY. The result is a clear warning to enterprises: their workforce is now 3x more likely to be targeted with phishing attacks than infostealer malware.

Modern phishing datasets increasingly contain more than credentials. Many include session cookies, authentication tokens, and MFA workflow data, allowing attackers to assume authenticated sessions without triggering traditional alerts. With an influx of bad actors leveraging AI to craft more realistic lures and automate campaigns, this problem is not going away anytime soon, and enterprise security teams must go beyond employee training for a truly preventative approach.

Session Theft and MFA Bypass Continue at Scale

SpyCloud recaptured 8.6 billion stolen cookies and session artifacts exposed through malware infections, demonstrating continued attacker focus on session hijacking techniques that bypass traditional authentication safeguards. In parallel, SpyCloud analysis of underground combolists found that 51% of records overlapped with previously observed infostealer logs, indicating that criminals are increasingly repackaging malware-exfiltrated data rather than relying solely on fresh breach disclosures.

Public reporting throughout the past year has documented multiple MFA bypass campaigns leveraging adversary-in-the-middle (AitM) phishing kits and session replay techniques, including activity targeting Microsoft 365 environments through stolen authentication tokens.

On March 4, 2026, Europol announced, in partnership with Microsoft and other private organizations, that it had executed a coordinated seizure of Tycoon 2FA – a major phishing-as-a-service infrastructure and service that enabled widespread MFA bypass through AitM techniques – and disrupted its operational capabilities significantly. SpyCloud supported the global disruption effort by contributing victim identity intelligence and operational analysis drawn from criminal underground sources. The recent operation highlights the industrialization of phishing and the growing value of session artifacts in attacker workflows.

Malware Continues to Exfiltrate Identity Data

Despite the rise of phishing, infostealer malware remains a significant contributor to identity exposure, enabling attackers to harvest credentials, cookies, and authentication tokens from infected devices. SpyCloud recaptured over 642.4 million exposed credentials from 13.2 million infostealer malware infections in 2025. That’s an average of 50 exposed user credentials per malware infection – further expanding the number of entry points available to bad actors.

A notable portion of infections occurred on endpoints with EDR or antivirus tools installed, reinforcing that endpoint controls alone are not sufficient to prevent identity theft.

Credential Exposure Remains High, with Weak Password Hygiene

SpyCloud recaptured 5.3 billion credential pairs – stolen credentials consisting of usernames or email addresses and passwords.

Among exposed corporate credentials, 80% contained plaintext passwords, significantly lowering the barrier to immediate account takeover attacks. Once again, predictable patterns tied to pop culture, sports, and short numeric strings continue to be used broadly. Top trendy passwords include:

  • 67 / sixseven: 140.4M
  • sweet / cookie / candy / cake / pie: 5.7M
  • chiefs / kansas city chiefs: 5M
  • 2025: 4.1M
  • apple / banana / orange / strawberry / fruit: 2.6M

Password reuse remains widespread, and the report also identified 1.1 million password manager master passwords circulating in underground sources, raising concerns about vault-level compromise when master credentials are weak.

The Expanding Identity Exposure Surface

The 2026 report highlights a central shift in identity threats and underscores the need for continuous identity threat protection across both human and machine identities. Attackers are combining breach data, phishing captures, malware logs, session tokens, and machine credentials to construct composite identity profiles that fuel everything from session hijacking and ransomware to supply chain compromise.

As organizations accelerate cloud adoption and embed AI tools across workflows, machine identities are becoming deeply integrated into critical systems. The theft of these credentials and authentication tokens can create downstream ripple effects far beyond a single compromised account.

Full report and in-depth analysis available here.

About SpyCloud

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now. To learn more and see insights on your company’s exposed data, users can visit spycloud.com.


Contact

Katie Hanusik
REQ on behalf of SpyCloud
spycloud@req.co
