Identity Theft Surge - SpyCloud's 2026 Report Unveiled
Basically, a new report shows that hackers are stealing more digital identities, including those of machines, not just people.
SpyCloud's latest report reveals a sharp rise in non-human identity theft, impacting corporate users significantly. Exposed API keys and session tokens present serious risks. Organizations must enhance their security measures to combat this growing threat.
What Happened
SpyCloud has released its 2026 Identity Exposure Report, revealing alarming trends in identity theft. The report highlights a 23% increase in the recaptured identity datalake, totaling 65.7 billion distinct identity records. This year, the focus has shifted towards non-human identities (NHI), such as API keys and session tokens. These machine identities are now a primary target for attackers, indicating a structural shift in how identities are exploited.
Trevor Hilligoss, Chief Intelligence Officer at SpyCloud, noted that attackers are not just after traditional usernames and passwords. They are increasingly stealing authenticated access, which includes API keys and session tokens. This access allows them to move quickly and persistently within cloud and enterprise environments, raising serious concerns for organizations.
Who's Affected
The report indicates that corporate users are significantly impacted, with nearly half of the 28.6 million phished identity records belonging to them. This statistic underscores the persistent threat of phishing in enterprise environments. Additionally, the report highlights that 6.2 million credentials tied to AI tools were also compromised, reflecting the rapid adoption of AI technologies in businesses and the associated risks.
Phishing attacks have surged by 400% year-over-year, making it clear that organizations must take immediate action to protect their workforce. With attackers leveraging AI to create more convincing phishing lures, the stakes are higher than ever.
What Data Was Exposed
SpyCloud's findings reveal a staggering amount of exposed data. The report details that 18.1 million API keys and tokens were recaptured in 2025, spanning various platforms and services. Additionally, 8.6 billion stolen cookies and session artifacts were identified, demonstrating a significant focus on session hijacking techniques.
Moreover, 5.3 billion credential pairs were exposed, with 80% of corporate credentials containing plaintext passwords. Because a plaintext password can be used as-is, with no cracking step, this weak password hygiene lowers the barrier for immediate account takeover attacks. The report also identified 1.1 million compromised password manager master passwords, raising alarms about potential vault-level breaches.
What You Should Do
Organizations must adopt a proactive approach to identity threat protection. Continuous monitoring of identity exposure is crucial, especially as machine identities become more integrated into critical systems. Implementing automated remediation workflows can significantly reduce the window of opportunity for attackers.
Training employees on phishing awareness is essential, but it should be part of a broader strategy that includes advanced threat detection and response capabilities. As the landscape of identity theft evolves, businesses must stay vigilant and adapt their security measures accordingly to protect both human and machine identities.
CSO Online