
SpyCloud 2026 Identity Exposure Report Highlights Surge in Non-Human Identity Theft


Surge in Exposed API Keys, Tokens, and Machine Identities Highlighted in SpyCloud’s New Report

A significant rise in the exposure of API keys, session tokens, and machine identities has been detailed in the latest annual report from SpyCloud, a leader in identity threat protection. Released recently, the 2026 Identity Exposure Report offers one of the most thorough analyses of stolen credentials and identity exposure data available, drawing attention to a growing concern around non-human identity (NHI) exposure.

In the past year, SpyCloud reported a staggering 23% increase in its recaptured identity data lake, which now holds over 65.7 billion distinct identity records. This dramatic growth indicates that attackers are not only focusing on traditional username and password combinations but are increasingly targeting machine identities and authenticated session artifacts.

Trevor Hilligoss, Chief Intelligence Officer at SpyCloud, remarked that there is a fundamental change in how identities are exploited by attackers. "No longer are they content with just stealing credentials," he stated. "They are now focused on stealing authenticated access that includes API keys, session tokens, and automation credentials. This new paradigm enables them to launch attacks more swiftly, maintain persistent access, and scale their operations across both cloud and enterprise environments."

Key Findings from the 2026 Identity Exposure Report

Non-Human Identities as a Core Attack Surface

The report reveals that SpyCloud managed to recapture an astonishing 18.1 million exposed API keys and tokens in 2025. These artifacts span various sectors, including payment platforms, cloud infrastructure providers, developer ecosystems, collaboration tools, and AI services. Furthermore, an alarming 6.2 million credentials or authentication cookies associated with AI tools were also identified, reflecting the rapid adoption of AI platforms across enterprises.

Non-human identities often lack protections such as multi-factor authentication (MFA), are rotated infrequently, and carry expansive permissions. When these identities are compromised, those weaknesses give attackers enduring access to crucial systems, including software supply chains and cloud infrastructure.

Phishing as an Ongoing Enterprise Threat

The report illustrates that phishing remains a prevalent threat in corporate settings, with 28.6 million phished identity records being recaptured in 2025. Nearly half of these records belonged to corporate users, highlighting that businesses are increasingly falling victim to such attacks. SpyCloud’s previous research indicated that successful phishing attempts surged by a staggering 400% year-over-year.

Today’s phishing datasets often include more than credential information; they can now contain session cookies, authentication tokens, and workflow data for MFA processes. Attackers can use this data to bypass traditional alert systems and assume authenticated sessions. With malicious actors frequently using AI technologies to develop more convincing phishing campaigns, the challenges continue to mount for enterprise security teams.

Continued Focus on Session Theft and MFA Bypass

SpyCloud recaptured 8.6 billion stolen session cookies and artifacts from malware infections, evidence that attackers continue to rely on session hijacking tactics that circumvent traditional authentication protections. Analysis of underground combolists revealed that 51% of records overlapped with previously documented infostealer logs, showing that criminals are increasingly reusing and repackaging stolen data.

Reports have surfaced throughout the year regarding several MFA bypass campaigns using adversary-in-the-middle (AitM) phishing kits and session replay methods targeting platforms like Microsoft 365 with stolen authentication tokens. On March 4, 2026, Europol, alongside Microsoft and other organizations, executed a significant operation against Tycoon 2FA, a phishing-as-a-service platform that facilitated widespread MFA bypass. Such actions underline the industrialization of phishing and the increasing importance of session artifacts in attackers’ methodologies.

The Role of Malware in Identity Data Exfiltration

Despite the rise in phishing activities, infostealer malware continues to represent a substantial risk to identity exposure. SpyCloud reported recovering over 642.4 million exposed credentials linked to 13.2 million infostealer malware infections in 2025. This statistic reveals that each malware infection resulted in an average of 50 exposed user credentials, broadening the range of entry points available to attackers.

Interestingly, a considerable number of these infections occurred on endpoints that had endpoint detection and response (EDR) or antivirus systems in place. This highlights the reality that such security measures alone are insufficient to thwart identity theft.

Continued High Levels of Credential Exposure

SpyCloud also recaptured an alarming 5.3 billion credential pairs, consisting of combinations of usernames or email addresses and their corresponding passwords. Among these exposed corporate credentials, a worrisome 80% contained plaintext passwords, making it easy for attackers to orchestrate account takeover attempts. Predictable patterns related to sports, pop culture, and simple numeric sequences dominated the list of compromised credentials.

Password reuse is prevalent as well, with SpyCloud discovering 1.1 million circulating password manager master passwords on underground platforms, raising genuine concerns regarding vault-level security.

The Necessity for Ongoing Identity Threat Protection

The 2026 report clearly underscores the evolving landscape of identity threats, emphasizing the imperative for continuous monitoring and protection strategies that encompass both human and machine identities. Attackers are adeptly intertwining breach data, phishing captures, malware logs, and machine credentials to craft composite identity profiles facilitating various forms of cyber-crime.

Trevor Hilligoss stresses that the issue transcends merely addressing phishing and malware. "The crucial challenge lies in comprehending how exposed identities intersect across systems, vendors, and automated workflows," he explained. "SpyCloud has reclaimed nearly a trillion stolen identity assets during our decade-long endeavor to disrupt cybercrime. This extensive data is pivotal in understanding the evolution of identity sprawl and how malevolent actors weaponize such data against individuals and organizations."

To bolster defenses against these multifaceted threats, organizations must actively monitor for exposure and establish automated remediation workflows. Such proactive measures have the potential to significantly reduce opportunities for attackers and therefore mark a critical victory in the ongoing battle against identity theft.

For further insights and a comprehensive analysis, readers can access the full report here.

About SpyCloud

SpyCloud specializes in transforming recaptured darknet data to counter cybercrime. Their identity threat protection solutions leverage advanced analytics and artificial intelligence to proactively thwart ransomware attacks, account takeovers, and insider threats while safeguarding both employee and consumer identities. Notably, their intelligence on breaches, malware-infected devices, and successful phishing attempts fuels various popular dark web monitoring and identity theft protection services. With a roster of clients that includes seven of the Fortune 10 companies and numerous global enterprises, SpyCloud aims to defend businesses and individuals from emerging threats in an increasingly complex digital landscape.
