SpyCloud’s 2026 Identity Exposure Report Shows Explosive Rise in Machine‑Based Identity Theft
In a stark reminder that the cyber‑threat landscape is evolving faster than many organizations anticipate, SpyCloud’s latest annual Identity Exposure Report for 2026 has unveiled a dramatic surge in the theft of machine‑generated credentials. The report, released on March 19th, 2026, details how attackers are no longer content with traditional username‑password pairs; instead, they are targeting API keys, session tokens, and other non‑human identities (NHIs) that grant persistent access to cloud services, software supply chains, and enterprise infrastructure.
A Surge in Machine‑Based Identity Theft
SpyCloud’s data lake, which aggregates stolen credentials from the underground, grew by 23% last year, reaching a staggering 65.7 billion distinct identity records. While the sheer volume of stolen human credentials remains a concern, the report’s most alarming revelation is the scale of non‑human identity exposure.
In 2025 alone, SpyCloud recovered 18.1 million exposed API keys and tokens across a wide array of platforms—including payment processors, cloud infrastructure providers, developer ecosystems, collaboration tools, and AI services. These credentials often lack multi‑factor authentication, are rarely rotated, and are granted broad permissions that can be leveraged to move laterally within an organization’s environment.
Adding to the threat, the report identified 6.2 million credentials or authentication cookies linked to AI tools. As enterprises increasingly adopt generative AI and other machine‑learning services, the attack surface expands, offering attackers new avenues to infiltrate and persist within corporate networks.
Trevor Hilligoss, SpyCloud’s Chief Intelligence Officer, summed up the shift: “We’re witnessing a structural change in how identity is exploited. Attackers are no longer just targeting credentials. They’re stealing authenticated access—API keys, session tokens, automation credentials—and using this access to move faster, stay persistent, and scale attacks across cloud and enterprise environments.”
Phishing Still Targets Corporate Users
Despite the rise in machine‑based theft, phishing remains a dominant vector, particularly against corporate employees. The report recorded 28.6 million phished identity records in 2025, with nearly half belonging to corporate users. This underscores that human factors continue to be a critical vulnerability, especially as attackers craft increasingly sophisticated spear‑phishing campaigns that mimic legitimate business communications.
Key takeaways from the phishing data include:
- Phishing attacks are now routinely combined with credential stuffing, allowing attackers to test stolen credentials across multiple services.
- Many corporate accounts are protected by single‑factor authentication, making them especially susceptible.
- Phishing campaigns targeting remote workers and hybrid teams have increased, reflecting the shift to distributed work models.
What This Means for Businesses
Organizations must recognize that protecting human credentials is no longer sufficient. The following actions can help mitigate the growing threat of machine‑based identity theft:
- Implement strict API key management. Rotate keys regularly, enforce least‑privilege access, and monitor for unusual usage patterns.
- Adopt multi‑factor authentication for all accounts. Even machine identities should be protected with MFA where possible.
- Deploy automated threat detection. Use behavioral analytics to spot anomalous token usage or session hijacking attempts.
- Educate employees on phishing. Continuous training and simulated phishing exercises can reduce the success rate of credential‑stealing campaigns.
- Secure AI and automation platforms. Treat AI tool credentials with the same rigor as traditional user accounts, ensuring they are stored securely and monitored.
By addressing both human and machine identity vulnerabilities, businesses can reduce the risk of persistent, high‑impact attacks that exploit the very infrastructure they rely on.