SpyCloud Reports a Sharp Rise in Non-Human Identity Exposure and Theft for 2026
A Closer Look at SpyCloud's 2026 Identity Exposure Report
SpyCloud, a frontrunner in identity protection, recently unveiled its 2026 Identity Exposure Report, shedding light on an alarming trend: a substantial increase in non-human identity theft. This comprehensive analysis not only highlights the surge in stolen credentials but also underscores changing tactics employed by cybercriminals.
The Data Breakdown
In the past year, SpyCloud noted a staggering 23% rise in captured identity records, bringing the total to 65.7 billion distinct identities. Notably, attackers have broadened their targets beyond just traditional username and password combinations, increasingly focusing on machine identities and session artifacts. Trevor Hilligoss, SpyCloud's Chief Intelligence Officer, pointed out how these attacks have become more sophisticated, enabling criminals to leverage authenticated access including API keys and session tokens.
Key Findings from 2026
Explosion of Non-Human Identities
The report revealed that 18.1 million exposed API keys and tokens were recaptured, spanning a multitude of platforms—from payment systems to cloud providers. In addition, 6.2 million credentials linked to AI tools were uncovered, showcasing the rapid adoption of AI technologies by enterprises and the subsequent exposure of machine access pathways. Unlike human credentials, which frequently utilize multi-factor authentication (MFA), these non-human identities often lack such protections, making them lucrative targets for hackers.
Phishing Still Poses a Major Threat
Among the alarming statistics, SpyCloud also reported the recapture of 28.6 million phished identity records last year. Notably, corporate users constituted nearly half of these identities, emphasizing that phishing remains a pressing concern for enterprises. Successful phishing attempts have surged by an astonishing 400% year-over-year, making organizations aware that their workforce is now three times as likely to fall victim to phishing attempts as to traditional infostealer malware.
Continued Focus on Session Theft
In the face of evolving threats, session hijacking remains a significant danger. SpyCloud reported the recovery of 8.6 billion stolen cookies and session artifacts attributed to malware infections. The report indicated that 51% of underground records matched prior infostealer logs, suggesting organized efforts to repurpose stolen data instead of relying solely on recent breaches. Recent campaigns have included theft attempts targeting Microsoft 365 environments, and these have been met with a proactive response from authorities such as Europol in combating major phishing frameworks.
The Role of Malware
Despite an alarming rise in phishing, infostealer malware continues to pose a major risk. SpyCloud documented over 642.4 million exposed credentials harvested from 13.2 million malware infections. Remarkably, this translates to an average of 50 credentials exposed per malware instance, demonstrating a continuous flow of entry points available to attackers. Interestingly, many incidents occurred on endpoints equipped with endpoint detection and response (EDR) or antivirus solutions, signaling that these measures alone may not suffice in the ongoing fight against identity theft.
Credential Exposure and Password Weaknesses
The report also highlighted another troubling trend: a staggering 5.3 billion credential pairs, including usernames and passwords, were exposed. Disturbingly, around 80% of the compromised corporate credentials contained plaintext passwords, significantly elevating the risk of breaches. Predictable password patterns remain prevalent, with popular choices revealing a lack of awareness—passwords linked to pop culture, sports, and simple numeric strings are still common.
In conclusion, SpyCloud’s 2026 Identity Exposure Report paints a sobering picture of the evolving landscape of identity threats. With a combination of breach data, phishing captures, and machine credentials, attackers are increasingly able to assemble composite identity profiles that pose severe risks to enterprises and their operations. It’s clear that organizations must not only invest in defense against phishing and malware but also prioritize an understanding of how various components of identity are interconnected. Continuous monitoring and proactive remediation efforts are fundamental to shrinking the window of opportunity for attackers, ultimately safeguarding both human and machine identities in an increasingly interconnected world.