SpyCloud Issues 2026 Identity Exposure Report on Non-Human Identities
SpyCloud released its 2026 Identity Exposure Report covering identity exposure activity seen in 2025, including increased exposure of non-human identity elements alongside phished identity records and stolen session artifacts. The report centers on how credentials tied to machines and authenticated sessions now appear alongside traditional username and password data.
SpyCloud said its recaptured identity datalake rose 23% from the prior year to total 65.7 billion distinct identity records. The report also described patterns that include exposed Application Programming Interface (API) keys and tokens, session artifacts, and credentials obtained through infostealer malware infections.
In its findings, SpyCloud reported recapturing 18.1 million exposed API keys and tokens in 2025 and 6.2 million credentials or authentication cookies tied to Artificial Intelligence (AI) tools. It also reported 8.6 billion stolen cookies and session artifacts exposed through malware infections, and 642.4 million exposed credentials from 13.2 million infostealer malware infections in 2025. SpyCloud further reported 5.3 billion stolen credential pairs and stated that 80% of exposed corporate credentials contained plaintext passwords.
The report addressed phishing and Multifactor Authentication (MFA) bypass activity, with SpyCloud citing 28.6 million phished identity records in 2025 and stating that nearly half of those identities were corporate users. It referenced Europol’s March 4, 2026 coordinated seizure of Tycoon 2FA and said SpyCloud supported the disruption effort with victim identity intelligence and operational analysis drawn from criminal underground sources.
“We're witnessing a structural shift in how identity is exploited,” said Trevor Hilligoss, Chief Intelligence Officer at SpyCloud. “Attackers are no longer just targeting credentials. They're stealing authenticated access, including API keys, session tokens and automation credentials, and using this access to move faster, stay persistent, and scale attacks across cloud and enterprise environments.”
SpyCloud said the report highlighted how exposed identities connect across systems, vendors, and automation workflows and described continuous monitoring and automated remediation as an approach for reducing the period in which exposed identities can be used.