www.darkreading.com 3/17/2026, 10:52:05 PM

More Attackers Are Logging In, Not Breaking In

"More Attackers Are Logging In, Not Breaking In" reports that credential theft surged in the second half of 2025, driven by infostealer malware, malware-as-a-service ecosystems and AI-enabled social engineering. Recorded Future says it indexed nearly two billion credentials from malware combo lists in 2025, with 50% more compromised credentials in the second half than in the first and 90% more in Q4 than in Q1.

The analysis also found that 276 million credentials, about 31% of all malware-sourced credentials, included active session cookies that could let attackers hijack sessions and bypass MFA completely. The core takeaway is that identity has become the primary attack surface, and attackers are no longer breaking in but systematically logging in using stolen credentials at scale, according to Alexander Leslie of Recorded Future.

Google’s Threat Intelligence Group identified threat actors using stolen credentials for initial access in 21% of ransomware incidents last year, and Verizon reported such credentials in 22% of the incidents it investigated. The article, published on 17 March 2026, advises organisations to enforce device- and behaviour-based conditional access and to consider phishing-resistant MFA alongside continuous monitoring.


Article by CyberSIXT