Identity Attacks 2026: Why Hackers No Longer Break In – They Log In
75 percent of all security incidents in 2026 stem from stolen identities, not technical exploits. Compromised credentials rose 50 percent in the second half of 2025 compared with the same period of 2024. Hackers aren’t breaking in anymore. They’re logging in. The paradigm shift from perimeter security to identity security is no longer a prediction. It’s reality.
TL;DR
- 🔒 75 percent of all breaches in 2026 occur via stolen identities. Hackers log in instead of breaking in (Cloudflare, 2026).
- 📈 50 percent more compromised credentials in H2 2025 than in H2 2024.
- ⚠️ 97 percent of identity-based attacks use passwords as the initial entry vector.
- 🛡️ Multi-factor authentication (MFA) alone is no longer sufficient: AiTM-Phishing (Adversary-in-the-Middle) systematically bypasses MFA.
- 🔧 Solution: Passwordless authentication (Passkeys, FIDO2), continuous verification, and Identity Threat Detection and Response (ITDR).
Why Identities Are the New Battlefield
The 2026 Cloudflare report is clear: three out of four security incidents begin with a compromised identity. Not a buffer overflow, not a zero-day vulnerability – but valid login credentials that have fallen into the wrong hands. This trend has accelerated over the past two years. In the second half of 2025, 50 percent more credentials were compromised than in the same period in 2024.
Heise recently headlined: “Login as a Weapon.” The phrase captures the essence. An attacker with valid credentials appears to security systems as a legitimate user. They trigger no alarms, pass through firewalls and network segmentation, and access sensitive data. Only when they move laterally or exfiltrate data do they become visible – often too late.
The recent Microsoft Teams campaign involving A0Backdoor exemplifies the pattern: initial access is achieved through social engineering, not a software exploit. Attackers exploit trust, not technical vulnerabilities.
Why MFA Is No Longer Enough
For years, multi-factor authentication (MFA) was the standard defense against credential theft. But 2025 and 2026 show: MFA is no longer a protective wall, but an obstacle that organized attackers systematically bypass. The tool? AiTM-Phishing (Adversary-in-the-Middle).
In an AiTM attack, the attacker places a reverse proxy between the user and the real identity provider. The phishing page relays the user’s password and one-time code to the genuine login endpoint in real time, so the authentication actually succeeds; the identity provider then returns a session cookie, and the proxy captures it before handing the user the real page. With that cookie the attacker is already authenticated and triggers no further MFA prompt. To the server, everything appears normal: the password was correct and the second factor was satisfied.
The EvilProxy phishing kit has industrialized AiTM attacks. Sold as a service, it requires no technical expertise from the operator and is actively used against Microsoft 365 environments. Regulated industries that treat MFA as a primary control must revisit that assumption.
“The shift from network-based to identity-based attacks is the most significant change in the threat landscape since the rise of ransomware.”
Cloudflare Security Report 2026, Executive Summary
The Path to Passwordless: Passkeys and FIDO2
The response to identity-based attacks isn’t stronger MFA – it’s removing the attack vector itself: the password. Passwordless authentication with Passkeys and FIDO2 takes phishable credentials off the table: there is no shared secret to type into a fake page, and the cryptographic proof a passkey produces is bound to the site that requested it, so it is worthless anywhere else. What remains stealable after a successful login is the session token, which is why token hygiene still matters alongside passwordless.
Passkeys use asymmetric cryptography: the private key never leaves the user’s device, except as an end-to-end encrypted copy in a synced credential store. During login the device signs a server-issued challenge together with the origin of the page the browser is actually on, so a phishing page cannot obtain a proof that the real service would accept. Apple, Google and Microsoft shipped native Passkey support in their operating systems in 2022 and 2023, and by 2024 it was available across all major platforms and browsers.
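What “nothing to intercept and reuse” means in practice is easiest to see in code. The following is an added example in Go, not code from this article, from a FIDO vendor or from any browser: a stripped-down WebAuthn assertion ceremony (no CBOR, no attestation, no sign-count policy) with one assumed genuine identity provider, login.example.com, and one assumed AiTM proxy host, login.example.com.evil.test. The browser, not the web page, writes the origin into clientDataJSON, and the authenticator’s signature covers the hash of that JSON. So an assertion produced on the proxy’s page names the proxy’s origin, the real identity provider rejects it, and the proxy cannot patch the origin without breaking the signature. The third case (the proxy rewriting the origin) goes one step beyond the paragraph above to show why the binding holds.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	realOrigin    = "https://login.example.com"           // assumed: the genuine IdP
	rpID          = "login.example.com"                   // relying party ID the passkey is scoped to
	phishedOrigin = "https://login.example.com.evil.test" // assumed: AiTM proxy mirroring the login page
)

// Assertion: what the browser returns after a passkey login, reduced to what the RP verifies.
type Assertion struct {
	AuthenticatorData []byte // sha256(rpId) || flags || signCount
	ClientDataJSON    []byte // written by the browser, never by the web page
	Signature         []byte // ECDSA P-256 over authenticatorData || sha256(clientDataJSON)
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func signedPayload(authData, cdj []byte) []byte {
	cdjHash := sha256.Sum256(cdj)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdjHash[:])
	return h.Sum(nil)
}

// authenticatorSign plays browser plus authenticator: the browser records the origin
// the user is really on; the authenticator signs and never exports the private key.
func authenticatorSign(priv *ecdsa.PrivateKey, origin, challenge string) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01, 0, 0, 0, 1) // flags UP=1, counter=1
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedPayload(authData, cdj))
	if err != nil {
		panic(err) // only if the system RNG fails
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cdj, Signature: sig}
}

// verifyAssertion is the relying party's side (WebAuthn spec section 7.2, abridged).
func verifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, challenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was produced on %q", cd.Origin)
	}
	if rpHash := sha256.Sum256([]byte(rpID)); len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedPayload(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo verifies three assertions at the real IdP: a genuine login, the same login done
// through the AiTM page, and the proxy's patched copy. nil = accepted, error = rejected.
func Demo() (genuine, phished, tampered error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)             // error only on RNG failure
	pub, challenge := &priv.PublicKey, "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; real RPs send fresh random bytes per login
	genuine = verifyAssertion(pub, realOrigin, challenge, authenticatorSign(priv, realOrigin, challenge))
	// Victim is on the proxy's page, so the browser records phishedOrigin. (A real browser would
	// also refuse rpID here, as it is not a registrable suffix of the proxy's host.)
	p := authenticatorSign(priv, phishedOrigin, challenge)
	phished = verifyAssertion(pub, realOrigin, challenge, p)
	// Proxy rewrites clientDataJSON to claim the real origin: its hash is under the signature.
	fixed, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: realOrigin})
	tampered = verifyAssertion(pub, realOrigin, challenge,
		Assertion{AuthenticatorData: p.AuthenticatorData, ClientDataJSON: fixed, Signature: p.Signature})
	return genuine, phished, tampered
}

func main() {
	genuine, phished, tampered := Demo()
	fmt.Println("genuine login:       ", genuine)
	fmt.Println("via AiTM page:       ", phished)
	fmt.Println("proxy-patched origin:", tampered)
}
```

Run it with go run; the genuine login prints `<nil>` and the two proxied cases print their rejection reason. In production these checks live inside a WebAuthn library, but the lesson is the same: the origin and rpIdHash comparisons are not optional, and the challenge must be single-use, otherwise the replay protection that makes this phishing-resistant is gone.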
For enterprises, the transition takes work: the identity provider must support FIDO2, end-user devices must be compatible, and employees need guidance. But the ROI is clear: if 97 percent of identity-based attacks start with a password, removing passwords closes the entry vector that nearly all of them depend on.
ITDR: The New Category in Identity Security
Alongside passwordless, a new product category is emerging: Identity Threat Detection and Response (ITDR). ITDR solutions don’t monitor network traffic – they analyze identity behavior. They detect anomalies such as: a user logging in simultaneously from two countries, a service account suddenly accessing data it has never accessed before, or a login from an unknown device at an unusual time.
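To show what “identity behavior” looks like once it is turned into detection rules, here is an added example in Go. It is not a product’s detection logic; the sign-in export format, the device IDs, the coordinates and the baselines are all constructed for the demo. It parses JSON-lines sign-in events and applies the three anomalies from the paragraph above: impossible travel (implied speed between two successful sign-ins above airliner speed), an unknown device, annotated when it appears outside working hours, and a service account touching a resource outside its baseline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)
// SignIn is one sign-in event; the field names are assumed, not a vendor schema.
type SignIn struct {
	Time     time.Time `json:"time"`
	User     string    `json:"user"`
	Lat      float64   `json:"lat"`
	Lon      float64   `json:"lon"`
	DeviceID string    `json:"device_id"`
	Resource string    `json:"resource"`
	Result   string    `json:"result"`
}
type Finding struct{ Rule, User, Detail string }
type Baseline struct {
	Devices   map[string]map[string]bool // user -> device IDs seen before
	Resources map[string]map[string]bool // service account -> resources it normally touches
}
const maxPlausibleKmh = 900.0 // airliner speed; faster implies being in two places at once
func approxKm(lat1, lon1, lat2, lon2 float64) float64 {
	dx := (lon2 - lon1) * math.Cos((lat1+lat2)/2*math.Pi/180)
	return 111.0 * math.Sqrt(dx*dx+(lat2-lat1)*(lat2-lat1)) // equirectangular; fine for a velocity threshold
}
func parseSignIns(jsonl string) ([]SignIn, error) {
	var out []SignIn
	for _, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var s SignIn
		if err := json.Unmarshal([]byte(line), &s); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		out = append(out, s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) }) // exports are rarely ordered
	return out, nil
}

// Detect applies three identity-behaviour rules to successful sign-ins, in time order.
func Detect(events []SignIn, b Baseline) []Finding {
	var findings []Finding
	last := map[string]SignIn{} // previous successful sign-in per user
	for _, e := range events {
		if e.Result != "success" { // failures feed spray/brute-force rules, not these
			continue
		}
		svc := strings.HasPrefix(e.User, "svc-")
		if prev, ok := last[e.User]; ok && !svc {
			km, hrs := approxKm(prev.Lat, prev.Lon, e.Lat, e.Lon), e.Time.Sub(prev.Time).Hours()
			if km > 50 && (hrs <= 0 || km/hrs > maxPlausibleKmh) { // 50 km floor absorbs geo-IP jitter
				findings = append(findings, Finding{"impossible_travel", e.User,
					fmt.Sprintf("%.0f km in %.0f min since previous sign-in", km, hrs*60)})
			}
		}
		if !svc && !b.Devices[e.User][e.DeviceID] {
			d := "unknown device " + e.DeviceID
			if h := e.Time.UTC().Hour(); h < 6 || h >= 20 {
				d += " at " + e.Time.UTC().Format("15:04") + " UTC, outside working hours"
			}
			findings = append(findings, Finding{"new_device", e.User, d})
		}
		if svc && !b.Resources[e.User][e.Resource] {
			findings = append(findings, Finding{"service_account_new_resource", e.User, "first access to " + e.Resource})
		}
		last[e.User] = e
	}
	return findings
}

// sampleLog is a constructed export, not real telemetry; it is deliberately out of order.
const sampleLog = `
{"time":"2026-03-02T08:05:00Z","user":"alice","lat":52.52,"lon":13.40,"device_id":"dev-a1","resource":"sharepoint","result":"success"}
{"time":"2026-03-02T08:47:00Z","user":"alice","lat":40.71,"lon":-74.00,"device_id":"dev-a1","resource":"exchange","result":"success"}
{"time":"2026-03-02T02:30:00Z","user":"bob","lat":48.14,"lon":11.58,"device_id":"dev-zz","resource":"exchange","result":"success"}
{"time":"2026-03-02T09:00:00Z","user":"bob","lat":48.14,"lon":11.58,"device_id":"dev-b1","resource":"teams","result":"success"}
{"time":"2026-03-02T10:15:00Z","user":"svc-backup","lat":50.11,"lon":8.68,"device_id":"dev-srv","resource":"blob-storage","result":"success"}
{"time":"2026-03-02T10:20:00Z","user":"svc-backup","lat":50.11,"lon":8.68,"device_id":"dev-srv","resource":"hr-database","result":"success"}
`

func DemoFindings() []Finding {
	events, err := parseSignIns(sampleLog)
	if err != nil {
		panic(err) // sampleLog is a constant, so a parse error is a bug in this file
	}
	return Detect(events, Baseline{ // constructed baseline
		Devices:   map[string]map[string]bool{"alice": {"dev-a1": true}, "bob": {"dev-b1": true}},
		Resources: map[string]map[string]bool{"svc-backup": {"blob-storage": true}},
	})
}

func main() {
	for _, f := range DemoFindings() {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.User, f.Detail)
	}
}
```

Running it yields three findings: bob on an unknown device at 02:30 UTC, alice covering roughly 6,800 km in 42 minutes, and svc-backup reading hr-database for the first time. The 50 km floor and the 900 km/h ceiling are tuning knobs; geo-IP jitter and corporate VPN egress points are the usual false-positive sources, and a baseline built from unhardened, noisy directory data produces exactly the unclean signal the next paragraph warns about.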
Gartner predicts that by 2027, ITDR will be a mandatory component in every enterprise security stack. The challenge: ITDR is only as effective as the data quality of the identity systems. Organizations that haven’t hardened Active Directory won’t get clean signals, even with ITDR.
5 Immediate Actions for Security Teams
- Plan a Passkey rollout: Verify whether your identity provider (Entra ID, Okta, Ping) supports FIDO2/Passkeys. Define a pilot group. Goal: eliminate passwords for privileged accounts by Q3 2026.
- Enforce AiTM-resistant MFA: Require phishing-resistant methods (FIDO2 security keys, Passkeys, Windows Hello for Business, certificate-based authentication) for all admin and C-level accounts. SMS codes, authenticator-app OTPs and push approvals can all be relayed through a proxy and are therefore not AiTM-resistant.
- Implement session token hygiene: Shorten token lifetimes and sign-in frequency, tighten Conditional Access Policies (geolocation, device compliance, risk-based), enable Continuous Access Evaluation so revocations take effect in near real time, and, where your identity provider supports it, bind tokens to the device so a stolen cookie cannot be replayed from elsewhere.
- Evaluate ITDR: Assess whether your current security architecture can detect identity-based anomalies. If not, evaluate ITDR solutions (CrowdStrike, Microsoft Defender for Identity, SentinelOne).
- Monitor credential exposure: Set up dark web monitoring for compromised corporate credentials. Regularly check your domains against breach databases (Have I Been Pwned, SpyCloud).
Conclusion: The Firewall of the Future Is Identity
The paradigm shift is complete. The perimeter firewall no longer protects when the attacker logs in with valid credentials. The response is threefold: Passkeys eliminate the attack vector, AiTM-resistant MFA secures the transition period, and ITDR detects attackers who slip through anyway. Security teams that in 2026 still primarily invest in network security are investing in the wrong front line.
Frequently Asked Questions
What exactly are identity-based attacks?
Attacks that use stolen or compromised credentials (username + password, session tokens, API keys) to impersonate legitimate users. Unlike technical exploits (buffer overflow, SQL injection), no software vulnerability is exploited – instead, the attacker abuses the trust of the authentication system.
Why is MFA no longer effective against phishing?
AiTM-Phishing (Adversary-in-the-Middle) inserts a proxy between the user and the authentication server. The user enters their password and second factor, the proxy relays both to the real server, and the attacker captures the session cookie the server returns. Result: the attacker is fully authenticated – even with MFA. Only phishing-resistant methods (FIDO2, Passkeys, certificate-based authentication) defeat this, because the proof of possession is bound to the genuine site’s origin and cannot be relayed.
What are Passkeys and why are they more secure?
Passkeys use asymmetric cryptography: the private key remains on the user’s device and never leaves it. During login, a cryptographic proof is generated – no password is transmitted. Even in a phishing attack, there’s nothing for the attacker to intercept and reuse.
What is ITDR?
Identity Threat Detection and Response (ITDR) is a new category of security solutions that detect anomalies in identity behavior: simultaneous logins from different countries, unusual access times, sudden privilege escalations. ITDR adds the identity dimension to EDR and SIEM.
Which industries are most at risk?
Financial institutions and healthcare organizations are the primary targets of identity-based attacks due to their highly sensitive data and widespread use of Microsoft 365. But any organization with more than 100 employees and cloud services is a potential target.
Editor’s Reading Recommendations
- Attack via Microsoft Teams: A0Backdoor – A current example of identity-based attacks (SecurityToday)
- Hardening Active Directory: 5 Immediate Measures – The foundation of identity security (SecurityToday)
- Cloud-native Identity: OAuth 2.1 and Passkeys – Technical deep dive (cloudmagazin)