Credential theft compounded in 2025, says new data from Recorded Future

Recorded Future has released its 2025 Identity Threat Landscape Report, highlighting credential theft as “the dominant initial access vector for enterprise breaches.”

It’s not just that lots of credentials are being stolen: the rate of theft is a sharp upward curve. Recorded Future identified 50 percent more credentials in the second half of 2025 than in the first half of the year, and 90 percent more credentials in the last three months of the year than in the first three months.

Credential theft, it says, is targeted, not random. “Of the 7 million credentials indexed with identifiable authorization URLs, 63.2 percent were tied to authentication systems.” That represents a much bigger chunk of the pie than any other category; next in line is web content management at 9.95 percent. “Attackers are often going directly for the systems that provide the broadest access and, in some cases, the ability to blind security teams entirely.”

New fraud tactics focus on scaling attacks, and infostealer malware is outpacing traditional breach detection. Multifactor authentication in itself is no longer sufficient protection: “276 million of the credentials indexed in 2025 included active session cookies, meaning attackers can bypass multi-factor authentication entirely.”

“The scale and precision of modern infostealers means a single infected endpoint – including a personal device used to access corporate systems – can expose an entire organization,” says a release.

Detection speed is “the decisive advantage.” Organizations that act on intelligence quickly can intervene before stolen credentials are exploited.

Other data from the report shows India, the U.S. and Brazil as nations with the most compromised indexed credentials. Infiltrations spread quickly; “in 2025, the average compromised device yielded 87 stolen credentials, spanning corporate applications, personal accounts, and cloud services accessed from the same machine.”

Recorded Future says “one of the most significant findings from 2025 is the volume of credentials that included active session cookies alongside stolen passwords.” Session cookies allow attackers to authenticate as a user without entering a password or completing an MFA challenge. The firm indexed 276 million credentials with session cookies, constituting 31 percent of all malware-sourced credentials.

“MFA enrollment is necessary but not sufficient. Organizations should monitor for session cookie theft specifically, enforce shorter session token lifespans for high-risk applications, and treat any credential exposure from an infostealer log as a potential authentication bypass.”

Continuous, contextual identity verification

New research conducted by International Data Corporation (IDC) and sponsored by Ping Identity shows the value of continuous, contextual identity verification.

The independent global study finds that organizations meeting verified trust criteria achieve 51 percent higher transaction conversion and 43 percent lower fraud losses, according to a release. This puts them ahead of peers across revenue growth, fraud reduction, compliance readiness, and workforce productivity in a landscape increasingly influenced by AI.

According to Ping, only 9 percent of organizations are prepared for the scale of the threat. This
“highlights a clear maturity gap between perception and execution.”

“While more than half of organizations believe they lead in digital trust, only a small fraction has operationalized continuous, contextual identity verification at scale.”

Peter Barker, chief product officer at Ping Identity, says that in today’s threat landscape, identity can no longer be treated as a single authentication event. “In an AI-mediated enterprise, every authorization decision must be continuously verified, contextualized, and governed,” Barker says. This is the verified trust concept: “a continuous assurance that every digital interaction, whether human or machine/AI agent, is tied to an independently verified identity and remains trusted over time.”

Barker says “this research confirms that organizations embracing continuous, contextual verification reduce risk while unlocking measurable business value.”

Follow-through remains a key problem. “IDC data shows that 94 percent of leaders operate at scale, while early-stage organizations linger in pilots. Passwordless adoption tells the same story: leaders embrace biometrics, passkeys, and digital wallets at 80-83 percent while starters (those who have initiated their verified trust journey but are still early in execution) hover below 30 percent.”

Only 9 percent have operationalized verified trust at scale across customer, employee, partner, and AI identities.

This, says Ping Identity, simply will not do. “Identity has moved beyond a static gate and evolved into a trust fabric of digital ecosystems,” says the report. “Organizations that fail to operationalize continuous verification are risking fragmentation, compliance gaps, and exposure to AI-driven threats.”

The report recommends making verified trust a board-level priority, starting with high-impact identity flows with the greatest risk and business impact, and tracking verification coverage as a leading KPI. Firms should diversify budget ownership to break the IT silo and “engage security, digital/CX, and LOB stakeholders to align investments with outcomes such as fraud reduction, onboarding speed, and operational agility.”

Organizations must move beyond passwords to adopt device-bound passkeys, biometrics with liveness, and verifiable credentials for human identities, in order to accelerate platform unification.

“Verified trust is no longer a design choice,” says Emanuel Figueroa, senior research analyst at IDC. “It’s the prerequisite for operating at scale in AI driven environments. As AI increases autonomy and complexity, identity becomes the mechanism for control, accountability, and confidence. Organizations that establish this foundation early will move faster with less risk; those that don’t will accumulate cost, friction, and regulatory exposure over time.”

Article Topics

access control  |  biometric authentication  |  cybersecurity  |  digital identity  |  digital trust  |  identity verification  |  passkeys  |  Ping Identity