Credential theft is now a primary method unauthorized parties use to gain initial access to enterprise networks. The scale and speed at which threat actors systematically utilize stolen login data are actively testing traditional defensive strategies.
A new analysis of 2025 threat data by Recorded Future shows an accelerating volume of compromised usernames, passwords, and authentication tokens available in underground markets. In 2025, Recorded Future indexed nearly two billion credentials sourced entirely from malware combo lists, aggregated lists of exposed login data gathered from various security incidents. The threat intelligence firm observed a 50% increase in compromised credentials during the second half of 2025 compared to the first half. By the fourth quarter, the volume had grown 90% higher than the first quarter.
Accelerating credential theft
Alexander Leslie, senior advisor at Recorded Future, attributes this growth to the industrialization of infostealer malware, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering. These elements lower the barrier to entry for threat actors, increasing both the volume and quality of stolen credentials and session artifacts, such as cookies, that can bypass standard multifactor authentication (MFA).
This pattern is expected to continue due to the compounding effects of SaaS sprawl, browser-based credential syncing, and generative AI-driven targeting. Together, these factors expand the identity exposure surface faster than traditional defenses adapt.
Beyond the raw volume, the specific systems targeted present elevated risks. Recorded Future analyzed seven million stolen credentials where associated URLs clearly identified the target systems. Nearly two-thirds of these credentials corresponded to authentication systems, including Okta login pages, Microsoft Azure Active Directory portals, and corporate VPNs.
This data indicates that threat actors seek credentials providing the broadest environment access. In some cases, these access levels allow unauthorized parties to disable security telemetry entirely. Other high-value targets include remote monitoring and management (RMM) tools, often used by managed service providers (MSPs) and their downstream clients, as well as cloud platforms and email infrastructure.
Enabling MFA bypass
The Recorded Future report includes further data on session hijacking. Approximately 276 million of the analyzed credentials, 31% of all malware-sourced credentials in 2025, contained active session cookies. These cookies store cryptographic proof that a user has already authenticated, allowing an unauthorized party to resume an active session without entering a password. The exposure of session cookies is particularly concerning because it enables threat actors to bypass MFA entirely.
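The defensive counterpart to the cookie-theft pattern described above is server-side detection of a session being resumed from somewhere it was not established. The following is an added example, not code from Recorded Future or from the article; it assumes an application that logs, per authenticated request, the session id, a device fingerprint, the source IP and a timestamp. The log lines, session ids and fingerprints are constructed sample data.

```python
"""Detect replay of a stolen session cookie across devices (added example).

Assumption: every authenticated request is logged with the session id,
a server-computed device fingerprint (for example a hash of TLS client
properties plus user agent), the source IP and a UTC timestamp.  The
session ids, fingerprints and addresses below are constructed, not real.
"""
from datetime import datetime

# Constructed sample log: alice's session cookie is first used from her
# known laptop, then reused minutes later from a different fingerprint and
# network, which is the pattern left by an infostealer-exported cookie.
SAMPLE_LOG = [
    "2025-11-03T08:01:12Z sid=sess_a1 user=alice fp=fp_laptop_01 ip=203.0.113.10",
    "2025-11-03T08:02:40Z sid=sess_a1 user=alice fp=fp_laptop_01 ip=203.0.113.10",
    "2025-11-03T08:09:05Z sid=sess_a1 user=alice fp=fp_unknown_77 ip=198.51.100.9",
    "2025-11-03T08:15:00Z sid=sess_b2 user=bob fp=fp_desk_04 ip=203.0.113.22",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_session_replay(lines):
    """Return one alert per session id that is used from more than one device.

    The first request seen for a session id pins it to the fingerprint and IP
    it was established with; any later request carrying the same id from a
    different fingerprint is treated as a replayed cookie.
    """
    first_seen = {}  # sid -> (fingerprint, ip, timestamp) at establishment
    alerts = []
    for event in map(parse_event, lines):
        sid = event["sid"]
        if sid not in first_seen:
            first_seen[sid] = (event["fp"], event["ip"], event["ts"])
            continue
        fp0, ip0, ts0 = first_seen[sid]
        if event["fp"] != fp0:
            alerts.append({
                "sid": sid,
                "user": event["user"],
                "original_fp": fp0,
                "new_fp": event["fp"],
                "original_ip": ip0,
                "new_ip": event["ip"],
                "minutes_after_first_use": (event["ts"] - ts0).total_seconds() / 60,
                # Response: the cookie is no longer trustworthy, so end the
                # session and require a fresh phishing-resistant sign-in.
                "action": "revoke session; require fresh phishing-resistant MFA",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(alert)
```

Pinning the session to the fingerprint at establishment time is the key design choice: a stolen cookie is a perfect copy of the legitimate one, so the only signal left is the context in which it is presented. The same check can be enforced inline (reject the request) rather than only alerted on, which is the behaviour the detection above recommends in its `action` field.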
Identity is now the primary exposure surface. Unauthorized parties are systematically logging in using stolen credentials rather than relying on technical perimeter bypasses. To adapt, enterprises are advised to shift from perimeter-only and standard MFA defenses toward continuous identity monitoring and response.
These findings align with broader industry observations showing a shift away from traditional software vulnerabilities toward credential-based access. Valid usernames, passwords, and session tokens are used to enter systems quietly without triggering standard perimeter alarms.
Google's Threat Intelligence Group determined that unauthorized parties used stolen credentials for initial access in 21% of ransomware incidents last year where the entry vector was identifiable. These credentials frequently enabled authentication to a target's VPN or remote desktop protocol (RDP) services. Additionally, Verizon's 2025 Data Breach Investigations Report (DBIR) found compromised credentials involved in 22% of investigated incidents, ranking it among the top initial access vectors.
Actionable guidance for identity protection
To safeguard systems against MFA bypass techniques like session hijacking, adversary-in-the-middle phishing, and valid account abuse, organizations should enforce device- and behavior-based conditional access policies. Security teams should also evaluate adopting phishing-resistant MFA, such as FIDO2, and deploy continuous monitoring capable of rapid remediation for exposed credentials in both corporate and personal contexts.
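A concrete shape for the device- and behavior-based conditional access policy recommended above, as an added example that is not part of the article or of any vendor's product: a small policy evaluator that takes the signals an identity provider would have at sign-in time and returns allow, step up to phishing-resistant MFA, or deny. The signal names, thresholds, application list and sample sign-ins are all constructed for illustration.

```python
"""Device- and behaviour-based conditional access evaluation (added example).

Assumption: the identity provider hands this policy engine a sign-in
context containing device posture and behavioural signals.  The signal
names, the Tier-0 application list and the travel-speed threshold are
constructed for illustration, not taken from any real product.
"""
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up_fido2", "deny"
PHISHING_RESISTANT = {"fido2", "passkey"}
# Constructed list of applications whose access should be treated as Tier-0.
TIER0_APPS = {"okta-admin", "azure-ad-admin", "siem-console", "rmm-console"}


@dataclass
class SignIn:
    user: str
    app: str
    auth_method: str            # "password", "totp", "push", "fido2", "passkey"
    device_managed: bool        # enrolled in MDM and reporting compliant
    device_known: bool          # fingerprint previously seen for this user
    km_from_last_signin: float  # geo distance from the user's last sign-in
    hours_since_last_signin: float
    session_resumed: bool       # request carried an existing session cookie


def impossible_travel(s, max_kmh=900.0):
    """True when the implied speed since the last sign-in is not plausible."""
    if s.hours_since_last_signin <= 0:
        return s.km_from_last_signin > 0
    return s.km_from_last_signin / s.hours_since_last_signin > max_kmh


def evaluate(s):
    """Return (decision, reasons) for one sign-in context.

    Hard denials come first; then the phishing-resistance requirement for
    sensitive apps and for unfamiliar devices; otherwise allow.
    """
    reasons = []
    if impossible_travel(s):
        reasons.append("impossible travel")
    if s.session_resumed and not s.device_known:
        # A valid cookie arriving from a never-seen device is the hallmark of
        # an exported session, so the cookie is not honoured.
        reasons.append("session cookie presented from unknown device")
    if s.app in TIER0_APPS and not s.device_managed:
        reasons.append("Tier-0 app from unmanaged device")
    if reasons:
        return DENY, reasons
    if s.app in TIER0_APPS and s.auth_method not in PHISHING_RESISTANT:
        return STEP_UP, ["Tier-0 app requires phishing-resistant MFA"]
    if not s.device_known and s.auth_method not in PHISHING_RESISTANT:
        return STEP_UP, ["new device; MFA method used is phishable"]
    return ALLOW, []


if __name__ == "__main__":
    # Constructed sample sign-ins, one per decision branch.
    for ctx in [
        SignIn("alice", "mail", "password", True, True, 0.0, 1.0, False),
        SignIn("alice", "okta-admin", "totp", True, True, 0.0, 1.0, False),
        SignIn("alice", "mail", "fido2", True, False, 0.0, 1.0, True),
        SignIn("alice", "mail", "fido2", True, True, 5000.0, 1.0, False),
    ]:
        print(ctx.user, ctx.app, evaluate(ctx))
```

The ordering matters: behavioural and device signals that indicate a stolen session or an uncontrolled endpoint produce a denial regardless of how strong the authentication factor was, because a valid FIDO2 assertion says nothing about who is holding a cookie that was minted after it.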
Credentials tied to identity and access management (IAM), security tooling, and security information and event management (SIEM) systems require strict protection. These should be treated as Tier-0 assets, with strict segregation, credential vaulting, rotation, and real-time exposure detection. Securing this layer prevents unauthorized users from disabling defenses or escalating privileges through legitimate access pathways.
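One way to operationalize the real-time exposure detection and rotation the paragraph calls for, as an added example that is not code from the article or from Recorded Future: compare incoming combo-list entries against an inventory of Tier-0 identities and distinguish a merely exposed identity from an exposed current password. It assumes the defender holds salted PBKDF2 verifiers for those accounts and receives leaked entries in the common "email:password" form; the accounts, passwords and combo list are constructed sample data.

```python
"""Check Tier-0 accounts against a leaked combo list (added example).

Assumption: the defender keeps an inventory of Tier-0 identities with
salted PBKDF2-HMAC-SHA256 verifiers and receives combo-list lines in the
"email:password" form from a threat-intelligence feed.  Accounts, salts,
passwords and the combo list below are all constructed sample data.
"""
import hashlib
import hmac
import os

# Kept low so the example runs quickly; production verifiers use far more.
ITERATIONS = 100_000


def make_verifier(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt by default."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time check of a candidate password against a stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_inventory():
    """Constructed Tier-0 inventory: email -> {system, salt, verifier}."""
    inventory = {}
    for email, system, password in [
        ("sec-admin@example.com", "siem-console", "Winter2025!"),
        ("okta-super@example.com", "okta-admin", "correct-horse-battery"),
        ("svc-rmm@example.com", "rmm-console", "Rmm#Service#9"),
    ]:
        salt, digest = make_verifier(password)
        inventory[email] = {"system": system, "salt": salt, "verifier": digest}
    return inventory


# Constructed combo-list excerpt: one current Tier-0 password, one stale one
# for the same identity, an unrelated account and a malformed line.
SAMPLE_COMBO_LIST = """\
sec-admin@example.com:Winter2025!
SEC-ADMIN@example.com:Winter2024!
someone@example.org:hunter2
svc-rmm@example.com:Rmm#Service#9
malformed line without separator
"""


def parse_combo_list(text):
    """Yield (normalized_email, password) pairs, skipping unparseable lines."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)  # passwords may contain ':'
        yield email.strip().lower(), password


def check_exposure(inventory, combo_text):
    """Map each Tier-0 identity found in the list to its exposure status."""
    findings = {}
    for email, leaked_pw in parse_combo_list(combo_text):
        account = inventory.get(email)
        if account is None:
            continue
        finding = findings.setdefault(email, {
            "system": account["system"],
            "identity_exposed": True,
            "current_password_exposed": False,
        })
        if verify(leaked_pw, account["salt"], account["verifier"]):
            finding["current_password_exposed"] = True
    return findings


def rotation_plan(findings):
    """Turn findings into actions: rotate and revoke when the live secret leaked."""
    plan = []
    for email, f in sorted(findings.items()):
        if f["current_password_exposed"]:
            plan.append((email, f["system"], "rotate now; revoke sessions and tokens"))
        else:
            plan.append((email, f["system"], "identity on list; watch for auth anomalies"))
    return plan


if __name__ == "__main__":
    for action in rotation_plan(check_exposure(build_inventory(), SAMPLE_COMBO_LIST)):
        print(action)
```

The distinction between the two finding states is what makes the output actionable: an identity appearing on a combo list with an old password is a monitoring signal, while a match against the current verifier means the Tier-0 secret is live in the underground and needs rotation together with revocation of every session and token it could have minted.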