Identity Abuse Fuels 2/3 of All Breaches: Understanding the Threat


Identity Abuse Drives Nearly Two-Thirds of All Breaches, Report Finds

A recent report by Unit 42, a research group at Palo Alto Networks, has revealed that identity abuse is now the primary driver of nearly two-thirds of all breaches. The report, released on February 17, 2026, found that 65% of initial access was gained through identity-based techniques, such as social engineering and credential misuse, while vulnerabilities accounted for initial access in 22% of attacks.

Key Findings of the Report

  • 65% of initial access was gained through identity-based techniques, such as social engineering and credential misuse.
  • Exploitation of vulnerabilities provided initial access in 22% of attacks.
  • 87% of attacks now span two or more attack surfaces, blending activity across endpoints, cloud, SaaS platforms, and identity systems.
  • 48% of attacks involved the browser, as threat actors exploit routine web sessions to harvest credentials and bypass local controls.
  • Attacks targeting third-party SaaS applications have surged nearly four-fold since 2022, accounting for 23% of all attacks.

Expert Insights

According to Jason Fruge, CISO-in-residence at XM Cyber, the report emphasizes the need for organizations to prioritize remediation by assessing vulnerabilities based on their proximity to privileged identities and other identity-related exposures. “Treat a CVE affecting a critical account or identity key as a top priority, regardless of its standalone score,” Fruge said.

Shane Barney, CISO at Keeper Security, noted that identity has become the attacker’s “skeleton key.” Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens, and abused permissions, then moving laterally under the cover of legitimacy. “When identity controls are fragmented or overly permissive, attackers do not need novel exploits,” Barney said. “They just need access that looks routine.”

Sean Malone, CISO at BeyondTrust, warned that the report is a stark warning for organizations that are still defending their networks using outdated methods. “Attackers aren’t picking a single lane anymore; they’re driving across all of them,” Malone said. “When 87% of incidents span multiple attack surfaces and 90% abuse identity weaknesses, we’re long past thinking of this as ‘an endpoint problem’ or ‘an identity problem’ in isolation.”

Roy Katmor, co-founder and CEO of Orchid Security, noted that the traditional network boundary has dissolved, and access decisions across SaaS, cloud, APIs, and automation now define the real boundary. “Identity isn’t centrally installed,” Katmor said. “Every app, workload, integration, and automation onboards its own identities and auth paths: local users, service accounts, API keys/tokens, legacy directories, external domains, and now autonomous agent identities.”

Conclusion

The report’s findings highlight the growing threat posed by identity abuse and the need for organizations to prioritize remediation and security controls around identity, rather than treating it as a problem separate from endpoints, cloud, or SaaS, in order to prevent attacks.
