Identity Abuse Now Accounts for Nearly Two-Thirds of All Breaches


Identity-Based Cyberattacks on the Rise

A recent report from Palo Alto Networks’ Unit 42 highlights the growing threat of identity-based cyberattacks. According to the firm’s annual incident response report, nearly two-thirds of all initial network intrusions in the past year involved identity-based techniques. Social engineering was the leading attack method, accounting for one-third of the 750 incidents Unit 42 responded to during the period.

Attack Methods and Tactics

Attackers used a range of techniques to get past security controls, including compromised credentials and brute-force attacks, and took advantage of overly permissive identity policies once inside. Insider threats also played a significant role in many incidents. The report notes that identity-related elements were a critical factor in nearly 90% of all incidents last year.

According to Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42, the biggest challenge for defenders is detecting identity-based tactics. “Once you have an identity, you’ve got everything,” Rubin said. “It’s like having the key to the castle. Enterprises are still not very good at finding the signal in the noise, essentially detecting when an identity-based tactic is used.”

Vulnerability Exploits and Human Factors

Vulnerability exploits were also a significant factor in many incidents, accounting for 22% of initial intrusions. However, Rubin noted that humans remain the weakest link in many cases. The rise of machine-based identities and AI agents is expanding the attack surface for cybercriminals, as these entities require an identity to take action.

Software Supply Chain Challenges

The report also highlights the challenges posed by the software supply chain, particularly with regard to API access and SaaS integrations. A recent attack on Salesloft Drift customers, which impacted over 700 organizations, demonstrates the risk that a compromise of one tightly integrated third-party service can propagate to every customer connected to it.

Rubin noted that attackers are increasingly pivoting from branch offices into a victim’s headquarters or data centers because on-premises and cloud accounts carry more privilege than they need, or because the network lacks segmentation. This is what allows threat groups to turn a break-in into a significant attack.

“We see this time and again,” Rubin said. “There could have been better identity-based practices that would have constrained the blast radius, even if it didn’t stop the initial access. It’s a problem of signal and noise. How do you see and identify the one instance where a user is already authenticated but doing something they shouldn’t do?”
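The "signal in the noise" problem Rubin describes has two halves: spotting the identity-based entry (for instance a brute-forced credential) and spotting an already-authenticated account reaching somewhere it never should, such as a branch-office identity touching a data-center zone. The following Python is an added example, not code from the report or the article, that runs both checks over a handful of constructed authentication events. The JSON field names (ts, user, src, dst_zone, result), the zone names and the per-identity baseline are assumptions for the sake of illustration, not a vendor log schema.

```python
"""Identity-abuse detection over constructed authentication events.

Two detections:
  1. credential brute force: a burst of failed logins from one source
     followed by a success for the same account
  2. post-authentication anomaly: an already-authenticated account
     reaching a network zone absent from its baseline
All log lines are constructed for this example; the field names
(ts, user, src, dst_zone, result) are assumptions, not a vendor schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). svc-backup is brute-forced
# over a VPN and then used to reach the data-center zone.
SAMPLE_LOG = """\
{"ts": "2025-03-01T09:00:01Z", "user": "j.doe", "src": "10.20.1.15", "dst_zone": "branch-east", "result": "success"}
{"ts": "2025-03-01T09:01:10Z", "user": "svc-backup", "src": "203.0.113.7", "dst_zone": "vpn", "result": "failure"}
{"ts": "2025-03-01T09:01:12Z", "user": "svc-backup", "src": "203.0.113.7", "dst_zone": "vpn", "result": "failure"}
{"ts": "2025-03-01T09:01:14Z", "user": "svc-backup", "src": "203.0.113.7", "dst_zone": "vpn", "result": "failure"}
{"ts": "2025-03-01T09:01:16Z", "user": "svc-backup", "src": "203.0.113.7", "dst_zone": "vpn", "result": "failure"}
{"ts": "2025-03-01T09:01:18Z", "user": "svc-backup", "src": "203.0.113.7", "dst_zone": "vpn", "result": "failure"}
{"ts": "2025-03-01T09:01:20Z", "user": "svc-backup", "src": "203.0.113.7", "dst_zone": "vpn", "result": "success"}
{"ts": "2025-03-01T09:05:00Z", "user": "svc-backup", "src": "203.0.113.7", "dst_zone": "hq-datacenter", "result": "success"}
{"ts": "2025-03-01T09:06:00Z", "user": "j.doe", "src": "10.20.1.15", "dst_zone": "branch-east", "result": "success"}
"""

# Zones each identity normally authenticates into (assumed, constructed baseline).
BASELINE_ZONES = {
    "j.doe": {"branch-east"},
    "svc-backup": {"vpn", "branch-east"},
}


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a (user, src) pair with >= threshold failures inside `window`
    immediately followed by a success: the signature of a guessed credential."""
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
            continue
        # On success, count the failures that fall inside the window before it.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "bruteforce_then_success",
                "user": ev["user"], "src": ev["src"],
                "failures": len(recent), "ts": ev["ts"].isoformat(),
            })
        failures[key].clear()
    return alerts


def detect_out_of_baseline(events, baseline):
    """Flag successful logins into a zone the identity has no baseline for.
    This is the 'already authenticated but doing something it shouldn't' case."""
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        allowed = baseline.get(ev["user"], set())
        if ev["dst_zone"] not in allowed:
            alerts.append({
                "rule": "zone_outside_baseline",
                "user": ev["user"], "dst_zone": ev["dst_zone"],
                "baseline": sorted(allowed), "ts": ev["ts"].isoformat(),
            })
    return alerts


def run(text=SAMPLE_LOG, baseline=BASELINE_ZONES):
    """Run both detections and return the combined alert list."""
    events = parse_events(text)
    return detect_bruteforce(events) + detect_out_of_baseline(events, baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Against the constructed log this raises exactly two alerts: the five failures followed by a success for svc-backup from 203.0.113.7, and the same account's later login into hq-datacenter, a zone outside its baseline. The second alert is the one that matters for blast radius: the initial access is already done, and only a per-identity baseline (or, better, a policy that never granted that zone in the first place) makes the pivot visible.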

Legacy Systems and Security Vulnerabilities

Large and older organizations are at a greater disadvantage due to their complex technology stacks, which often include legacy systems acquired through various business deals. This leaves IT teams managing a patchwork of disparate systems that are poorly integrated, creating significant security vulnerabilities.

Rubin emphasized the importance of considering the entire attack chain, rather than focusing on individual silos. “We forgot as defenders to consider the entire attack chain,” he said. “Too often, we see defense happening in silos. Attacks that pivot from endpoints to cloud-based services are commonly missed.”

Attack Trends and Financial Motivations

The report notes that nearly 90% of the attacks Unit 42 investigated last year involved malicious activity across multiple attack surfaces. Financially motivated attacks accounted for most of the incidents, with median payments increasing 87% year-over-year to $500,000. Attackers are also getting faster, in many cases exfiltrating data from victim networks in under two days.

Report Findings and Limitations

The report’s findings are based on Unit 42’s response to 750 incidents last year. While the report provides valuable insights into attack trends and critical areas of concern, it is not comprehensive, as it only includes incidents that were severe enough to prompt victims to seek help from Unit 42.

