Identity Abuse Now Accounts for Nearly Two-Thirds of All Breaches: Cybersecurity Insights
Identity-Based Attacks Remain Primary Entry Point for Cyber Threats
A recent report from Palo Alto Networks’ threat intelligence unit, Unit 42, reveals that nearly two-thirds of breaches begin with identity abuse. The report, which analyzed 750 incidents over a one-year period ending in September 2025, found that social engineering was the leading attack method, accounting for one-third of all initial network intrusions. Compromised credentials, brute-force attacks, overly permissive identity policies, and insider threats were also common tactics used by attackers to bypass security controls.
The Role of Identity in Cyber Attacks
The report highlights the significant role identity plays in the attack lifecycle, with an identity-related element involved in nearly 90% of all incidents. According to Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42,
Rubin notes that enterprises struggle to detect identity-based tactics, as they often don’t involve unauthorized access from a technical telemetry standpoint.
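The detection gap Rubin describes is that the login itself is valid: the attacker holds a real credential, so the event is a "success" in the telemetry. One defensive answer is to compare each successful login against the account's own history rather than against an allow/deny outcome. The following is an added example, not code from the report or from Unit 42; the login events, the baseline cutoff date and the one-hour "impossible travel" window are constructed for illustration.

```python
"""Flag successful logins that are technically authorized but deviate from
the account's baseline (new country, new device, or impossible travel).

Added illustration; event data below is constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Every one is a SUCCESSFUL login, so none of them
# would trip an "unauthorized access" alert on its own.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T08:02:00", "user": "alice", "country": "DE", "device": "lap-alice-01", "result": "success"},
    {"ts": "2025-09-02T08:15:00", "user": "alice", "country": "DE", "device": "lap-alice-01", "result": "success"},
    {"ts": "2025-09-03T08:05:00", "user": "alice", "country": "DE", "device": "lap-alice-01", "result": "success"},
    {"ts": "2025-09-10T09:00:00", "user": "bob",   "country": "US", "device": "lap-bob-01",   "result": "success"},
    {"ts": "2025-09-10T09:30:00", "user": "bob",   "country": "US", "device": "lap-bob-01",   "result": "success"},
    # --- baseline window ends at BASELINE_CUTOFF; events below are evaluated ---
    {"ts": "2025-09-12T03:41:00", "user": "alice", "country": "DE", "device": "lap-alice-01",   "result": "success"},
    {"ts": "2025-09-12T03:55:00", "user": "alice", "country": "BR", "device": "unknown-android", "result": "success"},
    {"ts": "2025-09-13T10:00:00", "user": "bob",   "country": "US", "device": "lap-bob-01",     "result": "success"},
]
BASELINE_CUTOFF = datetime(2025, 9, 11)  # assumed split between "history" and "live"


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_baseline(events, cutoff):
    """Per user: the countries and devices seen in successful logins before cutoff."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        if e["result"] != "success" or parse_ts(e["ts"]) >= cutoff:
            continue
        baseline[e["user"]]["countries"].add(e["country"])
        baseline[e["user"]]["devices"].add(e["device"])
    return baseline


def detect_anomalous_logins(events, baseline, cutoff, travel_window=timedelta(hours=1)):
    """Return findings for successful logins at/after cutoff that deviate from baseline."""
    findings = []
    last_seen = {}  # user -> (timestamp, country) of the previous evaluated login
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        ts = parse_ts(e["ts"])
        if e["result"] != "success" or ts < cutoff:
            continue
        user = e["user"]
        known = baseline.get(user, {"countries": set(), "devices": set()})
        reasons = []
        if e["country"] not in known["countries"]:
            reasons.append(f"new_country:{e['country']}")
        if e["device"] not in known["devices"]:
            reasons.append(f"new_device:{e['device']}")
        prev = last_seen.get(user)
        # Two successes from different countries inside the travel window.
        if prev and prev[1] != e["country"] and ts - prev[0] <= travel_window:
            minutes = int((ts - prev[0]).total_seconds() // 60)
            reasons.append(f"impossible_travel:{prev[1]}->{e['country']} in {minutes} min")
        if reasons:
            findings.append({"user": user, "ts": e["ts"], "reasons": reasons})
        last_seen[user] = (ts, e["country"])
    return findings


def run_demo():
    baseline = build_baseline(SAMPLE_EVENTS, BASELINE_CUTOFF)
    return detect_anomalous_logins(SAMPLE_EVENTS, baseline, BASELINE_CUTOFF)


if __name__ == "__main__":
    for f in run_demo():
        print(f["ts"], f["user"], ", ".join(f["reasons"]))
```

Only the 03:55 login for `alice` is flagged, and it is flagged for three independent reasons; the 03:41 login from the same account is off-hours but matches her baseline and is left alone. In practice the baseline would be built from a rolling window of the identity provider's sign-in logs, and the country/device fields would come from the IdP's own enrichment.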
Vulnerability Exploits and Human Error
While vulnerability exploits remain a significant threat, accounting for 22% of initial intrusions, human error remains the weakest link in the security chain. The rise of machine-based identities and AI agents is expanding the attack surface for cybercriminals, who can use these identities to take action. The software supply chain is also vulnerable, particularly when it comes to API access and SaaS integrations.
Consequences of Weak Identity Controls
A recent attack on Salesloft Drift customers demonstrates the potential consequences of weak identity controls. The attack, which impacted over 700 organizations, highlighted the risks of tightly integrated services and the potential for attackers to move laterally through a network. Rubin notes that attackers often jump from branch offices to headquarters or data centers due to over-permissioned accounts and cloud-based accounts with excessive privileges.
Recommendations for Better Identity-Based Practices
The report emphasizes the need for better identity-based practices to constrain the blast radius of attacks. However, this can be a challenge, particularly for large and older organizations with complex, poorly integrated technology stacks. Rubin notes that defenders often focus on individual components of the attack chain rather than considering the entire lifecycle of an attack.
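The over-permissioned and excessively privileged accounts mentioned in the two preceding sections are what make the blast radius large: once a credential is abused, the damage is bounded only by what that identity is allowed to do. A first step toward constraining it is a mechanical audit of the policies attached to identities. The following is an added example, not code from the report or from Unit 42; it assumes an IAM-style JSON policy shape (`Statement` / `Effect` / `Action` / `Resource`), and the three sample policies are constructed for illustration.

```python
"""Audit IAM-style policy documents for grants that widen the blast radius
of a compromised identity. Added illustration; the sample policies are
constructed, not taken from any real environment."""
import json

# Constructed sample policies: one scoped tightly, two that are not.
SAMPLE_POLICIES = {
    "branch-office-sync": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-branch-bucket",
                         "arn:aws:s3:::example-branch-bucket/*"],
        }],
    },
    "legacy-ops-role": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
    },
    "ci-deployer": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:*", "lambda:UpdateFunctionCode"],
            "Resource": "*",
        }],
    },
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, severity, detail) for each over-broad Allow."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow, not widen, the blast radius
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resource = "*" in resources
        if "*" in actions and wildcard_resource:
            findings.append((i, "ADMIN_EQUIVALENT", "Action '*' on Resource '*'"))
        elif wildcard_actions and wildcard_resource:
            findings.append((i, "SERVICE_WIDE",
                             f"{', '.join(wildcard_actions)} on Resource '*'"))
        elif wildcard_actions:
            findings.append((i, "SERVICE_WIDE_SCOPED",
                             f"{', '.join(wildcard_actions)} on scoped resources"))
        elif wildcard_resource:
            findings.append((i, "UNSCOPED_RESOURCE",
                             f"{', '.join(actions)} on Resource '*'"))
    return findings


def audit_all(policies):
    """Map policy name -> findings; an empty list means nothing over-broad found."""
    return {name: audit_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_POLICIES), indent=2))
```

The scoped `branch-office-sync` policy produces no findings; `legacy-ops-role` is admin-equivalent, and `ci-deployer` is flagged because `s3:*` is granted on every resource. Running a check like this over every role and user policy, and treating any ADMIN_EQUIVALENT or SERVICE_WIDE result as a ticket to scope down, is one concrete way to shrink what an abused identity can reach.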
Financially Motivated Attacks
Financially motivated attacks accounted for the majority of incidents analyzed in the report, with median payments increasing 87% year-over-year to $500,000. Attackers are also becoming more efficient, exfiltrating data from victim networks in a median duration of two days. In 22% of cases, attackers stole data in under one hour.
Limited Visibility into the Global Threat Landscape
While the report provides valuable insights into attack trends and techniques, it is limited to incidents that prompted victims to seek help from Unit 42. Rubin notes that t
