SpyCloud 2026 Report: Non-Human Identity Theft Explodes as Dark Web Data Hits 65.7 Billion Records

SpyCloud’s 2026 report reveals a surge in stolen API keys and session tokens, totaling 65.7B dark web records and highlighting the failure of traditional MFA.

By: AXL Media

Published: Mar 19, 2026, 10:32 AM EDT

Source: Information for this report was sourced from SpyCloud

The Evolution of Identity Exploitation

The 2026 Identity Exposure Report, released by Austin-based SpyCloud, paints a stark picture of an "industrialized" criminal underground. The firm’s "datalake" of recaptured stolen information now totals a staggering 65.7 billion distinct records. While traditional credential theft remains high, the report identifies a "structural shift" in how attackers operate. Rather than just collecting usernames and passwords, bad actors are now constructing "composite identity profiles" that combine breach data, malware logs, and session tokens to bypass modern defenses at scale.

The Surge in Non-Human Identities (NHI)

The report’s most significant finding is the explosion of stolen machine identities. In 2025, SpyCloud recaptured 18.1 million exposed API keys and automation tokens. These non-human identities are used by cloud services, payment platforms, and AI tools to communicate without human intervention. Unlike human accounts, NHIs often lack Multi-Factor Authentication (MFA) and are rarely rotated. Notably, 6.2 million identified credentials were tied specifically to AI tools, reflecting the rapid and often unmonitored adoption of generative AI in corporate workflows.

Phishing and the Tycoon 2FA Takedown

Phishing remains a top threat, with 28.6 million identity records recaptured in 2025—nearly half belonging to corporate users. The report highlights the "Tycoon 2FA" disruption on March 4, 2026. This major international operation, led by Europol and Microsoft, dismantled a "Phishing-as-a-Service" platform that allowed criminals to bypass MFA by stealing live session cookies. This "Adversary-in-the-Middle" (AitM) technique effectively renders traditional one-time passcodes useless by hijacking the active "logged-in" state of a user.
