The credential crisis: How trusted access became the biggest enterprise risk

COMMENTARY: From executive credentials to cloud accounts and cross-vendor access, identity-based attacks are now the linchpin of many high-impact breaches. Looking ahead to 2026, one thing is clear: organizations that fail to prioritize identity security risk being blindsided by increasingly sophisticated and stealthy attacks.

The year attackers logged in

Breaches in 2025 revealed a hard truth that many security leaders have long known but few have fully acted on: the greatest vulnerabilities are no longer unpatched systems or zero-day exploits — they’re the trusted logins, tokens, and integrations we rely on every day.

Attackers no longer “break in” the way they once did. They leverage the same credentials that power cloud workloads and third-party APIs to move through digital environments like insiders — and in too many cases, they do so for months before anyone notices. One analysis found the average identity-based breach took nearly 10 months to detect and contain, an eternity in cybersecurity terms.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Identity, once considered an administrative layer, has become the defining battleground of enterprise security. The question heading into 2026 isn’t whether attackers will continue targeting identities, but whether the industry will finally treat identity as the foundation of resilience rather than a subset of access control.

Credentials as weapons

The breach landscape over the past year has made that question impossible to ignore. Consider the PowerSchool incident, one of the largest education-sector breaches ever recorded. Attackers exploited a single unprotected maintenance credential without MFA to access the data of 62 million students and nearly 10 million teachers. No exploit chain or malware, just one forgotten account.

Or take the Akira ransomware campaign, which hijacked VPN credentials and bypassed one-time-password MFA to compromise SonicWall devices worldwide. In less than an hour, attackers went from initial access to full encryption, a pace that rendered even the best incident response playbooks obsolete.


Retailers weren’t spared either. Both Marks & Spencer and Co-op UK were breached through social engineering of third-party IT help desks. By impersonating employees, attackers persuaded contractors to reset passwords, seizing control of Active Directory domains and halting operations. Hundreds of millions were lost, not because technology failed, but because identity trust was misplaced.

The ever-expanding attack surface

Machine identity sprawl has emerged as a defining challenge for enterprises. Non-human accounts (API keys, service tokens, bots and the like) now outnumber people in most organizations, yet many still don’t treat them as privileged identities. That blind spot has fueled a wave of machine-to-machine compromises.

The Salesloft/Drift OAuth token theft was a wake-up call. In August, threat actor UNC6395 stole refresh tokens from a popular sales integration and used them to siphon Salesforce data from more than 700 customer environments. It was a breach without malware or phishing, just hijacked trust.

Third-party identity risks also surged. The Allianz Life breach, which exposed 1.4 million policyholders, didn’t exploit a vulnerability in Allianz’s infrastructure at all: attackers used stolen API credentials from a cloud CRM vendor to query customer data. As investigators put it, they “fooled the system not the servers.” Similar incidents at Adidas, Harrods, and Cartier/Dior all stemmed from over-privileged service accounts or expired tokens.

Looking ahead, the proliferation of machine and third-party identities shows no signs of slowing. Organizations that fail to secure these invisible accounts risk remaining blind to the most insidious attacks on the horizon.

Building identity resilience

If identity is now our core infrastructure, resilience must become a daily discipline and not a delayed initiative. That starts with eliminating the easy wins for attackers. Push-based MFA and OTP codes have already shown their limits through fatigue and social-engineering attacks. Hardware-backed authentication needs to become the default, especially for privileged, service, and vendor accounts.

Equally urgent is reining in the explosion of machine identities. API keys, OAuth tokens, and unattended service accounts now proliferate faster than most security teams can track, and yet many organizations still fail to classify them as privileged. Continuous discovery and lifecycle governance are essential to prevent a single forgotten credential from becoming the next PowerSchool-style foothold.



No single control solves identity risk, but when authentication is phishing-resistant, machine trust is governed, vendor access is continuously verified, and credential misuse is detected in real time, attackers lose the camouflage that has made identity their easiest ingress point. Identity resilience isn’t built through one technology shift, but earned through relentless governance of every login that powers a business.

The road ahead

Security practitioners talk about shifting left, but identity requires a complete shift in mindset. The organizations best positioned in 2026 will be the ones that treat identity not as the last mile of security, but as the first mile of resilience. 

If the past year has taught us anything, it’s that identity risk does not just escalate, it compounds. Every new integration adds another connection to defend and every unattended account becomes a potential disguise. 

In a world where digital trust is the most valuable target, proactive identity defense is the only sustainable advantage. Leaders who recognize this now will navigate the next wave of threats with confidence into 2026 and beyond. Those who wait for another wake-up call may find it arrives wearing their own credentials.

Guy Kozliner

Guy Kozliner is the CEO and Co-founder of Rig Security.  
