Credential theft dominated 2025
Recorded Future data shows credential theft was the top initial access vector for enterprise breaches in 2025, with attackers favoring phishing, password spraying, and credential reuse. The finding makes strong MFA, rapid deprovisioning, and credential hygiene across school accounts more important. (biometricupdate.com)
Recorded Future’s 2025 Identity Threat Landscape report counted 1.95 billion malware combo‑list credential exposures, 892 million malware‑log exposures, 36 million database combo‑list exposures, and 24 million database‑dump exposures. (recordedfuture.com/blog/identity-trend-report-march-blog)
The report shows a sharp acceleration through the year: 50% more credentials were indexed in the second half of 2025 than in the first half, and the final three months showed 90% more volume than the first three months. (recordedfuture.com/blog/identity-trend-report-march-blog)
Of seven million credentials in the dataset that included identifiable authorization URLs, 63.2% were tied to authentication systems, with VPNs, remote‑management (RMM) tools, cloud platforms and security‑detection software repeatedly appearing as the targeted services. (recordedfuture.com/blog/identity-trend-report-march-blog)
Recorded Future indexed 276 million credentials that included active session cookies (equal to 31% of malware‑sourced credentials), a class of artifacts the report says can be used to circumvent multi‑factor authentication protections. (recordedfuture.com/blog/identity-trend-report-march-blog)
Indexing lag and per‑device yield amplified the risk: 53% of exfiltrated credentials were indexed within one week and 36.4% within 24 hours, while each compromised endpoint produced an average of 87 stolen credentials. (recordedfuture.com/blog/identity-trend-report-march-blog)
Independent industry telemetry mirrored the trend: Check Point reported a 160% surge in compromised credentials in 2025, Verizon’s 2025 DBIR found compromised credentials were the initial access vector in 22% of breaches, and SecurityScorecard researchers warned of a 130,000‑device botnet used for large‑scale password spraying against Microsoft 365. (itpro.com) (verizon.com) (therecord.media)