Fraud Alert: Identity-based Attacks Are Rising with Stolen Credentials
Identity-based cyberattacks are now among the most serious and fastest-growing online threats affecting both individuals and organisations across the world. New research from Sophos X-Ops counter threat unit (CTU) shows that the number of stolen login details for sale on the dark web has increased by 106% between June 2024 and June 2025. This sharp rise demonstrates how hackers now view digital identities as a valuable commodity in the world of cybercrime.
 
The Sophos active adversary report revealed that stolen credentials are once again the main cause of cyberattacks for the second year in a row. According to the report, 56% of all incidents investigated by Sophos’ managed detection and response (MDR) and incident response teams involved criminals logging into remote systems using valid usernames and passwords, rather than breaking in through brute-force methods.
 
Explaining the trend, Rob Harrison, senior vice president (SVP) for product management at Sophos, says, “Cloud computing and remote work have widened the attack surface for identity-based threats, creating more chances for hackers. Complex identity and access management systems with constantly changing settings and policies often leave gaps that attackers exploit.”
 
Shift From Perimeter to Identity
For many years, cybersecurity has relied on protecting the network’s outer boundary using tools such as firewalls, network segmentation, and endpoint protection. But with the rise of remote work, cloud services, and artificial intelligence (AI), that traditional network perimeter has largely disappeared. Today, cybercriminals do not need to 'break in' — they simply log in.
 
Identity-based attacks target a person’s or system’s digital credentials — such as usernames, passwords, tokens, or digital certificates — to pose as authorised users. Once they gain access, attackers can move through the network, raise their privileges, and steal confidential or financial information, all while appearing to be legitimate users.
 
Rise of Machine Identities
A worrying new trend is emerging in the world of cybersecurity — the rapid growth of machine identities. According to CyberArk’s 2025 threat landscape report, machine identities — which belong to bots, application programming interfaces (APIs), AI systems, and cloud workloads — now outnumber human identities by 82 to 1. Almost half of these have privileged or sensitive access rights, yet many are poorly protected or not managed at all.
 
The phrase 'rise of the machines' is no longer science fiction — it is becoming a real cybersecurity problem. As more organisations rush to adopt AI and automate their operations, they are unintentionally creating thousands of unsecured AI agents and service accounts with powerful access permissions.
 
Clarence Hinton, chief strategy officer at CyberArk, warned that this new wave of AI integration is creating serious security risks. “The race to embed AI into environments has inadvertently created a new set of identity security risks centred around unmanaged and unsecured machine identities. The privileged access of AI agents will represent an entirely new threat vector,” he says.
 
How Identity-Based Attacks Work
Identity-based attacks usually follow a simple but highly effective pattern:
 
1. Credential theft:
Hackers steal or buy usernames and passwords through phishing emails, malware infections, or dark web marketplaces.
 
2. Legitimate login:
Using these real login details, attackers access systems, cloud accounts, or emails — appearing as authorised users and bypassing traditional security alerts.
 
3. Privilege escalation:
Once inside, they gain higher access rights, such as administrator privileges, to move deeper into the system.
 
4. ‘Living off the land’:
Instead of using suspicious hacking tools, cybercriminals employ legitimate system tools, such as PowerShell, Remote Desktop, or cloud consoles, to avoid detection.
 
5. Data theft or destruction:
Ultimately, attackers steal sensitive data or install ransomware, resulting in significant financial and reputational harm to the victims.
 
Common Types of Identity-Based Attacks
Phishing: Cybercriminals send fake emails or messages to trick people into sharing their login details or clicking on malicious links.
 
Credential stuffing: Hackers use stolen usernames and passwords from old data breaches to try logging into multiple online accounts.
 
Password spraying: Instead of targeting a single account repeatedly, attackers test a few common passwords (like Password@123) across thousands of accounts to avoid being locked out.
 
Social engineering: Criminals manipulate or impersonate trusted people — such as colleagues, IT staff, or company executives — to steal confidential information.
 
Brute-force attacks: Attackers use automated tools to guess passwords repeatedly until they find the right one.
 
Golden or silver ticket attacks: Hackers use stolen login details to create fake digital access passes (tokens or ‘tickets’), allowing them to secretly enter and remain in an organisation’s network for an extended period without being detected. A golden ticket grants attackers full access across the network, while a silver ticket provides partial access to specific services — both allowing for undetected, long-term intrusions.
 
Why Identity Is the New Attack Surface
The shift to digital systems, cloud services, and hybrid work has made life easier — but it has also widened the attack surface for cybercriminals. Every employee, contractor, or connected device is now a potential entry point into an organisation. If even one user’s identity is compromised, attackers can often move freely between systems and networks, especially where zero-trust security is not enforced.
 
In many cases, hackers don’t even need complex malware. They take advantage of weak passwords, reused credentials, or unsecured high-access accounts. With remote work and AI tools creating more digital access points than ever, even a small security lapse can lead to a major data breach.
 
How Common Users Can Protect Their Identity
Cybercriminals are no longer just after big companies — they are increasingly targeting individuals through social media scams, bank fraud and data theft. 
 
Here are some easy and effective ways to protect your identity online:
 
Use strong, unique passwords
Never reuse the same password on multiple sites. Create passwords with at least 13–16 characters using a mix of letters, numbers, and symbols. A password manager can help you create and store strong passwords safely.
 
Enable multi-factor authentication (MFA)
Turn on MFA for all important accounts such as email, banking, and social media. Even if hackers get your password, they will not be able to log in without the extra verification code.
 
Be wary of phishing messages
Be cautious of emails, text messages, or WhatsApp and Telegram messages that ask you to click on links or update login details. Always check the sender’s email address carefully. When in doubt, go directly to the official website instead of clicking on links.
 
Recently, Deepak Shenoy, chief executive officer (CEO) of Capitalmind AMC, highlighted a phishing email in which fraudsters used a fake domain, ‘rnicrosoft.com’, resembling ‘microsoft’. At first glance, the letters ‘rni’ look like ‘mi’ in Microsoft, tricking users into believing the message is genuine.
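As an added illustration of how a mail filter can catch the ‘rnicrosoft.com’ trick described above (example code written for this column, not a tool from Sophos, CyberArk or Capitalmind), the check below collapses visually confusable character sequences before comparing a sender’s domain with a trusted list. The confusable table and the trusted list are constructed and deliberately small, and the registrable-domain logic is a naive assumption that ignores the Public Suffix List.

```python
# Added example (not from the column): spot sender domains that only look like a trusted
# one, such as 'rnicrosoft.com' for 'microsoft.com'. The confusable table and trusted list
# are constructed and deliberately small; production filters use full confusable data.
CONFUSABLES = [            # multi-character sequences first, then single characters
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]
TRUSTED = {"microsoft.com", "yourbank.example"}   # "yourbank.example" is a placeholder


def skeleton(domain):
    """Collapse visually confusable sequences so look-alikes map to the same string."""
    domain = domain.lower()
    for seq, replacement in CONFUSABLES:
        domain = domain.replace(seq, replacement)
    return domain


def registrable(domain):
    """Naive registrable domain: the last two labels (assumption: no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_sender(address):
    """Return 'trusted', 'lookalike' or 'unknown' for an e-mail address."""
    domain = address.rsplit("@", 1)[-1].lower()
    reg = registrable(domain)
    if reg in TRUSTED:
        return "trusted"
    trusted_skeletons = {skeleton(t) for t in TRUSTED}
    if skeleton(reg) in trusted_skeletons:
        return "lookalike"          # e.g. rnicrosoft.com, micr0soft.com
    # Trusted name planted as a subdomain of an attacker-controlled registrable domain.
    if any(domain.startswith(t + ".") for t in TRUSTED):
        return "lookalike"          # e.g. microsoft.com.login-check.example
    return "unknown"


if __name__ == "__main__":
    for addr in ("it@microsoft.com", "billing@rnicrosoft.com",
                 "alerts@micr0soft.com", "help@microsoft.com.login-check.example",
                 "friend@example.org"):
        print(addr, "->", classify_sender(addr))
```

A legitimate domain that happens to contain a confusable pair (for instance ‘rn’) will also be flagged, so a ‘lookalike’ verdict is a prompt for manual review, not proof of fraud.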
 
Monitor your accounts regularly
Check your bank statements, email alerts, and social media logins often. Most platforms show recent login locations — review these to spot any suspicious activity.
 
Keep devices and software updated
Install updates for your operating system, browsers, and apps as soon as they are released. Enable automatic updates if possible, as these patches often address security flaws that hackers exploit.
 
Avoid public Wi-Fi for sensitive tasks
Do not log into your banking or financial accounts using public Wi-Fi. If you must access sensitive services while travelling, use a virtual private network (VPN) for secure connectivity.
 
Use security tools and monitor activity 
Install trusted antivirus or endpoint protection software to detect malware that steals credentials. For workplace users, tools like user behaviour analytics (UBA) can help identify unusual login attempts.
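To show concretely how the UBA-style tooling mentioned above can tell apart the brute-force and password-spraying patterns described in the ‘Common Types’ section, and then flag the ‘legitimate login’ stage that follows a successful spray, here is an added example written for this column (not code from Sophos or any product). The log lines are constructed sample data; the thresholds are assumptions and would be tuned to the platform’s lockout policy.

```python
from collections import defaultdict

# Constructed sample authentication events (not real logs): timestamp, result, account, source IP.
SAMPLE_LOG = """\
2025-06-01T09:00:01 FAIL alice 203.0.113.10
2025-06-01T09:00:03 FAIL alice 203.0.113.10
2025-06-01T09:00:05 FAIL alice 203.0.113.10
2025-06-01T09:00:07 FAIL alice 203.0.113.10
2025-06-01T09:00:09 FAIL alice 203.0.113.10
2025-06-01T09:10:00 FAIL bob 198.51.100.7
2025-06-01T09:10:02 FAIL carol 198.51.100.7
2025-06-01T09:10:04 FAIL dave 198.51.100.7
2025-06-01T09:10:06 FAIL erin 198.51.100.7
2025-06-01T09:10:08 FAIL frank 198.51.100.7
2025-06-01T09:12:00 SUCCESS dave 198.51.100.7
2025-06-01T09:30:00 SUCCESS alice 192.0.2.5
"""


def parse(log_text):
    """Yield (result, account, source) tuples; the timestamp is kept only for ordering."""
    for line in log_text.splitlines():
        if line.strip():
            _ts, result, account, source = line.split()
            yield result, account, source


def analyze(log_text, brute_threshold=5, spray_accounts=5, per_account_max=2):
    """Flag brute force, password spraying, and successful logins from a spraying source."""
    failures = defaultdict(lambda: defaultdict(int))   # source -> account -> failure count
    successes = []                                      # (source, account) in log order
    for result, account, source in parse(log_text):
        if result == "FAIL":
            failures[source][account] += 1
        elif result == "SUCCESS":
            successes.append((source, account))
    findings = {"brute_force": [], "password_spray": [], "success_from_spray_source": []}
    for source, per_account in failures.items():
        for account, count in per_account.items():
            if count >= brute_threshold:                # one account hammered repeatedly
                findings["brute_force"].append((source, account, count))
        # Spray: many accounts, each kept below the lockout threshold (the column's description).
        if len(per_account) >= spray_accounts and max(per_account.values()) <= per_account_max:
            findings["password_spray"].append((source, len(per_account)))
    sprayers = {source for source, _ in findings["password_spray"]}
    # Stage 2 of the attack pattern: a valid login using credentials found by spraying.
    findings["success_from_spray_source"] = [(s, a) for s, a in successes if s in sprayers]
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```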
 
Adopt a zero-trust mindset
‘Zero trust’ means never automatically trusting any user or device, even inside your own network. Always verify identities and limit access to only what is necessary.
 
Limit what you share online
Avoid posting too much personal information, such as your date of birth, phone number, or workplace, on social media. Scammers often collect these details to impersonate victims.
 
Stay informed 
Cyber threats evolve every day. Follow alerts from CERT-In, your bank, trusted cybersecurity sources or this column to stay informed about new scams and emerging attack methods.
 
Identity-based attacks have completely changed today’s cybersecurity landscape. With more than half of global cyber incidents involving valid login credentials, your digital identity is now as valuable — and as vulnerable — as your money.
 
While companies must strengthen their identity and access management systems, individuals also need to take active steps to protect their personal credentials. Every stolen password, reused login, or unsecured AI bot adds to this growing threat.
 
Remember, in a world where attackers log in instead of breaking in, your best defence is vigilance, verification, and control over your digital identity.
 
Stay Alert, Stay Safe!
 