
Stolen Credentials Report: KELA Reveals 2.86 Billion Records Exposed


The digital perimeter has not just moved; it has effectively dissolved. According to the newly released Stolen Credentials Report (formally titled State of Cybercrime 2026, from threat intelligence vendor KELA), the global security ecosystem is contending with 2.86 billion compromised records documented over the last twelve months. The volume is more than a statistical spike; it marks a change in how intrusions begin. Threat actors no longer need to invest in the labor-intensive work of exploiting zero-day software vulnerabilities. They simply log in.

The 2026 Stolen Credentials Report: A Year of Identity Collapse

The data released on April 30, 2026, paints a grim picture of the current threat landscape. KELA’s researchers identified approximately 3.9 million unique machines infected with infostealer malware globally in the past year alone. These infections were not merely targeting home users; they served as the primary pipeline for the 347.5 million credentials extracted directly from malware logs. When combined with historical breach databases and underground marketplace aggregations, the total pool of weaponized identity data has reached a critical mass that renders traditional password-based security models obsolete.

One of the most alarming findings in the Stolen Credentials Report is the high-value nature of the exposed data. Security analysts found that:

  • 30% of all exposed data is now tied directly to business cloud and authentication services.
  • Over 75% of compromised credentials involve high-privilege access points, including Content Management Systems (CMS), email servers, and corporate VPNs.
  • The United States remains the primary target, accounting for over 53% of documented ransomware victims, many of which began with initial access via stolen credentials.

Infostealers 2.0: The Technical Evolution of Vidar and StealC

The “Great Credential Harvest” of 2025-2026 was largely driven by a generational leap in infostealer malware. Following the 2025 law enforcement actions against the Lumma and Rhadamanthys infrastructures, a new leader has emerged: Vidar 2.0. Rewritten in C (moving away from its C++ origins), Vidar 2.0 uses a multithreaded architecture that collects from hundreds of sources in parallel, cutting the time it needs to run on a victim's machine (what the report calls its “dwell time”) to seconds, so the logs are typically gone before any endpoint alert is acted on.

Bypassing App-Bound Encryption

Modern browsers such as Google Chrome have implemented App-Bound Encryption to protect cookies and saved passwords on Windows, but the 2026 report highlights that this defense has already been bypassed. The mechanism wraps the key stored in Chrome's Local State file so that only a SYSTEM-level elevation service, after checking that the caller is the Chrome binary, will unwrap it; a process running as the user can no longer decrypt the data with DPAPI alone. Current infostealers get around this by injecting into, or driving, a running browser process and letting Chrome decrypt on their behalf, at which point the Cookies and Login Data SQLite databases can be read in clear. The point for defenders is that App-Bound Encryption raises the bar from user-level to process-identity-level, not to the hardware level: a stealer executing with the user's rights still wins once it controls a browser process.

The macOS Myth Shattered

Perhaps the most shocking technical metric in the report is the 7,000% surge in macOS-specific infostealer infections. Historically, macOS was viewed as a “safe haven” for executives and developers. Threat actors have realized this and shifted their focus toward the “Atomic Stealer” (AMOS) and its successors. These tools specifically target the Keychain and local browser profiles of high-value targets, resulting in the theft of proprietary source code and administrative cloud tokens.

Session Hijacking: Why 2FA is Failing at Scale

The industry has long viewed Multi-Factor Authentication (MFA) as the ultimate safeguard. However, the 2026 data shows that 87% of successful cyberattacks now involve session hijacking. The technique, often called “Pass-the-Cookie,” sidesteps second factors that are only checked at login time (SMS OTP, TOTP, push notifications) without the attacker ever seeing the code: the session cookie is issued after every factor has been satisfied, so whoever holds the cookie inherits the result of that check, however strong the factor was.

The process is devastatingly efficient:

  1. The infostealer exfiltrates the active session tokens and authentication cookies stored in the user’s browser.
  2. These tokens are sold on underground markets like “Russian Market” or distributed via private Telegram “Logs” channels.
  3. The attacker imports these cookies into a “hardened” browser instance (often using anti-detect browser technology).
  4. The target service (e.g., Salesforce, Microsoft Entra ID (formerly Azure AD), or Okta) recognizes the session as already authenticated, granting the attacker full access without a new login prompt.

By stealing the proof that a session has already been authenticated rather than the password, attackers “log in” as a trusted user who has already passed the perimeter checks. The report puts the resulting “breakout time” (the interval between initial infection and lateral movement) at a record low of just 27 seconds.
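The four steps above describe a bearer-token problem: whatever produced the cookie, the server only checks that the cookie exists. The Go program below, written for this article and not taken from KELA or from any vendor, contrasts a plain bearer-cookie session store with one that records a client-context binding at login and re-checks it on every request, then shows a replayed cookie being accepted by the first and rejected (with the session revoked) by the second. The TLS fingerprint strings, user agents and address prefixes are constructed values; a real deployment would take them from the TLS terminator and the request.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// ClientContext is what the server can observe about whoever presents a cookie.
// In production it would come from the TLS terminator (a JA4-style fingerprint
// or a client certificate) and from request metadata; the values used in main
// are constructed for this example.
type ClientContext struct {
	TLSFingerprint string
	UserAgent      string
	IPPrefix       string // a network prefix, so roaming inside one ISP does not trip the check
}

// Hash folds the context into the single binding value kept with the session.
func (c ClientContext) Hash() string {
	h := sha256.Sum256([]byte(c.TLSFingerprint + "\x00" + c.UserAgent + "\x00" + c.IPPrefix))
	return hex.EncodeToString(h[:])
}

type session struct {
	user     string
	binding  string
	issuedAt time.Time
}

// Store holds server-side sessions. With bind=false a cookie is a pure bearer
// token (the pass-the-cookie "before"); with bind=true each request is checked
// against the context seen at login and sessions live only for maxAge.
type Store struct {
	mu       sync.Mutex
	sessions map[string]*session
	maxAge   time.Duration
	bind     bool
}

func NewStore(bind bool, maxAge time.Duration) *Store {
	return &Store{sessions: make(map[string]*session), maxAge: maxAge, bind: bind}
}

// Login issues an opaque 256-bit cookie value once the user has authenticated.
// How they authenticated (password, OTP, passkey) is irrelevant from here on.
func (s *Store) Login(user string, ctx ClientContext, now time.Time) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[tok] = &session{user: user, binding: ctx.Hash(), issuedAt: now}
	return tok
}

type Verdict int

const (
	Allow               Verdict = iota
	DenyUnknown                 // never issued, or already revoked
	DenyExpired                 // past maxAge; the user must authenticate again
	DenyBindingMismatch         // presented from a different client context; session revoked
)

// Check runs on every request, not only at login.
func (s *Store) Check(tok string, ctx ClientContext, now time.Time) (string, Verdict) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[tok]
	if !ok {
		return "", DenyUnknown
	}
	if now.Sub(sess.issuedAt) > s.maxAge {
		delete(s.sessions, tok)
		return "", DenyExpired
	}
	if s.bind && !hmac.Equal([]byte(sess.binding), []byte(ctx.Hash())) {
		// A replay from elsewhere: revoke for everyone, including the legitimate
		// user, and hand the user name to whoever triages the alert.
		delete(s.sessions, tok)
		return sess.user, DenyBindingMismatch
	}
	return sess.user, Allow
}

func main() {
	// Constructed contexts: the victim's laptop and an anti-detect browser elsewhere.
	victim := ClientContext{"t13d1516h2_8daaf6152771_e5627efa2ab1", "Mozilla/5.0 (Macintosh)", "203.0.113.0/24"}
	attacker := ClientContext{"t13d1517h2_5b57614c22b0_3d5edc6f0b4e", "Mozilla/5.0 (Windows NT 10.0)", "198.51.100.0/24"}
	now := time.Now()

	naive := NewStore(false, 30*24*time.Hour) // long-lived bearer cookie, as commonly deployed
	tok := naive.Login("alice", victim, now)
	u, v := naive.Check(tok, attacker, now)
	fmt.Printf("bearer cookie, replayed by attacker: user=%q verdict=%d (0 = Allow)\n", u, v)

	bound := NewStore(true, time.Hour)
	tok = bound.Login("alice", victim, now)
	_, v = bound.Check(tok, attacker, now)
	fmt.Printf("bound cookie, replayed by attacker: verdict=%d (3 = DenyBindingMismatch)\n", v)
	_, v = bound.Check(tok, victim, now)
	fmt.Printf("bound cookie, victim after revocation: verdict=%d (1 = DenyUnknown)\n", v)
}
```

The binding hash is deliberately coarse (a network prefix rather than an address) so that a laptop moving between access points does not log its owner out; what it will not tolerate is a different TLS stack on a different network, which is exactly what an anti-detect browser on the attacker's host looks like. Revoking on mismatch penalises the victim as well, and that is the intended trade: forcing one re-login is cheaper than letting the stolen session live. This is the mechanism behind the “continuous trust” recommendation later in the article.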

The Rise of Autonomous AI and “Vibe Hacking”

The Stolen Credentials Report further identifies the industrialization of cybercrime through Agentic AI. We are no longer facing human hackers manually entering credentials. Instead, autonomous AI agents now orchestrate 90% of the intrusion lifecycle for elite threat groups. These agents use stolen session tokens to automatically map out a company’s internal cloud architecture, identify sensitive repositories, and deploy ransomware at machine speed.

A new technique dubbed “Vibe Hacking” has also surfaced. In these scenarios, attackers use stolen identities to trick corporate AI assistants (like Copilot or internal LLMs) into performing malicious tasks. By posing as a legitimate user via a stolen session, the attacker can ask the AI to “summarize the last three weeks of financial audits” or “generate a list of all active API keys,” effectively turning a company’s own productivity tools against them.

The Strategic Response: A Mandatory “Passkey Pivot”

In light of these findings, security analysts are no longer suggesting a transition away from passwords; they are demanding it. The industry consensus is a “Passkey Pivot” toward FIDO2/WebAuthn standards. Passkeys represent a fundamental departure from shared secrets. Unlike a password, a passkey is a cryptographic key pair: the server holds only the public key, and the private key stays on the user's authenticator (phone, laptop, or YubiKey). That holds strictly for device-bound passkeys; synced passkeys are replicated between a user's own devices through the platform's end-to-end encrypted keychain, but are still never exposed to the relying party or to a login page. Note that a passkey replaces the password at login; it does not change what a session cookie is once the login has succeeded.

Technical Advantages of Passkeys (FIDO2)

  • Phishing Resistance: A passkey is bound to the relying-party identifier (domain) it was registered for, and the browser, not the page, writes the true origin of the requesting site into the signed client data. A phishing page on another domain cannot even request the credential, and an assertion it somehow obtained would carry the wrong origin and fail verification at the real service.
  • Zero Shared Secrets: The server stores only a public key and a credential ID. Even if a company's entire user database is leaked (as in the 2.86 billion record count), that data does not let anyone log in.
  • User Verification: Each authentication requires a local gesture (Face ID, Touch ID, or PIN) on the authenticator, which the assertion reports through its user-verified flag, giving the service assurance that the person using the device is its enrolled owner.
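To make the three properties concrete, here is an added Go example (written for this article, not code from any passkey vendor or from the report) of the WebAuthn assertion ceremony in miniature: an authenticator that holds an ES256 private key, and a relying party that stores only the public key and checks the challenge, origin, RP ID hash, user-verification flag and signature. The domains example.com and example-login.com, the user name alice and the challenge bytes are constructed for the example; a real server issues a random challenge per login attempt and verifies attestation at registration, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

const flagUP, flagUV byte = 0x01, 0x04 // user present, user verified (PIN or biometric)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Authenticator stands in for the phone, laptop or security key; the private
// key never leaves it, only signatures do.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256 credential
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv}
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the page.
type Assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

// GetAssertion models browser plus authenticator. The browser, not the page,
// writes origin into clientData, which is why a phishing site cannot lie about it.
func (a *Authenticator) GetAssertion(origin, rpID string, challenge []byte, flags byte) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37) // rpIdHash(32) || flags(1) || signCount(4)
	copy(authData, rpHash[:])
	authData[32] = flags
	binary.BigEndian.PutUint32(authData[33:], 1) // signature counter; real authenticators increment it
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return Assertion{cd, authData, sig}
}

// KeyStore is all the relying party keeps per user: a public key. A dump of it
// gives an attacker nothing to log in with.
type KeyStore map[string]*ecdsa.PublicKey

type RelyingParty struct {
	RPID, Origin string
	Keys         KeyStore
}

// Verify applies the relying-party checks of the WebAuthn assertion ceremony;
// challenge is the single-use value the server issued for this login attempt.
func (rp *RelyingParty) Verify(user string, challenge []byte, as Assertion) error {
	pub, ok := rp.Keys[user]
	if !ok {
		return fmt.Errorf("no credential registered for %q", user)
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || subtle.ConstantTimeCompare([]byte(cd.Challenge), []byte(b64(challenge))) != 1 {
		return fmt.Errorf("wrong ceremony type or challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: assertion was collected on another site", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthenticatorData) < 37 || subtle.ConstantTimeCompare(as.AuthenticatorData[:32], want[:]) != 1 {
		return fmt.Errorf("authenticator data malformed or rpIdHash is not for %q", rp.RPID)
	}
	if flags := as.AuthenticatorData[32]; flags&flagUP == 0 || flags&flagUV == 0 {
		return fmt.Errorf("user presence or user verification not asserted")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := &RelyingParty{RPID: "example.com", Origin: "https://example.com", Keys: KeyStore{"alice": auth.PublicKey()}}
	ch := []byte("constructed-challenge-0001") // a real server draws a fresh random challenge per attempt
	fmt.Println("genuine:", rp.Verify("alice", ch, auth.GetAssertion("https://example.com", "example.com", ch, flagUP|flagUV)))
	fmt.Println("phished:", rp.Verify("alice", ch, auth.GetAssertion("https://example-login.com", "example-login.com", ch, flagUP|flagUV)))
}
```

The phishing case fails at the origin check before the signature is ever examined, and it would fail again at the rpIdHash check: the authenticator signed over a hash of the domain the page claimed, and that is not the relying party's domain. Note what is absent from the server: no password hash, no OTP seed, nothing that a stolen database or an infostealer log lets an attacker replay at login. A production relying party should also persist the signature counter from bytes 33-36 of the authenticator data and reject values that do not increase, which flags a cloned authenticator.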

According to current deployment data, organizations that have fully transitioned to passkeys have seen a 99.9% reduction in account compromises. Furthermore, the login success rate for passkeys is 93%, compared to a dismal 63% for legacy 2FA methods, which are often plagued by user error, network latency, and “MFA fatigue” attacks.

Recommendations for CISOs and Security Leaders

The 2026 report serves as a definitive wake-up call. To mitigate the risks of the current credential crisis, organizations must move beyond reactive monitoring and adopt a “Strength by Default” posture. This includes:

  1. Mandating Phishing-Resistant MFA: Phase out SMS and Push-based notifications in favor of FIDO2-compliant passkeys for all internal and consumer-facing applications.
  2. Implementing Continuous Trust Authentication: Move away from “one-and-done” login sessions. Passkeys harden the login but do nothing for the cookie issued afterwards, so security systems must keep checking device telemetry and behaviour throughout a session, keep tokens short-lived, bind them to the device where the platform supports it, and revoke them the moment the client presenting them changes.
  3. Shadow AI Governance: Establish a centralized asset registry to monitor where employee credentials are being used in unauthorized AI tools, which accounted for a significant portion of “leakage” in the past year.
  4. Dark Web Monitoring: Integrate real-time “bot-net log” tracking to identify when employee credentials or session tokens appear on underground markets, allowing for immediate session revocation before an attack can begin.

Conclusion: The End of the Password Era

The 2.86 billion records documented in the Stolen Credentials Report are not just a warning; they are a monument to a failing system. As infostealers like Vidar 2.0 become more efficient and AI-driven attacks collapse the time available for defense, reliance on shared secrets (passwords) has become the single greatest risk to the global economy. The “Passkey Pivot” is no longer an optional upgrade for the tech-savvy; it is the essential bedrock of digital survival in 2026 and beyond. In an age where criminals are no longer breaking in but simply logging in, the only viable defense is to leave nothing reusable to steal: no shared secret at login, and no long-lived session to replay after it.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.