Report: Attackers Now Focus on Credential Theft to Access Systems

Hackers are shifting their focus from "breaking in" to "logging in," according to the 2026 Cloudflare Threat Report.

Sophisticated security tools are harder to penetrate and raise alarms when targeted, the report found. This has forced hackers to steal legitimate credentials to exploit system vulnerabilities, instead.

This method has proven to be quicker, stealthier, and harder to detect. The main identity systems that are vulnerable to theft include usernames, passwords, tokens, and access privileges.

Furthermore, it has become incredibly hard to identify attackers. Once they obtain the target's credentials, they can move around the internal system with ease.

Cloudflare also found that 4% of login attempts are bots automatically testing credentials. The report outlines that 54% of ransomware attacks originate from credential-stealing malware.

Close to 50% of human logins use credentials already exposed to breaches.

Fundamental changes in how organizations manage their IT environments have made this type of attack, which steals login details, more prevalent. These include:

  • Cloud and SaaS ecosystems: Corporate systems are increasingly connected through single sign-on (SSO) and federated identity platforms.
  • Remote and hybrid work: Employees log in from personal devices, home networks, and mobile endpoints.
  • Machine identities and automation: Bots, APIs and service accounts now outnumber human users in many systems.

All these changes have provided a breeding ground for a sophisticated web of targeted attacks on organizations, as attackers seek large troves of usernames and passwords.

These databases are then sold or traded online on the dark web. These attacks come full circle when hackers use stolen credentials to breach IT systems.

AI as a Tool for Hackers

The Cloudflare Threat Report also outlines how hackers are using generative AI to bolster their arsenal. They use it for automated reconnaissance, to create phishing messages or deepfake communications, and to map networks and identify high-value targets more quickly.

The concerning trend here is that it gives attackers access to the arena with sophisticated tools, causing breaches at scale.

In the past, the focus for IT was on keeping attackers out. Now, it is about identifying threats that appear as employees or contractors and who operate within trusted applications like Slack, Google Workspace, or GitHub.

Cloudflare recognizes that the cybersecurity response must utilize autonomous defense systems to use AI and automation to detect suspicious activity and respond instantly.

Cloudflare recommends these systems be used for continuous identity verification, as well as monitoring the behavior of users and devices and the automated containment of compromised accounts.

Attackers are always on the lookout for new and innovative ways to compromise IT systems. This wave of stealing credentials and entering systems under the auspices of legitimate users results in a need for real-time automation rather than manual response.

"Organizations must shift to automated, edge-based mitigation that can respond in seconds," the report's authors wrote. "Legacy scrubbing center models are no longer sufficient for attacks that peak and conclude within 10 minutes."

For the full report, visit the Cloudflare blog.

Featured

  • Digital Network of User Profiles and Data Connections

    Microsoft, RSA Make Identity Security Push in the Age of AI

    Two of the bigger authentication announcements to come out of the recent RSA Conference both point in the same direction: Organizations need a more flexible, unified approach to identity security, especially as AI agents start acting alongside human workers.

  • AI logo near computer equipment

    White House Releases National Policy Framework for AI

    The White House has released a four-page AI policy framework aimed at setting a national approach to AI, with priorities including child safety, intellectual property protections, truth and accuracy guardrails, and worker training for an AI-driven economy.

  • Profile silhouette of a person thoughtfully touching their chin, overlaid with transparent data visualizations and digital interface elements suggesting artificial intelligence and analytics.

    The Institutional Knowledge Shift Is Reshaping Higher Ed IT

    Higher education IT leaders are navigating a quiet but consequential transition: Experienced team members are retiring or leaving for private-sector roles, and the teams replacing them are smaller, newer, and often stretched thin. The result is a structural shift in how technology decisions are made, executed, and sustained.

  • Abstract digital data stream with binary code and colorful light trails

    Microsoft Releases Open Source AI Safety Tools for Agent Development

    Microsoft released RAMPART and Clarity as open-source projects intended to help developers test AI agents earlier in the software lifecycle and turn red-team findings into repeatable engineering checks.