Report Finds Attackers Now Focus on Credential Theft to Access Systems

Hackers are now shifting their focus from "breaking in" to "logging in," according to the 2026 Cloudflare Threat Report.

Sophisticated security tools are harder to penetrate and raise alarms when targeted, the report found. This has forced hackers to instead steal legitimate credentials to exploit system vulnerabilities.

This method has proven to be quicker, stealthier, and harder to detect. The main identity elements vulnerable to theft include usernames, passwords, tokens, and access privileges.

Furthermore, it has become incredibly hard to identify attackers. Once they obtain the target's credentials, they can move around the internal system with ease.

Cloudflare also found that 4% of login attempts are bots automatically testing credentials. The report outlines that 54% of ransomware attacks originate from credential-stealing malware.

Close to 50% of human logins use credentials already exposed in breaches.

Fundamental changes in how organizations manage their IT environments have made this type of attack, which steals login details, more prevalent. These include:

  • Cloud and SaaS ecosystems: Corporate systems are increasingly connected through single sign-on (SSO) and federated identity platforms.
  • Remote and hybrid work: Employees log in from personal devices, home networks, and mobile endpoints.
  • Machine identities and automation: Bots, APIs and service accounts now outnumber human users in many systems.

All these changes have provided a breeding ground for a sophisticated web of targeted attacks on organizations, as attackers seek large troves of usernames and passwords.

These databases are then sold or traded online on the dark web. These attacks come full circle when hackers use stolen credentials to breach IT systems.

AI as a Tool for Hackers

The Cloudflare Threat Report also outlines how hackers are using generative AI to bolster their arsenal. They use it for automated reconnaissance, to create phishing messages or deepfake communications, and to map networks and identify high-value targets more quickly.

The concerning trend here is that generative AI gives attackers sophisticated tools, leading to breaches at scale.

In the past, the focus for IT was on keeping attackers out. Now, it is about identifying threats that appear as employees or contractors and that operate within trusted applications like Slack, Google Workspace, or GitHub.

Cloudflare recognizes that the cybersecurity response must utilize autonomous defense systems that use AI and automation to detect suspicious activity and respond instantly.

Cloudflare recommends these systems be used for continuous identity verification, as well as monitoring the behavior of users and devices and the automated containment of compromised accounts.

Attackers are always on the lookout for new and innovative ways to compromise IT systems. This wave of stealing credentials and entering systems under the auspices of legitimate users results in a need for real-time automation rather than manual response.

"Organizations must shift to automated, edge-based mitigation that can respond in seconds," the report's authors wrote. "Legacy scrubbing center models are no longer sufficient for attacks that peak and conclude within 10 minutes."

For the full report, go to the Cloudflare blog.
