For most of the past decade, the industry talked about credential theft as a downstream problem — a thing that happened after a breach, not the breach itself. Recorded Future’s 2025 Identity Threat Landscape data, surfaced this week in a Dark Reading analysis, makes the inversion explicit. Identity is now the primary attack surface, and the volumes involved no longer fit any prior framing.
The numbers
Recorded Future indexed 1.95 billion malware-sourced credentials across 2025, plus another 36 million pulled from breached database dumps. The headline figure for security teams is narrower and more dangerous: of those 1.95 billion, roughly 276 million — about 31% — included active session cookies. Those cookies represent already-authenticated sessions, which means an attacker holding them can re-establish a logged-in state without ever touching the username, the password, or the multi-factor prompt. Per Recorded Future, “MFA bypass via stolen cookies is not a theoretical threat — it is an observed, frequent attack pattern.”
The acceleration is steeper than the absolute numbers suggest. The firm detected 50% more credentials in the second half of 2025 than in the first, and Q4 volume was roughly 90% above Q1. Each compromised device yielded an average of 87 stolen credentials, and 53% of credentials were indexed within one week of exfiltration — 36.4% within twenty-four hours. The infostealer ecosystem is now a throughput engine, not a smash-and-grab.
Why MFA is no longer the answer alone
Of the seven million credentials with identifiable authentication URLs, 63.2% were tied to authentication systems themselves, with VPNs, RMM tools, cloud platforms, and security software prominent in the long tail. LummaStealer led the field of infostealer families across 2025, harvesting browser credentials, session cookies, cryptocurrency wallets, and 2FA tokens from infected Windows endpoints.
The implication for defenders is uncomfortable. MFA mitigates password reuse and phishing — but a stolen authenticated session cookie is, by design, indistinguishable from the legitimate user’s session. As Dark Reading’s reporting emphasizes, “identity has become the primary attack surface, and attackers are no longer breaking in but systematically logging in using stolen credentials at scale.” Conditional-access policies that key on device posture, IP, and behavioral signals are the gap-closers; the MFA prompt itself is the easy-to-bypass first gate it always was.
What this means
For practitioners, three controls move up the priority list.
First, session lifetimes need to shrink. Cookies and refresh tokens that expire in hours rather than days turn captured sessions into rapidly decaying assets and compress the attacker’s usable window before the stealer log even reaches a marketplace.
Second, continuous authentication signals — device binding, token rotation, anomaly-based session re-prompts — become the actual MFA. The login-time challenge moves to a coarse first filter; the real verification happens silently and continuously inside the session.
Third, infostealer telemetry belongs in the SOC’s primary detection backlog. Browser session-cookie exfiltration, suspicious reads of the Windows credential store, anomalous DPAPI access, and outbound connections to known stealer C2 should be alert classes the SOC owns end-to-end — not events that live in a vendor-specific endpoint queue and never reach an analyst.
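The first two controls, as an added illustration that is not from the Recorded Future report or the Dark Reading article: a minimal server-side session store in which the cookie is a short-lived, device-bound, rotating credential rather than a long-lived bearer token, so a copied cookie dies on the next legitimate request and fails outright when presented from another device. The lifetime values and the client attributes used for binding (`device_id`, `user_agent`, `ja3`) are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 4 * 3600   # hours, not days (assumed policy value)
IDLE_LIFETIME = 15 * 60        # silent re-prompt after 15 min idle (assumed)


def device_fingerprint(client: dict) -> str:
    """Hash of client signals the server observes on every request (assumed names)."""
    material = "|".join(client.get(k, "") for k in ("device_id", "user_agent", "ja3"))
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class Session:
    user: str
    created: float      # drives the absolute lifetime
    last_seen: float    # drives the idle lifetime
    fingerprint: str    # device the session was issued to


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, client: dict) -> str:
        token = secrets.token_urlsafe(32)
        t = self.now()
        self._sessions[token] = Session(user, t, t, device_fingerprint(client))
        return token

    def validate(self, token: str, client: dict):
        """Return (new_token, user) on success, (None, reason) on failure.

        The presented token is consumed either way: a valid request rotates it,
        so a stolen copy of the old cookie is dead; any failure tears the session
        down, so a replay from another device also logs out the real user.
        """
        s = self._sessions.pop(token, None)
        if s is None:
            return None, "unknown_or_replayed"
        t = self.now()
        if t - s.created > ABSOLUTE_LIFETIME or t - s.last_seen > IDLE_LIFETIME:
            return None, "expired"
        if not hmac.compare_digest(s.fingerprint, device_fingerprint(client)):
            return None, "device_mismatch"   # cookie presented from a different device
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = Session(s.user, s.created, t, s.fingerprint)
        return new_token, s.user
```

Binding to signals a stealer log also carries (user agent, approximate IP) adds little on its own; the value comes from signals tied to the device itself, such as a client-held key that never leaves the machine.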
The slogan is starting to age into truth: attackers are not breaking in. They are logging in, with session cookies an MFA stack already approved.