Delinea Labs January 2026 Threat Outlook
In this monthly series, Delinea Labs reviews the identity-related activity that had the greatest operational impact over the previous month. We focus on how attacks actually unfolded, what failed in real environments, and what those failures mean for the month ahead.
December 2025 closed out the year with a familiar pattern: large breaches driven by valid credentials rather than new exploits.
Identity remains the central battleground of modern cybersecurity
Credentials, tokens, and service accounts now function as durable attack infrastructure, allowing threat actors to bypass perimeter controls and operate quietly inside trusted systems.
From delayed token abuse in a cryptocurrency supply-chain breach, to insider credential misuse at scale, and identity-first ransomware campaigns across regulated industries, last month’s incidents shared a common thread: valid identities were used maliciously and often went unnoticed for weeks or months.
Here’s Delinea’s outlook for January.
December closed the year by reinforcing a lesson defenders learned repeatedly in 2025: adversaries no longer need zero-days when they already possess trusted credentials. Tokens, service accounts, and orphaned employee access provided frictionless entry into production systems, often without triggering alarms.
The Trust Wallet browser-extension breach illustrated the delayed blast radius of developer token theft. Credentials stolen months earlier during the Shai-Hulud supply-chain campaign were repurposed to publish malicious updates through legitimate distribution channels, ultimately draining over $8.5 million from user wallets.
At Aflac, the Scattered Spider group used social engineering and stolen credentials to access internal systems and exfiltrate data tied to 22.7 million customers before any ransomware activity appeared. The intrusion occurred in June 2025; Aflac made its public disclosure in December 2025.
And in South Korea, e-commerce giant Coupang disclosed a breach affecting 34 million users that stemmed not from malware or exploits but from a former employee whose access was never revoked. The breach went undetected for months, from June until its public disclosure in December 2025.
These examples have one thing in common: compromise began with authentication.
Across these incidents and others investigated in December, several trends were consistent:
- Developer credentials as supply-chain weapons: Token theft during earlier npm campaigns re-emerged months later as trusted Chrome Web Store publisher access, enabling attackers to distribute malware through legitimate update mechanisms.
- Service accounts as low-visibility entry points: Multiple investigations revealed attackers authenticating via CI/CD and automation credentials tied to internal tooling—identities that bypass MFA and rarely trigger user-centric alerts.
- Insider access turned external threat: Coupang’s breach underscored how failed offboarding converts trusted employee identities into long-lived backdoors.
- Ransomware remains identity-first: Scattered Spider, Qilin, LockBit, and Akira continued to rely on stolen credentials for persistence, lateral movement, and staging long before encryption.
The pattern is consistent: attackers authenticate early, remain invisible, and monetize later.
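The three trends above (orphaned employee access, service accounts authenticating from unexpected places without MFA, and a long gap between first misuse and discovery) are all detectable by joining authentication logs with identity-lifecycle data. The script below is an added example written for this outlook, not Delinea code or tooling; the HR offboarding feed, the service-account inventory, the log format and every user, date and IP in it are constructed for illustration.

```python
"""Correlate authentication events with identity-lifecycle data to surface
the patterns listed above: offboarded accounts that keep authenticating,
machine identities logging in from unexpected networks without MFA, and the
gap between first misuse and discovery. Every record below is constructed."""
from datetime import date, datetime
from ipaddress import ip_address, ip_network
import json

# Constructed HR offboarding feed: identity -> last day of employment.
TERMINATED = {"j.park": date(2025, 6, 15)}

# Constructed machine-identity inventory: where each service account is
# expected to authenticate from (e.g. the CI runner subnet).
SERVICE_ACCOUNTS = {"svc-ci-deploy": [ip_network("10.20.0.0/16")]}

# Constructed auth log, one JSON object per line (field names are hypothetical).
AUTH_LOG = """
{"ts":"2025-06-14T09:02:11Z","user":"j.park","result":"success","src":"10.1.4.22","mfa":true}
{"ts":"2025-07-03T01:17:45Z","user":"j.park","result":"success","src":"203.0.113.7","mfa":true}
{"ts":"2025-11-20T23:41:09Z","user":"j.park","result":"success","src":"203.0.113.7","mfa":true}
{"ts":"2025-07-10T12:00:00Z","user":"svc-ci-deploy","result":"success","src":"10.20.3.9","mfa":false}
{"ts":"2025-07-11T03:12:30Z","user":"svc-ci-deploy","result":"success","src":"198.51.100.4","mfa":false}
{"ts":"2025-07-12T08:30:00Z","user":"a.lee","result":"success","src":"10.1.4.50","mfa":true}
"""


def parse_log(text):
    """Parse JSON-lines auth events; timestamps become naive UTC datetimes."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_orphaned_access(events, terminated):
    """Successful logins by an identity after its HR termination date.
    A login on the termination day itself is still legitimate."""
    findings = []
    for e in events:
        end = terminated.get(e["user"])
        if end is not None and e["result"] == "success" and e["ts"].date() > end:
            findings.append({
                "type": "orphaned_access",
                "user": e["user"],
                "ts": e["ts"].isoformat(),
                "days_after_offboarding": (e["ts"].date() - end).days,
            })
    return findings


def find_service_account_anomalies(events, inventory):
    """Machine identities authenticating outside their expected networks.
    These logins carry no MFA, so source network is the control that remains."""
    findings = []
    for e in events:
        expected = inventory.get(e["user"])
        if expected is None or e["result"] != "success":
            continue
        src = ip_address(e["src"])
        if not any(src in net for net in expected):
            findings.append({
                "type": "service_account_offnet",
                "user": e["user"],
                "ts": e["ts"].isoformat(),
                "src": e["src"],
            })
    return findings


def dwell_time_days(findings, detected_on):
    """Days between the earliest flagged login and the date an investigation
    began: the window the incidents above describe."""
    first = min(datetime.fromisoformat(f["ts"]).date() for f in findings)
    return (detected_on - first).days


def analyze(log_text=AUTH_LOG, detected_on=date(2025, 12, 1)):
    """Run both detections over the log and measure how long they went unnoticed."""
    events = parse_log(log_text)
    findings = find_orphaned_access(events, TERMINATED)
    findings += find_service_account_anomalies(events, SERVICE_ACCOUNTS)
    return {"findings": findings, "dwell_time_days": dwell_time_days(findings, detected_on)}


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

On the constructed data this flags two logins by the offboarded account (18 and 158 days after termination) and one service-account login from outside its subnet, and reports a 151-day gap between the first flagged login and the constructed investigation date. The point of running it continuously rather than at incident time is that each of those logins was a successful, fully logged authentication that looked legitimate on its own.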
December produced a large volume of identity-related vulnerability disclosures. Of the 4,481 CVEs disclosed globally last month, 609 were identity-related, and 19 directly impacted identity products themselves. Notable examples include:
- A logic flaw in PingFederate’s OTP integration kit that allowed MFA checks to be bypassed during certain federation flows (CVE-2025-27935)
- A JWT verification weakness in auth0/node-jws that could allow forged tokens to be accepted under specific configurations (CVE-2025-65945)
- A Kubernetes authentication flaw involving KEDA and HashiCorp Vault that exposed service-account tokens and secrets to arbitrary file reads (CVE-2025-68476)
These issues matter because credential theft rarely happens in isolation. Once an attacker holds valid tokens or passwords, weaknesses in validation logic and authorization boundaries determine how far that access can spread.
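Token validation logic is where a stolen or forged credential either stops or spreads. The verifier below is an added example for this outlook, not Delinea code and not a reconstruction of any of the CVEs listed above; it shows the validation discipline those disclosures argue for: pin the algorithm before trusting the header, verify the signature before reading any claim, and enforce expiry. The shared key, the fixed clock value and all tokens are constructed.

```python
"""Strict HS256 JWT verification: pin the algorithm, verify the signature
before reading any claim, and enforce expiry. The key and tokens are
constructed; this illustrates the validation discipline the text calls for,
not the internals of any specific disclosed vulnerability."""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key-do-not-reuse"  # constructed shared secret
NOW = 1767225600                            # constructed clock: 2026-01-01T00:00:00Z


class TokenRejected(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side; used here only to build inputs for the verifier."""
    header = _compact_json({"alg": "HS256", "typ": "JWT"})
    payload = _compact_json(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if alg is exactly HS256, the signature is valid
    for this header and payload, and exp is present and in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenRejected("unparseable header")
    # The header is under the sender's control until the signature is checked,
    # so it must never be allowed to choose the algorithm ('none', a different family, ...).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    try:
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("unparseable signature")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= current:
        raise TokenRejected("missing or expired exp")
    return claims


def is_accepted(token: str, key: bytes = KEY, now: int = NOW) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except TokenRejected:
        return False


def demo() -> dict:
    """Build one valid token and several invalid ones; only the first passes."""
    valid = sign_hs256({"sub": "svc-ci-deploy", "exp": NOW + 300}, KEY)
    header_b64, _, sig_b64 = valid.split(".")
    admin_payload = _compact_json({"sub": "admin", "exp": NOW + 300})
    tampered = f"{header_b64}.{admin_payload}.{sig_b64}"   # payload swapped, old signature kept
    none_header = _compact_json({"alg": "none"})
    unsigned = f"{none_header}.{admin_payload}."            # header disclaims any signature
    expired = sign_hs256({"sub": "svc-ci-deploy", "exp": NOW - 1}, KEY)
    wrong_key = sign_hs256({"sub": "svc-ci-deploy", "exp": NOW + 300}, b"other-key")
    return {
        "valid": is_accepted(valid),
        "tampered_payload": is_accepted(tampered),
        "alg_none": is_accepted(unsigned),
        "expired": is_accepted(expired),
        "wrong_key": is_accepted(wrong_key),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering inside `verify_hs256` is the point: the algorithm check happens before any cryptographic work, the signature check happens before the payload is even decoded, and the claims are returned only after expiry is confirmed. A library that lets the token's own header select the algorithm, or that reads claims before verifying, is the kind of "specific configuration" under which forged tokens get accepted.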
At the same time, ransomware reporting continued to concentrate around a small number of mature operators:
- Qilin (21%) – prolonged dwell time and heavy use of privileged credentials
- LockBit (11%) – affiliate-driven credential abuse across VPN and directory services
- Akira (9%) – credential dumping, lateral movement, and double extortion
What stands out is not their malware tooling, but their operational model. Compromise rarely coincided with detection. Attackers authenticated successfully days or months before discovery. Activity was logged, access looked legitimate, and no alarms were raised. Detection came only after data theft or encryption forced an investigation. Visibility into identity behavior is lagging behind.
The identity economy will remain under sustained assault. In the months ahead, Delinea Labs expects increased targeting of non-human identities, continued abuse of third-party SaaS integrations and OAuth grants, delayed monetization of stolen credentials, and growing exploitation of authentication logic flaws in federation and token validation systems.
What organizations should prioritize:
- Continuous identity threat detection that correlates behavior across users, tokens, and service accounts
- Lifecycle governance for human and machine identities to eliminate orphaned access and long-lived secrets
- Real-time monitoring of privileged and automated activity
- Aggressive credential rotation and scope reduction
- Policy-driven authorization and session validation
Identity controls have shifted from one-time authentication to ongoing access and privilege controls.
Check out the Delinea Platform powered by Iris AI to learn more about how you can strengthen identity security without sacrificing control.