The Growing Problem of Stolen Access: Understanding the Digital Black Market for Identity Credentials


Arun Shrestha

May 6, 2025

Key Takeaways

  • With employees always just one click away from becoming victims, identity credential theft is a growing, increasingly expensive problem impacting more than nine out of 10 companies.
  • Bad actors continue to aggressively target identity credentials—especially those of system administrators and c-suite executives as well as SSO configurations—because they open the door to valuable data and systems while eliminating the need to deal with firewalls and VPNs.
  • AI exponentially amplifies the threat, empowering fraudsters to craft more sophisticated scams and automate credential harvesting and testing while simultaneously introducing new types of lucrative identities to steal; Agentic AI in particular carries an identity that companies must protect.
  • Defending against the threat demands a robust business identity theft protection strategy tailored from multiple solutions—including proactive and reactive tools—to deliver end-to-end identity protection and promote real-time regulatory compliance.

How the black market for identity credentials works:

It’s like a regular marketplace, only illegal.

In many ways, the digital black market operates very much like a thriving legitimate online marketplace (think Amazon or eBay), complete with product listings, buyer reviews, and even customer support and the ability to get a refund if the data doesn't work as promised. The differences are that the goods for trade are stolen, and that the buying and selling happen on the dark web, where access is limited to cybercriminals. Transactions take place in cryptocurrency, and anonymity is the name of the game for both buyers and sellers, keeping the dirty work in the shadows and law enforcement at bay.

The bad actors conducting business within this hidden environment range from small-time fraudsters looking for financial gain to organized crime groups and even state-level actors engaged in corporate espionage, and they are all looking for the same thing: identity credentials. Examples include passwords, session cookies, OAuth and API tokens, SSH and cloud keys, and other identity assets that form the cornerstone of modern cyberattacks.

The value of identity credentials:

Their worth just keeps growing.

Effective business identity theft protection has never been more critical, because a valid credential lets a criminal walk past firewalls and VPNs rather than fight through them. Credentials belonging to a system administrator or CEO, or those of a single sign-on (SSO) configuration, are especially valuable: an SSO credential is one key to every federated application. They literally open the door and offer instantaneous access to the real prizes, i.e. the devices, operating systems, workloads, apps, and all manner of sensitive corporate information that many organizations would do or pay just about anything to protect.

With practical quantum computing hovering on the potentially not-too-distant horizon, identity credentials and the data they protect will only become more valuable. A sufficiently large quantum computer running Shor's algorithm would break today's public-key cryptography (RSA, Diffie-Hellman, and elliptic curves), which underpins TLS, SSO assertions, and signed tokens; symmetric ciphers such as AES are weakened far less and survive with longer keys. Bad actors are already stealing encrypted traffic and data now ("harvest now, decrypt later"), betting that it is only a matter of time before they can decrypt it, at which point any credentials or keys captured that way, unless long since rotated, would unlock unprecedented volumes of priceless data.

The size and scope of the identity credential theft problem:

No organization is immune to attack, especially those operating in sensitive environments.

As highly regulated industries with direct access to funds and a plethora of sensitive information to exploit, financial institutions and healthcare/life sciences organizations are obvious targets for cyberattacks. These industries are also notorious for possessing more than their fair share of technical debt; most have an abundance of on-prem data, and many continue to rely on legacy infrastructure. These factors make them particularly vulnerable to attack, especially on legacy systems that cannot support multifactor authentication (MFA) at all.

Indeed, according to the Identity Theft Resource Center's 2024 Annual Data Breach Report, financial services came in first place as the most breached industry. Healthcare took second. To put the prevalence in perspective, U.S. Department of Health and Human Services Office for Civil Rights data shows that the healthcare industry reports a breach of unsecured protected health information affecting 500 or more individuals nearly every business day. Clearly, successful attacks are not isolated events in high-profile industries.

While financial services and healthcare organizations bear the brunt of attacks, companies operating in other industries are in no way safe, either. A 2023 study of identity fraud by the fraud prevention company Regula suggests that as many as 95% of enterprises and 90% of small businesses across industry sectors dealt with identity fraud the previous year. The study confirms that banks are the hardest hit, with an average loss of $310,000 per incident. Losses can, of course, be even more extreme depending on the circumstances. For example, a February 2025 public service announcement from the FBI states that, "The Democratic People's Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from cryptocurrency exchange, Bybit. . ." Clearly, identity credential thieves are looking to score major gains, and they are achieving their objectives with alarming success.


Cyberattack methods and trends:

Both old and new schemes are getting the deed done.

The prevalence of cyberattacks raises the question: how is identity credential theft occurring in the first place? Cybercriminals have a number of attack vectors at their disposal, some tried and true and others just beginning to become more popular in today's identity economy.

Some of the most common attack methods and trends we’re seeing include:

  • Phishing. Phishing has been around for as long as cybercrime has existed, and it remains a popular attack vector, especially against banks and credit unions. Thanks in part to AI, this means of tricking employees or customers into handing over identity credentials is becoming increasingly convincing and sophisticated, making the scams that much more effective.
  • Man-in-the-middle attacks. In this type of attack, hackers secretly intercept, and sometimes alter, the traffic between customers or employees and the service they are logging into, capturing credentials or session cookies in transit. Bad actors can do this by setting up a rogue Wi-Fi hotspot, spoofing ARP or DNS responses, redirecting users to look-alike sites, or downgrading a secured connection to an unencrypted one. Adversary-in-the-middle phishing kits that proxy the real login page go a step further and capture both the password and the resulting session cookie, which defeats any MFA factor that is not phishing-resistant. Anyone using a public network without a VPN puts themselves at risk; on the server side, enforcing TLS everywhere with HSTS removes the downgrade option.
  • MFA prompt bombing. Hackers who have already stolen a password may still have to get around multifactor authentication. To do so, they log in with the stolen password over and over, generating push notification after push notification, often late at night or at other times when users are likely to be tired, distracted, or stressed. The goal is MFA fatigue: getting the user to approve a prompt either by mistake or out of sheer frustration with the seemingly endless barrage of requests. Number matching, or a phishing-resistant factor such as FIDO2/passkeys, removes the one-tap approval that this attack depends on.
  • Session hijacking. When bad actors steal session IDs or tokens, which are issued whenever a user logs into a system, they gain the same access as the logged-in user and can view sensitive data or change account settings without ever needing the password, and without triggering MFA again. Session hijacking is becoming more prevalent and can be accomplished through man-in-the-middle attacks or through infostealer malware that lifts session cookies from an infected device. Cloudflare's Thanksgiving 2023 intrusion is an example. The attackers used an access token and service account credentials that had been stolen in the earlier compromise of Okta's customer support system (Cloudflare is an Okta customer) and that Cloudflare had not rotated afterward. The intruders, assessed to be a nation-state actor aiming to obtain persistent and widespread access to Cloudflare systems, used those credentials to reach Cloudflare's self-hosted Atlassian server, gaining access to Confluence, Jira, and Bitbucket.
  • Social engineering and impersonation. Often by leveraging data that people willingly publish about themselves on social media, bad actors can convincingly pose as the CEO, IT director, or some other corporate authority and ask employees for their login credentials. This can be done via email, text, or phone, or even through fake social media accounts. The scams usually involve a sense of urgency: the information must be handed over immediately to avoid an unwanted consequence, such as being locked out of the account.
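As an added example (not part of the original post and not taken from any identity provider's tooling), the following Python script implements the two detections a security operations team would write for the MFA prompt bombing and session hijacking patterns described above: a burst of push prompts to one user that ends in an approval, and a session identifier presented from a source other than the one it was issued to. The log format, field names, event names, thresholds, and the sample events themselves are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real identity provider).
# One event per line: timestamp|user|event|source_ip|user_agent|session_id ('-' = none)
SAMPLE_LOG = """\
2025-05-06T01:58:00|alice|login_password_ok|198.51.100.7|Mozilla/5.0 (Windows)|-
2025-05-06T01:58:05|alice|mfa_push_sent|198.51.100.7|Mozilla/5.0 (Windows)|-
2025-05-06T01:58:20|alice|mfa_approved|198.51.100.7|Mozilla/5.0 (Windows)|-
2025-05-06T01:58:21|alice|session_issued|198.51.100.7|Mozilla/5.0 (Windows)|sess-a1
2025-05-06T02:10:00|alice|session_used|198.51.100.7|Mozilla/5.0 (Windows)|sess-a1
2025-05-06T02:41:00|bob|login_password_ok|203.0.113.9|python-requests/2.31|-
2025-05-06T02:41:05|bob|mfa_push_sent|203.0.113.9|python-requests/2.31|-
2025-05-06T02:41:35|bob|mfa_denied|203.0.113.9|python-requests/2.31|-
2025-05-06T02:42:00|bob|mfa_push_sent|203.0.113.9|python-requests/2.31|-
2025-05-06T02:42:40|bob|mfa_timeout|203.0.113.9|python-requests/2.31|-
2025-05-06T02:43:00|bob|mfa_push_sent|203.0.113.9|python-requests/2.31|-
2025-05-06T02:43:30|bob|mfa_denied|203.0.113.9|python-requests/2.31|-
2025-05-06T02:44:00|bob|mfa_push_sent|203.0.113.9|python-requests/2.31|-
2025-05-06T02:44:30|bob|mfa_timeout|203.0.113.9|python-requests/2.31|-
2025-05-06T02:45:00|bob|mfa_push_sent|203.0.113.9|python-requests/2.31|-
2025-05-06T02:45:12|bob|mfa_approved|203.0.113.9|python-requests/2.31|-
2025-05-06T02:45:13|bob|session_issued|203.0.113.9|python-requests/2.31|sess-b7
2025-05-06T03:05:00|alice|session_used|192.0.2.44|curl/8.4.0|sess-a1
"""


def parse_log(text):
    """Parse the pipe-separated log into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, ip, ua, session = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                       "ip": ip, "ua": ua, "session": None if session == "-" else session})
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=4):
    """Alert when a user receives at least `min_pushes` push prompts inside `window`
    and then approves one: the signature of a prompt-bombing attack that worked."""
    alerts = []
    history = defaultdict(list)  # user -> [(ts, event)] for push-related events
    for e in events:
        if e["event"] in ("mfa_push_sent", "mfa_denied", "mfa_timeout"):
            history[e["user"]].append((e["ts"], e["event"]))
        elif e["event"] == "mfa_approved":
            recent = [ev for ts, ev in history[e["user"]] if e["ts"] - ts <= window]
            pushes = recent.count("mfa_push_sent")
            if pushes >= min_pushes:
                alerts.append({"user": e["user"], "pushes": pushes,
                               "rejections": len(recent) - pushes,
                               "approved_from": e["ip"], "at": e["ts"].isoformat()})
            history[e["user"]].clear()  # an approval closes this burst
    return alerts


def detect_session_reuse(events):
    """Alert when a session id is presented from a (source_ip, user_agent) pair other
    than the one it was issued to: a stolen cookie or token replayed by the attacker."""
    alerts = []
    issued_to = {}  # session id -> (ip, user_agent) recorded at issuance
    for e in events:
        if e["session"] is None:
            continue
        if e["event"] == "session_issued":
            issued_to[e["session"]] = (e["ip"], e["ua"])
        elif e["event"] == "session_used":
            origin = issued_to.get(e["session"])
            if origin and origin != (e["ip"], e["ua"]):
                alerts.append({"user": e["user"], "session": e["session"],
                               "issued_to": origin, "used_from": (e["ip"], e["ua"])})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_mfa_fatigue(evs):
        print("MFA fatigue:", alert)
    for alert in detect_session_reuse(evs):
        print("Session reuse:", alert)
```

Tune `min_pushes` and `window` against your IdP's real push volume before deploying, and note that binding a session to its source IP alone is noisy for mobile users whose carrier address changes; production rules usually combine IP with device or TLS client signals, and the alert should trigger revocation of the session, not just a ticket.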

Common security gaps:

Employees often inadvertently help bad actors, whatever the attack method.

Whatever attack method a fraudster chooses to deploy, companies and their employees are very often lending a hand, usually without realizing it. Indeed, by some estimates as many as 60% of stolen identity credentials can be traced to internal actors. In some cases, a disgruntled employee will willingly hand over a username and password for personal gain or simply as revenge against a corporation that has presumably wronged them in some way. In the great majority of cases, however, the theft stems from inadvertent mistakes: employees fall victim to phishing, social engineering, or other scams, they don't properly use MFA, or they suffer from MFA fatigue.

Other times, companies don’t enforce the security rules, or they accidentally expose information while trying to keep up with emerging technologies (uploading proprietary information to a chatbot, for example). Employees and leaders often don’t fully realize the inherent security risks involved with these actions. Third-party partners and affiliates can also unintentionally expose a company’s credentials if they do not follow the same security protocols or standards as the organizations with which they do business.  

Organizations often overlook these critical vulnerabilities in their business identity theft protection approaches:

  • Poor security posture on mobile devices. Employees increasingly use personal smartphones and tablets for work purposes. These devices are constantly connected via (often unsecured) Wi-Fi, Bluetooth, and cellular networks, and they are typically less protected than laptops and desktops, creating hotspots for cybercrime and identity credential theft.
  • Skipped or delayed security updates. Especially with personal mobile devices, employees might not keep up with security and operating system updates as well as they should, leaving vulnerabilities that hackers can easily exploit. Mobile or otherwise, older devices and operating systems may not even receive or be able to accommodate the latest security updates.
  • Weak dynamic access controls and privileged access management. Identity authentication controls are often not as robust as they could or should be when it comes to detecting anomalous behavior, such as login attempts from unexpected devices, locations, or time frames. Privileged accounts especially require an extra dose of security measures and safeguards that are not always applied or enforced.
  • Orphaned and shadow identities. Human and non-human identities often end up orphaned, meaning the identity credentials exist within an organization's ecosystem but are not tied to an actual employee who is responsible for monitoring or managing them. When bad actors get their hands on these credentials, they can often use them without raising any red flags. Shadow identities, those that exist outside the organization's visibility or control, pose the same problem. In the hands of the wrong person, they can provide undetected access to privileged systems and sensitive information for significant periods of time.
  • Over-permissioning and failure to follow the principle of least privilege. When establishing new identities, best practice calls for granting the minimum level of access or permissions that users need for a task. But companies often err on the side of giving more rather than less. Further, if permissions are granted for a specific project, companies can forget to remove them when the project is finished, leaving the door wide open in the event of an attack.
  • Federation misconfigurations. It's easy to make security and access control mistakes when setting up or managing identity federation systems that allow users to authenticate across multiple systems or domains using a single set of credentials, or that enable interactions between a company's systems and a third party. As the CISO of JPMorgan Chase points out in his open letter to third-party suppliers, "these integration models collapse authentication (verifying identity) and authorization (granting permissions) into overly simplified interactions," a practice that ultimately "undermines fundamental security principles. . . ."
  • DIY or whack-a-mole security approaches. Companies often fail to take security as seriously as they should. They may purchase a solution or (more likely) multiple solutions to address various issues. But those solutions are not always properly implemented, integrated, or maintained over time to provide a comprehensive and up-to-date approach that keeps pace with the evolving cybercrime landscape.
  • An either/or view of security and user experience. Companies that believe user experience trumps security, or that a choice must be made to prioritize one over the other, are missing out on best-in-class approaches that deliver experiences that are both smooth and secure. The goal should be to leverage technologies such as biometrics, contextual adaptive authentication, and AI to make it easier for legitimate users to do business while defending against bad actors at the same time.
  • Lack of continuous training. Cybercriminals do not sit still. They are always engineering new and improved scams and methods of attack. Companies must be just as vigilant about keeping their people up to date with the latest protocols for smart digital users. Making security training a continuous initiative and a part of the ongoing best practices conversation within the organization sends the message that people are expected to be informed and proactive when it comes to keeping corporate systems and data safe.
  • IT budget cuts. When IT budgets are slashed, security spend is very often on the chopping block. Unfortunately, cutting security initiatives to save a few dollars today carries a much higher cost down the road as vulnerabilities are inevitably created, identified, and exploited by bad actors.
  • A toxic or unhealthy culture. Identity credential security is just as much an HR issue as it is an IT issue. While unhappy employees are not necessarily going to turn to a life of cybercrime and sell the company down the river to the highest bidder, they are likely to be less vigilant or even nonchalant about security practices. Being aware of the vibe and monitoring the health of the company's culture is a good idea for many reasons, including ensuring employees are invested in their jobs and motivated to do their part to help the organization thrive on every level.
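The following Python audit is added here as an example; it is not from the original post or from any vendor tool. It checks an identity inventory for four of the gaps listed above: orphaned accounts whose owner is no longer an active employee, stale accounts (worse when they hold privileged roles), time-boxed privileges that were never revoked, and shadow identities that show up in authentication logs but not in the inventory. The inventory, employee list, role names, observed principals, and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date

# Constructed inventory and reference data (not from any real directory or HR system).
PRIVILEGED_ROLES = {"DBAdmin", "GlobalAdmin"}
ACTIVE_EMPLOYEES = {"alice", "carol"}  # HR source of truth; bob and dave have left
OBSERVED_PRINCIPALS = {                 # every principal seen in the auth logs
    "alice", "svc-etl-legacy", "svc-migration", "dave", "svc-unknown-backup",
}
ACCOUNTS = [
    {"id": "alice", "kind": "human", "owner": "alice",
     "last_login": "2025-05-01", "roles": ["Reader"], "role_expiry": {}},
    {"id": "dave", "kind": "human", "owner": "dave",  # departed, still logging in
     "last_login": "2025-05-05", "roles": ["Reader"], "role_expiry": {}},
    {"id": "svc-etl-legacy", "kind": "service", "owner": "bob",  # departed owner
     "last_login": "2024-10-03", "roles": ["DBAdmin"], "role_expiry": {}},
    {"id": "svc-migration", "kind": "service", "owner": "carol",
     "last_login": "2025-04-30", "roles": ["GlobalAdmin"],
     "role_expiry": {"GlobalAdmin": "2025-01-31"}},  # project grant, never removed
]
TODAY = date(2025, 5, 6)


def audit_identities(accounts, active_employees, observed_principals, today,
                     privileged_roles=PRIVILEGED_ROLES, stale_days=90):
    """Return {account_id: [finding, ...]} for every identity with at least one gap."""
    findings = {}
    known_ids = {a["id"] for a in accounts}
    for a in accounts:
        issues = []
        # Orphaned: nobody currently employed is accountable for this identity.
        if a["owner"] not in active_employees:
            issues.append("orphaned")
        # Stale: unused beyond the policy window; far worse if it holds privilege.
        idle_days = (today - date.fromisoformat(a["last_login"])).days
        if idle_days > stale_days:
            issues.append("stale")
            if privileged_roles.intersection(a["roles"]):
                issues.append("stale_privileged")
        # Over-permissioning: a time-boxed grant that outlived its expiry date.
        for role, expiry in a["role_expiry"].items():
            if role in a["roles"] and date.fromisoformat(expiry) < today:
                issues.append(f"expired_grant:{role}")
        if issues:
            findings[a["id"]] = issues
    # Shadow: principals that authenticate but the inventory knows nothing about.
    for principal in sorted(observed_principals - known_ids):
        findings[principal] = ["shadow"]
    return findings


def run_audit():
    """Run the audit over the constructed data set."""
    return audit_identities(ACCOUNTS, ACTIVE_EMPLOYEES, OBSERVED_PRINCIPALS, TODAY)


if __name__ == "__main__":
    for account_id, issues in run_audit().items():
        print(f"{account_id:20s} {', '.join(issues)}")
```

In practice the inventory comes from the directory or IdP, the employee set from HR, and the observed principals from sign-in logs; joining those three sources is the whole point, because each one alone misses a class of gap. An orphaned account that is still authenticating (dave in the sample) is the highest-priority finding, since nobody is left to say whether that activity is legitimate.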

How AI impacts identity security:

AI amplifies the threat—and the defense.

Like everything else in the digital world, identity credential theft is fundamentally evolving as AI reshapes how people work and make decisions. Bad actors are using the new technologies and capabilities in the same way as good actors, namely, to become more sophisticated, efficient, and effective at their crafts. This means fraudsters are getting better and faster at discovering and exploiting vulnerabilities and at harvesting and testing credentials. They are hitting on more winning combinations more often, and more and more companies are paying the price.

At the same time, AI is creating a new breed of identities that companies need to protect. In particular, agentic AI, meaning artificial intelligence systems that act as independent agents by making decisions and taking actions with little or no human intervention, has its own identities and, often, accompanying credentials that must be safeguarded with the same care as human credentials. That means issuing each agent its own scoped, short-lived credential rather than letting it borrow a human's shared secret, and logging its actions so they can be attributed to the agent and the person who deployed it.

All of this adds new layers of complexity to the identity landscape that companies need to carefully consider as they develop and evolve their cybersecurity strategies. The good news is that while AI poses additional threats, it can also be leveraged as a highly effective tool for improving a company’s security defenses.

Defensive strategies and emerging solutions for the current identity economy:

Robust identity strategies are a must for all companies.

As identity credentials become increasingly valuable and bad actors become increasingly capable, companies have no choice but to step up their business identity theft protection strategies. One-size-fits-all approaches will no longer suffice. Emerging defensive strategies will need to be tailored to each company’s unique security needs, and modern identity solutions will:

  • Encompass advisory, implementation, and operational phases to ensure companies remain vigilant about identifying and closing current and emerging security gaps.
  • Incorporate multiple identity solutions designed to work together to deliver end-to-end identity protection and management for the lifecycle of each identity (human or otherwise) from creation through deprovisioning.
  • Integrate proactive management to connect the dots between different tools and platforms and ensure maximum value, smooth operation, and ongoing reliable delivery of the intended protections.
  • Focus on real-time, continuous compliance with regulations and best practice recommendations to keep companies a step ahead of emerging threats through the strategic use of both proactive and reactive defenses.

Ready to Unlock the Full Promise of Identity?

Few cybersecurity firms are wholly focused on identity, providing strategic advisory, implementation, and 24x7 monitoring and support. Discover the difference with BeyondID — your success story starts here.
