Stolen credentials remain the single most common enabler of data breaches analysed in the Verizon 2026 DBIR, appearing in 44% of incidents, unchanged from the prior year. What has changed is the attacker toolkit for defeating the most common credential security control: multi-factor authentication.
The 2026 DBIR documents a marked increase in MFA bypass techniques: methods that defeat MFA as it is commonly deployed in enterprise environments without requiring the attacker to compromise the second factor directly.
Credential Theft: The Persistent Baseline
The credential theft figure (44% of breaches) reflects multiple distinct attack patterns that all produce the same outcome, an attacker authenticating with legitimate credentials:
- Phishing credential harvesting: Traditional phishing campaigns that direct users to fake login pages and capture the submitted credentials. This remains effective despite anti-phishing training, particularly for employee populations that interact with many different web portals.
- Infostealer malware: Malware that extracts saved credentials from browsers, credential managers, and application memory. The infostealer ecosystem has expanded significantly in 2024-2025, with credentials sold on criminal marketplaces within hours of theft.
- Password spray against exposed services: Automated password spraying and credential stuffing against internet-exposed services (VPN gateways, OWA, O365, RDP) using credential lists from prior breaches. Effective when password reuse is common and MFA is not enforced on external access.
- Dark web credential reuse: Credentials from prior data breaches used against enterprise services where the same password is reused. Password hygiene campaigns address this, but incompletely.
MFA Bypass: The Accelerating Threat
The headline finding in the DBIR's identity section is not the credential theft volume; that has been stable for years. It is the documented increase in MFA bypass techniques that defeat commonly deployed MFA configurations.
Adversary-in-the-middle (AiTM) phishing: Phishing toolkits such as Evilginx2, Modlishka, and Muraena proxy the victim's connection to the real authentication service. The victim enters real credentials and completes real MFA; the toolkit captures the resulting session token after MFA is completed. The attacker uses the captured session token directly, bypassing the need to interact with MFA at all.
AiTM attacks defeat:
- SMS OTP (one-time passcode)
- TOTP authenticator apps (Google Authenticator, Microsoft Authenticator)
- Push notification MFA (as commonly deployed)
AiTM attacks do NOT defeat:
- FIDO2/WebAuthn hardware security keys (the authenticator signs a challenge that includes the origin of the authentication request; a proxy on a look-alike domain cannot forge the origin)
- Passkeys (same origin binding as FIDO2)
- Certificate-based authentication with mutual TLS
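Why a proxy cannot forge the origin, shown as an added example that is not from the DBIR or from any of the toolkits named above: the relying-party side of a WebAuthn assertion check in Python. RP_ORIGIN, the function names and the look-alike domain are assumed for illustration; signature verification is left out to keep the origin check in focus.

```python
import base64
import hashlib
import json
import secrets

# Origin the relying party expects (assumed value). A proxy serving a look-alike
# domain can only obtain assertions whose clientDataJSON names that look-alike.
RP_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data_hash(client_data_b64url: str) -> bytes:
    """SHA-256 of clientDataJSON. The authenticator signs authenticatorData
    concatenated with this hash, so the origin is inside the signed data."""
    pad = "=" * (-len(client_data_b64url) % 4)
    return hashlib.sha256(base64.urlsafe_b64decode(client_data_b64url + pad)).digest()

def verify_client_data(client_data_b64url: str, expected_challenge: bytes) -> tuple[bool, str]:
    """Run the WebAuthn type, challenge and origin checks on a clientDataJSON
    blob. Returns (accepted, reason)."""
    pad = "=" * (-len(client_data_b64url) % 4)
    try:
        client_data = json.loads(base64.urlsafe_b64decode(client_data_b64url + pad))
    except (ValueError, TypeError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(str(client_data.get("challenge", "")), b64url(expected_challenge)):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    return True, "challenge and origin bound to this relying party"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Construct the clientDataJSON a browser would produce for `origin`
    (constructed test input, not captured from a real ceremony)."""
    doc = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(doc).encode())

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    genuine = make_client_data(RP_ORIGIN, challenge)
    proxied = make_client_data("https://login.example-com.net", challenge)  # constructed look-alike
    print(verify_client_data(genuine, challenge))
    print(verify_client_data(proxied, challenge))
```

Because the two blobs hash differently, a signature produced over the proxied one is also invalid for the genuine origin, so the proxy cannot simply rewrite the origin field after the fact.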
Push notification fatigue (MFA bombing): Attackers who have captured credentials send repeated MFA push notifications to the victim's registered device until the victim approves a request to stop the notifications. The 2026 DBIR documents a significant increase in this technique, particularly in after-hours attacks when users are more likely to approve a notification to stop the disruption.
SIM swapping: Social engineering of mobile carrier customer service representatives to redirect a victim's phone number to an attacker-controlled SIM. Defeats SMS OTP and call-based MFA. Remains effective despite carrier security improvements.
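Detection logic for the push fatigue pattern, added here as an example and not part of the DBIR: it runs over a constructed sample of MFA push events and flags a burst of unapproved prompts, noting whether an approval followed and whether it happened after hours. The event layout, user names and thresholds are assumptions, not a vendor log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events as (ISO 8601 timestamp, user, push result);
# not real tenant data.
SAMPLE_EVENTS = [
    ("2026-03-02T02:14:05", "alice", "denied"),
    ("2026-03-02T02:14:40", "alice", "timeout"),
    ("2026-03-02T02:15:12", "alice", "timeout"),
    ("2026-03-02T02:15:55", "alice", "denied"),
    ("2026-03-02T02:16:30", "alice", "approved"),   # approval after the burst
    ("2026-03-02T09:30:00", "bob", "approved"),
    ("2026-03-02T14:02:10", "carol", "denied"),
    ("2026-03-02T14:40:00", "carol", "approved"),
]

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3, after_hours=(20, 7)):
    """Flag users who received `threshold` or more push prompts that were not
    approved inside `window`. `after_hours` is (start_hour, end_hour) local time."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):          # ISO strings sort chronologically
        by_user[user].append((datetime.fromisoformat(ts), result))
    alerts = []
    for user, evs in by_user.items():
        for i, (t0, _) in enumerate(evs):
            burst = [(t, r) for t, r in evs[i:] if t - t0 <= window]
            unapproved = [t for t, r in burst if r != "approved"]
            if len(unapproved) >= threshold:
                # An approval that follows the burst is the success case to escalate first.
                approved_after = any(r == "approved" and t > unapproved[-1] for t, r in burst)
                off_hours = t0.hour >= after_hours[0] or t0.hour < after_hours[1]
                alerts.append({"user": user, "start": t0.isoformat(),
                               "prompts_not_approved": len(unapproved),
                               "approved_after_burst": approved_after,
                               "after_hours": off_hours})
                break  # one alert per user per burst
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```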
MFA Hierarchy: Not All Second Factors Are Equal
The DBIR data implies a risk hierarchy for MFA implementations:
| MFA Type | Defeats AiTM Phishing | Defeats Push Fatigue | Phishing-Resistant |
|---|---|---|---|
| SMS OTP | No | No | No |
| TOTP app | No | N/A | No |
| Push notification | No | No | No |
| Number matching push | No | Partial | No |
| FIDO2 hardware key | Yes | Yes | Yes |
| Passkey (platform authenticator) | Yes | Yes | Yes |
| Certificate-based auth | Yes | Yes | Yes |
The MFA types that defeat AiTM phishing (the most rapidly growing bypass technique in the DBIR data) are FIDO2-based or certificate-based. SMS OTP, TOTP app, and push notification MFA, the most commonly deployed enterprise MFA configurations, do not defeat AiTM.
Recommended Actions from DBIR Identity Findings
Migrate high-risk accounts to phishing-resistant MFA: Admin accounts, privileged service accounts, and executives should be migrated to FIDO2 hardware keys or platform passkeys as a priority. These accounts are the highest-value targets for credential theft.
Enable number matching for push notifications: For Microsoft Authenticator users, enable number matching (the user must type the number displayed in the sign-in flow, not just approve a push notification). This defeats push notification fatigue attacks without requiring hardware key deployment.
Implement Conditional Access policies that restrict session token reuse: AiTM attacks steal session tokens. Conditional Access policies that bind session tokens to device compliance state (Entra ID Compliant Device requirement) significantly limit the utility of a stolen session token, because the attacker's device will not meet the compliance requirement.
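An added example, not Microsoft's code or the report's, of auditing whether such a compliant-device requirement is actually enforced tenant-wide rather than sitting in report-only mode or scoped to one group. The policy objects are constructed in the shape of the Microsoft Graph conditionalAccessPolicy resource (assumed fields: state, conditions.users, conditions.applications, grantControls), and the group id is a placeholder.

```python
# Constructed policies modelled on Microsoft Graph conditionalAccessPolicy objects;
# field names are assumed, values are illustrative, and the group id is a placeholder.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Compliant device (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Compliant device for admins", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["GROUP-ID-PLACEHOLDER"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

def requires_compliant_device(policy: dict) -> bool:
    """True when the grant controls really require a compliant device: with
    operator AND it must always be met; with OR only when it is the sole control
    (otherwise a stolen token plus the attacker's own MFA pass would satisfy OR)."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "compliantDevice" not in controls:
        return False
    return grant.get("operator") == "AND" or controls == ["compliantDevice"]

def covers_all_users_and_apps(policy: dict) -> bool:
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    return ("All" in users.get("includeUsers", []) and not users.get("excludeUsers")
            and not users.get("excludeGroups") and "All" in apps.get("includeApplications", []))

def audit_token_binding(policies: list) -> dict:
    """Sort compliant-device policies into enforced tenant-wide, not enforced
    (report-only or disabled) and scoped; only the first bucket constrains a stolen token."""
    report = {"enforced_tenant_wide": [], "not_enforced": [], "scoped": []}
    for p in policies:
        if not requires_compliant_device(p):
            continue
        if p.get("state") != "enabled":
            report["not_enforced"].append(p["displayName"])
        elif covers_all_users_and_apps(p):
            report["enforced_tenant_wide"].append(p["displayName"])
        else:
            report["scoped"].append(p["displayName"])
    report["gap"] = not report["enforced_tenant_wide"]
    return report

if __name__ == "__main__":
    print(audit_token_binding(POLICIES))
```

Feeding the output of a real policy export into audit_token_binding shows at a glance whether the control described above exists on paper only.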
Audit infostealer exposure: Services like SpyCloud and HaveIBeenPwned Enterprise allow organisations to check whether employee credentials or session tokens appear in infostealer logs. Regular checks identify employees whose credentials have been compromised before attackers use them.