Enterprise credentials exposed by infostealers
Enterprise Identity Credentials Exposed in 1 in 10 Infostealer Infections—And the Rate Is Accelerating
A sweeping new analysis of nearly 19 million stolen credential logs has uncovered a dramatic and accelerating threat to enterprise cybersecurity: over 10 percent of infostealer infections now contain direct access to corporate identity systems, including Single Sign-On (SSO) and Identity Provider (IdP) credentials. The findings, released by cybersecurity firm Flare, paint a sobering picture of how attackers are increasingly targeting the very core of enterprise authentication systems.
The data, which examined 18.7 million infostealer logs collected over the past year, reveals that in 2025 alone, 2.05 million logs exposed enterprise identity credentials. These credentials provide a potential gateway to corporate email systems, cloud infrastructure, SaaS applications, and internal networks. Alarmingly, preliminary figures from late 2025 show that enterprise identity exposure has surged to 16 percent of all infections—well above predictive models and signaling a rapid escalation in the sophistication and focus of modern cyberattacks.
“Centralized identity has become the control plane of the modern enterprise,” said Estelle Ruellan, cybersecurity researcher at Flare. “What this data shows is that attackers understand that shift very well. When an infostealer infection succeeds today, it’s increasingly likely to deliver direct access to the systems organizations depend on most.”
The report highlights a staggering doubling in enterprise identity exposure: from roughly six percent of infections in early 2024 to nearly 14 percent by late 2025. Microsoft Entra ID, the successor to Azure Active Directory, appears in 79 percent of all enterprise identity logs—making it the single most impacted identity provider by a wide margin. This dominance underscores the critical importance of Microsoft’s identity ecosystem in enterprise IT, and the outsized risk it now faces.
Even more concerning, over 18 percent of enterprise identity logs expose credentials for multiple identity providers. This multi-provider exposure significantly amplifies the potential impact of a breach, complicating incident response and increasing the attack surface. In 1.17 million cases, logs contained both enterprise credentials and session cookies, enabling attackers to bypass multi-factor authentication (MFA) and gain immediate, persistent access to corporate systems.
Despite a 20 percent year-on-year decline in total infostealer infections, the proportion of infections yielding enterprise credentials has continued to rise. This trend suggests that attackers are becoming more selective and efficient, focusing their efforts on systems where the highest-value credentials are stored. It also reflects the increasing prevalence of enterprise access on compromised devices, as remote work and cloud adoption expand the attack surface.
The implications are profound. With centralized identity serving as the linchpin of modern enterprise security, the compromise of SSO and IdP credentials can open the door to widespread data breaches, ransomware attacks, and supply chain compromises. Organizations are urged to adopt a defense-in-depth strategy, including regular credential rotation, robust monitoring of identity systems, and employee training to recognize and avoid phishing and malware attacks.
As the threat landscape evolves, the data underscores a critical reality: the battle for enterprise security is increasingly being fought over identity. With attackers honing their focus on the most valuable targets, organizations must act swiftly to protect their identity infrastructure—or risk losing control of their most sensitive systems.
For more detailed insights and recommendations, the full report is available on the Flare website.
Image credit: Tsingha25/Dreamstime.com