MONTREAL, Feb. 02, 2026 (GLOBE NEWSWIRE) — Flare, the leader in Threat Exposure Management, today released its 2026 State of Enterprise Infostealer Exposure report, revealing a sharp acceleration in enterprise identity compromise. Based on an analysis of 18.7 million infostealer logs in 2025, Flare researchers found that more than one in 10 infections already contained enterprise Single Sign-On (SSO) or Identity Provider (IdP) credentials, and that rate is quickly increasing.
In 2025 alone, 2.05 million infostealer logs exposed enterprise identity credentials, providing attackers with potential access to corporate email, cloud infrastructure, SaaS platforms, and internal systems. Preliminary data from late 2025 shows enterprise identity exposure surging to 16% of infections, well above model predictions, signaling a shift toward rapid acceleration.
As organizations consolidate authentication around centralized identity platforms like Microsoft Entra ID, Okta, and AWS IAM Identity Center, identity has become the gateway to nearly every enterprise system. While this centralization improves usability and baseline security, it also concentrates risk. A single compromised credential or session can unlock dozens of connected systems at once. Infostealers exploit this by harvesting all saved credentials and active sessions from infected machines, turning one infection into broad enterprise access.
“Centralized identity has become the control plane of the modern enterprise,” said Estelle Ruellan, cybersecurity researcher at Flare. “What this data shows is that attackers understand that shift very well. When an infostealer infection succeeds today, it’s increasingly likely to deliver direct access to the systems organizations depend on most.”
Key Findings from the 2026 State of Enterprise Infostealer Exposure Report
- Enterprise identity exposure more than doubled, rising from approximately 6% of infections in early 2024 to nearly 14% by late 2025.
- Microsoft Entra ID appears in 79% of enterprise identity logs, making it the most impacted identity provider by a wide margin.
- Over 18% of enterprise identity logs expose multiple identity providers, significantly increasing breach impact and complexity.
- 1.17 million logs contained both enterprise credentials and session cookies, enabling immediate access and potential MFA bypass.
Future Outlook for Enterprise Identity Exposure
Data from late 2025 shows a clear evolution in attacker behavior. Despite a 20% year-over-year decline in total infostealer infections, enterprise identity exposure continued to rise. Research shows that infostealers are increasingly linked to enterprise credential theft, reflecting the higher prevalence and value of enterprise access on compromised systems.
This divergence points to a structural shift in attacker economics: fewer infections with far greater impact when compromises occur. Flare researchers warn that if this trend holds, one in five infostealer infections could expose enterprise credentials as early as Q3 2026. Each successful infection carries greater business risk, delivering immediate access and reducing the time between initial compromise and enterprise impact.
To read the report and learn more about Flare, visit the website.
About Flare
Flare is the leader in Threat Exposure Management, helping global organizations detect high-risk exposures found on the clear and dark web. Combining the industry’s best cybercrime database with a ridiculously intuitive user experience, Flare enables customers to reclaim the information advantage and make cybercrime irrelevant. For more information, visit https://flare.io. To experience the platform firsthand, start a free trial at https://try.flare.io/free-trial/. Join our Discord community and explore Flare Academy to stay up to date on the latest in threat intelligence.
Media Contact
Geena Pickering
Look Left Marketing
flare@lookleftmarketing.com
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/8f47de6b-9040-4c73-86ab-fc8c65108562
