Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense
How to build an infostealer defense program across the identity layer — grounded in Flashpoint’s proprietary data and insights. Download your e-book now!

A publicly exposed database surfaced in early 2026 containing more than 149 million stolen login credentials. The records were not tied to a single breach or organization. Instead, they had been quietly collected over time from individual devices infected with information-stealing malware, each entry capturing usernames, passwords, session data, and the context needed to use them.
Unlike traditional breach dumps, this data was structured, searchable, and immediately actionable. Credentials were mapped to specific services. Session artifacts reflected active logins, and in many cases, the information was recent enough to enable direct access without triggering security controls.
For defenders, there was no clear incident to respond to. No alert tied to a single intrusion. Just a growing pool of valid identity data circulating, resold, and ready to be tested across corporate systems, cloud platforms, and third-party services.
This is not an isolated event. It reflects a broader shift in how access is obtained and exploited.
Infostealers have transformed identity into a scalable attack vector — one that extends beyond corporate infrastructure into employee browsers, personal devices, and SaaS environments. As a result, organizations are now responsible for defending an attack surface that is continuously expanding, often outside the visibility of traditional security controls.
For security teams, the challenge is no longer just detecting when a breach occurs. It is understanding when access already exists: where compromised credentials are circulating, how they are being used, and how quickly they can be weaponized.
That’s why we created this asset — to help Information Technology (IT), Threat Intelligence (TI), Fraud, and HUNT teams understand and respond to a threat that is no longer contained within the network perimeter.
This report is for:
- Cyber Threat Intelligence teams
- Threat Hunters / HUNT teams
- Fraud teams
- IT Security teams
What you’ll learn:
- How infostealers power modern attack chains – An analysis of the most active strains, how they evolve, and how they enable downstream activity — from initial access to ransomware and fraud.
- How to manage the expanding identity attack surface – A practical look at how stolen credentials, cookies, and session data are weaponized, and how to monitor, prioritize, and respond before access is exploited.
- How to operationalize infostealer intelligence for proactive defense – A framework for turning raw stealer logs into actionable intelligence, helping teams identify exposure, track infection trends, and close gaps before attackers act.
- How to evaluate infostealer intelligence and detection capabilities – A practical checklist to help security, fraud, and intelligence teams assess whether their current tools and providers can identify, contextualize, and respond to credential exposure before it is used.
Key findings:
- Volume: According to Flashpoint’s 2026 Global Threat Intelligence Report, more than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data circulating across illicit markets.
- Speed: Flashpoint collects and parses infostealer logs in as little as one to two days after infection, helping organizations identify credential exposure closer to the point of compromise before logs are widely redistributed or weaponized.
- Scale: Flashpoint analysts identified over 30 unique infostealer strains actively listed for sale across illicit marketplaces, forums, and underground communities, highlighting the scale and accessibility of the modern Malware-as-a-Service ecosystem.
- Credential Exposure: Infostealers now account for more than 1 billion credentials within Flashpoint’s credential database of over 48 billion total credentials, with Flashpoint processing approximately 200 million total credentials and 10 million net new credentials every month.
- Cookies & MFA Bypass: Over 4.2% of infostealer-exposed credentials within Flashpoint’s dataset include browser cookies, which attackers can use to hijack authenticated sessions and potentially bypass MFA protections.
- Threat Economics: Many infostealers are now sold through Malware-as-a-Service subscription models starting at around $60 USD per month, dramatically lowering the barrier to entry for threat actors seeking scalable identity-based access.
Key takeaways:
- Identity is now a continuously exposed attack surface: Infostealers have transformed identity into a scalable access vector that extends beyond the corporate network into employee browsers, SaaS platforms, personal devices, and third-party environments. Organizations must now defend against exposure that often exists outside the visibility of traditional security controls.
- Modern attacks increasingly begin with valid access, not exploitation: Threat actors are shifting away from noisy intrusion methods and increasingly “logging in” using stolen credentials, session cookies, and authenticated browser data harvested by infostealers. Exposure is no longer just a precursor to attack — it has become part of the attack lifecycle itself.
- Infostealer activity is driving a rapidly expanding underground economy: The MaaS ecosystem has made infostealers inexpensive, scalable, and widely accessible, allowing threat actors of varying skill levels to obtain, operationalize, and resell stolen identity data at scale across forums, marketplaces, Telegram channels, and private communities.
- Speed and context are critical for proactive defense: Raw stealer logs alone are difficult to operationalize. Security teams need structured intelligence that enriches stolen credentials with metadata such as malware family, infected host details, session cookies, browser artifacts, timestamps, and infrastructure context to quickly prioritize and respond to high-risk exposure.
- Primary source intelligence provides earlier visibility into compromise: Flashpoint’s Primary Source Collection approach gives defenders direct visibility into the underground ecosystems where infostealer activity originates, helping organizations detect exposed credentials and active session data closer to the point of compromise — often before the data is widely redistributed or weaponized.
- Infostealer intelligence supports multiple operational teams: Threat intelligence, incident response, fraud, and identity teams can all use infostealer intelligence to investigate exposure, revoke sessions, prioritize enterprise infections, identify third-party risk, accelerate remediation, and reduce the likelihood of downstream account takeover, ransomware, or fraud activity.
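The takeaways above describe enriching raw stealer-log entries with context (corporate identity, target service, cookie presence, infected host, recency) so that teams can prioritize and route response actions such as session revocation, password resets and host isolation. The following is an added example of that triage logic, written for this page and not code from Flashpoint or the report; the domains, hostnames, malware family labels, score weights and sample records are all constructed assumptions for illustration.

```python
"""Triage constructed infostealer-log records by enrichment context.

Added example (not Flashpoint's code). Domain names, hostnames, family
labels and score weights are hypothetical assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical enterprise context an identity team would maintain.
CORPORATE_EMAIL_DOMAINS = {"example.com"}
MANAGED_SAAS_HOSTS = {"sso.example.com", "mail.example.com"}
CORPORATE_HOST_PREFIX = "CORP-"  # assumed naming convention of managed endpoints


@dataclass(frozen=True)
class StealerRecord:
    """One parsed credential entry from a stealer log (constructed)."""
    username: str
    target_host: str        # service the credential is for
    malware_family: str     # placeholder label, not a real family name
    infected_host: str      # hostname of the victim device
    captured_at: datetime   # when the log was produced
    has_session_cookie: bool


@dataclass
class TriageResult:
    record: StealerRecord
    score: int
    reasons: list
    actions: list


def _email_domain(username: str) -> str:
    return username.rsplit("@", 1)[-1].lower() if "@" in username else ""


def triage(record: StealerRecord, now: datetime) -> TriageResult:
    """Score one record and derive the defensive actions it warrants."""
    score, reasons, actions = 0, [], []

    corporate_identity = _email_domain(record.username) in CORPORATE_EMAIL_DOMAINS
    managed_service = record.target_host.lower() in MANAGED_SAAS_HOSTS
    corporate_device = record.infected_host.upper().startswith(CORPORATE_HOST_PREFIX)
    age = now - record.captured_at

    if corporate_identity:
        score += 40
        reasons.append("corporate identity")
        actions.append("force password reset")
    if managed_service:
        score += 30
        reasons.append("managed SaaS / SSO target")
    elif corporate_identity:
        # Corporate identity used on an unmanaged service: third-party exposure.
        reasons.append("corporate identity reused on third-party service")
        actions.append("notify third-party risk owner")
    if record.has_session_cookie:
        score += 25
        reasons.append("session cookie present (session hijack / MFA bypass risk)")
        actions.append("revoke active sessions")
    if corporate_device:
        score += 15
        reasons.append("managed endpoint infected")
        actions.append("isolate and reimage host")
    if age <= timedelta(days=2):
        score += 20
        reasons.append("captured within 2 days")
    elif age <= timedelta(days=30):
        score += 10
        reasons.append("captured within 30 days")

    return TriageResult(record, score, reasons, actions)


def prioritize(records, now):
    """Return triage results ordered highest-risk first."""
    return sorted((triage(r, now) for r in records), key=lambda t: t.score, reverse=True)


# Constructed sample log entries (not real data).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    StealerRecord("alice@example.com", "sso.example.com", "familyA", "CORP-LT-0142",
                  NOW - timedelta(days=1), True),
    StealerRecord("alice@example.com", "crm.vendor.test", "familyA", "CORP-LT-0142",
                  NOW - timedelta(days=1), False),
    StealerRecord("bob@example.com", "shop.test", "familyB", "DESKTOP-HOME1",
                  NOW - timedelta(days=200), False),
    StealerRecord("carol@mail.test", "shop.test", "familyC", "DESKTOP-XYZ",
                  NOW - timedelta(hours=6), True),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_RECORDS, NOW):
        print(f"{t.score:3d} {t.record.username:20s} {t.record.target_host:18s} "
              f"{', '.join(t.actions) or 'monitor'}")
```

The weights are deliberately simple; the point is that the same credential scores very differently depending on the enrichment around it. A fresh SSO credential with a cookie from a managed endpoint lands at the top with three distinct actions, while a six-month-old retail login for the same company drops to a reset-and-notify item, which is the kind of separation raw log dumps cannot give you.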
About Flashpoint
Flashpoint is the leader and largest private provider of threat data and intelligence. We empower mission-critical businesses and governments worldwide to decisively confront complex security challenges, reduce risk, and improve operational resilience amid fast-evolving threats. Powered by Flashpoint Primary Source Collection, our proprietary approach to collecting intelligence directly from the digital spaces where threats originate, the Flashpoint Ignite intelligence platform delivers unmatched depth, speed, and relevance from open and hard-to-reach sources, enriched by human expertise and scaled by AI. Our solutions span cyber threat intelligence, vulnerability intelligence, geopolitical risk, physical security, fraud, and brand protection. The result: our customers safeguard critical assets, avoid financial loss, and protect lives. Schedule a demo to learn more.