Infostealers Are Bypassing Your MFA in 2026: The Session-Hijacking Threat and How to Defend Against It

Infostealers now bypass multi-factor authentication by stealing the post-login session token itself. The 2026 numbers from SpyCloud, Microsoft and F5 show identity — not the perimeter — is where mid-market companies are being breached. A defender playbook.

CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai

MFA is not the finish line anymore

For most of the last decade, the security industry told mid-market and SMB buyers the same thing: turn on multi-factor authentication (MFA) and you have solved 99% of credential attacks. In 2026 that sentence is no longer true, and the data is unambiguous about why.

According to the **SpyCloud 2026 Identity Exposure Report**, **18.1 million API keys and authentication tokens** were exposed via malware in the last twelve months — a volume that the report frames as an explosion in the theft of **non-human (machine) identities** alongside the long-running theft of user credentials. The same report tracks **infostealer logs**, the standardized package that malware drops onto criminal marketplaces after a successful infection, and notes that these logs typically appear for sale on dark-web marketplaces **within roughly 48 hours of the original infection**.

The other half of the picture comes from **Microsoft**, whose threat-intelligence team has stated publicly that **roughly 80% of incidents in which MFA was bypassed trace back to the misuse of a stolen session token** — not to a flaw in the MFA protocol, not to a SIM swap, and not to user error at the prompt. The attacker simply skipped the prompt entirely by reusing the cookie the browser was already carrying.

**F5** adds the volume dimension: in monitored enterprise environments through 2026, **roughly one out of every three login attempts uses credentials sourced from leaked compilations** — the breached-password dumps that have accumulated on criminal forums since 2019 and are now traded as a commodity. And the supply of new material keeps coming: a new infostealer family commercially marketed as **"Storm"** appeared in early 2026, scraping browser credentials, session cookies and cryptocurrency wallets from infected endpoints and shipping the encrypted bundle to a server-side decryption pipeline.

Put together, these four data points describe the same thing from four angles: **identity is the new perimeter, and in 2026 the perimeter is being defeated post-login**. This article is a defender playbook for that reality, written for the security lead at a mid-market or SMB company who has already turned on MFA and is being told, accurately, that it is no longer enough.

How a 2026 session-hijack actually plays out

A realistic attack chain looks nothing like the phishing pages we trained users to spot in 2019. It looks like this:

A contractor working on a marketing project clicks a download link in what looks like a routine Slack DM from a colleague — actually a thread-jacked account on a separate, compromised tenant. The download is a cracked plugin, an installer for a free productivity tool, or a fake browser extension. The payload is an infostealer — Storm, Lumma, Vidar, RedLine or one of the dozens of variants on the market.

Within minutes, the stealer enumerates **every browser profile** on the machine, extracts saved passwords, autofill data, cryptocurrency wallets and — critically — the **cookie store**. The cookie store holds the session tokens for every authenticated tab the user has open: the corporate single-sign-on, the email client, the CRM, the source-code host, the cloud console.

The bundle is uploaded to an attacker-controlled server. Within 48 hours per the SpyCloud data, the infostealer log is on a dark-web marketplace, sold per record for a few dollars. A second actor — typically an **Initial Access Broker (IAB)** — buys the log, sifts it for tokens that map to high-value tenants, and either uses them directly or resells the curated subset to a ransomware affiliate.

The affiliate then **replays the session cookie** against the corporate SSO from an attacker-controlled browser. **No password prompt. No MFA prompt.** The cookie is, by design, the artifact that proves the MFA challenge already happened. The corporate identity provider sees a valid, in-date session and serves the application. The attacker is logged in as the contractor, with the contractor's exact entitlements, on a device the user has never owned.

This is the failure mode Microsoft's 80% figure describes. The MFA protocol worked. The session token defeated it.

Why machine identities make the problem worse

The SpyCloud 18.1-million figure for API keys and tokens is not a separate problem from session hijacking — it is the same problem on a different surface. A leaked API key for a CI/CD pipeline, a cloud account, an observability platform or an internal microservice does not need MFA at all. It authenticates by possession of the key. Steal the key, you are the service.

Three structural shifts make 2026 worse than 2024 on machine identity:

The session cookie is a human identity stolen post-MFA. The API key is a machine identity stolen pre-MFA. Both end at the same place: the attacker is now an authenticated principal inside your environment.

What an identity-first defense actually looks like

A 2026 defense program is not a single tool. It is a small number of controls operated continuously, with a human on the rotation. The eight that matter:

**1. Session-token telemetry, not just login telemetry.** The identity provider must emit and the SIEM must ingest events at the session level — token issuance, refresh, replay from a new IP or device fingerprint, geographic impossibility. Most IdPs (Entra ID, Okta, Google Workspace) expose this. Few mid-market teams are watching it.

**2. Forced revocation on signal.** When an endpoint is flagged as infostealer-infected — by EDR, by a SpyCloud-style exposed-credentials feed, by a user self-report — every active session for that user across every application must be revoked in minutes, not the next morning. This is a button on the IdP. It needs an operator.

**3. Token binding and device-bound credentials where the platform supports them.** The IETF token-binding spec, plus the newer device-bound session credential proposals being adopted by the major browsers and IdPs through 2026, raise the cost of cookie replay because the token is cryptographically tied to the original device. Roll these out as your IdP and browser fleet support them.

**4. Phishing-resistant MFA on privileged accounts.** Hardware-key WebAuthn (FIDO2) for admins, finance, legal and any non-human-friendly service account is the floor in 2026 — not the ceiling. It does not defeat session theft on its own, but it raises the cost of the initial login the attacker has to bypass when the cookie expires.

**5. Machine-identity inventory and rotation.** A real registry of every API key, OAuth client, service account and CI token, with an owner, an issued date, a last-used date and a maximum lifetime. Anything past lifetime auto-rotates or is disabled. This is unglamorous and it is the single highest-leverage control in 2026.

**6. Exposed-credentials monitoring.** Subscribe to a feed (SpyCloud, HaveIBeenPwned Enterprise, Recorded Future, Flashpoint) that surfaces infostealer logs and breach compilations against your domains within the same 48-hour window the attackers operate on. Wire the feed to automatic password reset and session revocation.

**7. Endpoint detection that actually catches infostealers.** Modern EDR plus a managed-detection rotation that knows what Storm, Lumma, Vidar and RedLine look like on disk and on the wire. The infostealer dwell time on an unmanaged or contractor endpoint is the window in which everything else fails.

**8. A 24/7 human on the rotation.** Most infostealer-driven account takeovers in 2026 happen overnight in the victim's local time, because the attacker is in a different time zone and the SOC is offline. A real 24/7 rotation — not a pager that wakes someone at 04:00 once a quarter — closes that window.
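Control 1 in working form, as an added example that is not the article's or any vendor's code: a replay check run over constructed session-level IdP events (issue, refresh, use) that flags a token reused from a new device fingerprint or from a location unreachable since its previous use. The event fields, the 900 km/h travel bound and the 50 km jitter floor are assumptions, not any IdP's schema.

```python
# Added example (not from the article). Field names and thresholds are assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumed upper bound for legitimate travel between two uses
MIN_JUMP_KM = 50.0      # ignore geo-IP jitter below this distance


@dataclass
class SessionEvent:
    ts: datetime
    session_id: str   # identifier of the issued session/refresh token
    user: str
    ip: str
    device_fp: str    # device/browser fingerprint as reported by the IdP
    lat: float
    lon: float


def distance_km(a: SessionEvent, b: SessionEvent) -> float:
    """Great-circle (haversine) distance between two events' geo-IP locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_replay(events: list[SessionEvent]) -> list[tuple[str, str, str]]:
    """Return (session_id, user, reason) for every token use that comes from a new
    device fingerprint or implies impossible travel since the previous use."""
    last: dict[str, SessionEvent] = {}   # most recent event seen per session id
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.session_id)
        if prev is not None:
            if ev.device_fp != prev.device_fp:
                alerts.append((ev.session_id, ev.user, f"token reused from new device {ev.device_fp} at {ev.ip}"))
            km = distance_km(prev, ev)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            if km >= MIN_JUMP_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
                alerts.append((ev.session_id, ev.user, f"impossible travel: {km:.0f} km in {hours:.2f} h"))
        last[ev.session_id] = ev
    return alerts


# Constructed sample: a contractor's SSO session S-1 is refreshed normally, then the
# same token is replayed 45 minutes later from an unknown device on another continent.
T0 = datetime(2026, 3, 2, 9, 0)
SAMPLE_EVENTS = [
    SessionEvent(T0, "S-1", "contractor@example.com", "10.0.0.5", "fp-laptop-01", 40.4168, -3.7038),
    SessionEvent(T0 + timedelta(minutes=30), "S-1", "contractor@example.com", "10.0.0.5", "fp-laptop-01", 40.4168, -3.7038),
    SessionEvent(T0 + timedelta(minutes=75), "S-1", "contractor@example.com", "203.0.113.9", "fp-unknown-77", 55.7558, 37.6173),
    SessionEvent(T0 + timedelta(minutes=10), "S-2", "staff@example.com", "10.0.0.8", "fp-desk-02", 40.4168, -3.7038),
]
```

Either alert is the signal that should trigger the forced revocation described in control 2; the benign session S-2 produces none.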

The same broader thesis on operating-model change for the work that surrounds these controls is covered in the companion piece, [You're Not Buying Developer Hours Anymore: Agentic Coding, Orchestration, and Outcome-Based Pricing in 2026](/en/blog/agentic-coding-orchestration-outcome-based-pricing-outsourcing-2026).

Where outsourcing actually helps — and where it does not

A mid-market company is not going to staff a 24/7 identity-operations rotation in-house. The math does not work: six to eight FTEs across three shifts to cover a single seat continuously, plus on-call, plus tooling, plus a manager. That budget pays for a small team or a managed partner — not both.

This is the part of the security stack where managed [cybersecurity](/en/services/cybersecurity) makes the most sense for a mid-market buyer, **provided** the partner is doing identity operations and not just commodity log review. The questions to ask a prospective partner:

The CET/UTC+1 alignment is why a [nearshore Morocco](/en/why-morocco) rotation works particularly well for European and UK clients — the "overnight" gap for the buyer is the working day for the operator, which reverses the staffing economics. For US clients, the same geography gives a clean afternoon-and-evening overlap with US business hours, and a real human on the keyboard when the East Coast SOC has gone home.

Two adjacent capabilities matter alongside the security rotation: a [technical support](/en/services/technical-support) tier-1 that recognizes the early signals of a session-theft incident (unusual password resets, customers reporting unsolicited prompts, contractor laptops showing strange behavior), and a [cloud-infrastructure](/en/services/cloud-infrastructure) operations function that owns the machine-identity registry and the rotation policy on the cloud and CI surfaces. In 2026, these three functions overlap so heavily that splitting them across three vendors is the most common cause of the gap an attacker walks through.

The 90-day plan

For a mid-market security lead reading this on a Friday afternoon, the 90-day version of the playbook is:

**Days 1–30.** Subscribe to an exposed-credentials feed and wire it to forced password reset. Enable session-event logging on the IdP and pipe to the SIEM. Inventory every privileged human account and migrate the top tier to phishing-resistant MFA. Identify the EDR coverage gap on contractor and BYOD endpoints and close it.

**Days 31–60.** Stand up the machine-identity registry, even if it starts as a spreadsheet with an owner column. Cap PAT and service-account lifetimes. Pilot token-binding or device-bound session credentials on the IdP for one application group. Write the session-revocation runbook and rehearse it once.

**Days 61–90.** Decide on the 24/7 rotation — in-house, managed, or hybrid — and contract it. Wire alerts end-to-end. Run a tabletop with a realistic infostealer-driven account-takeover scenario, including the overnight escalation path. Publish the post-exercise gaps and remediate them in the next sprint.
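Control 5 and the days 31–60 registry step, as an added example that is not the article's code: a lifetime and ownership audit over a constructed machine-identity registry in CSV form (the "spreadsheet with an owner column"). The column names, the 90-day unused threshold and the sample rows are assumptions.

```python
# Added example (not from the article). Columns, thresholds and rows are constructed.
from __future__ import annotations
import csv
from datetime import date, timedelta
from io import StringIO

STALE_AFTER_DAYS = 90   # assumed: unused this long gets reviewed even inside its lifetime

# Constructed registry: name,type,owner,issued,last_used,max_lifetime_days
REGISTRY_CSV = """name,type,owner,issued,last_used,max_lifetime_days
ci-deploy-token,ci_token,platform-team,2025-09-01,2026-02-27,180
billing-api-key,api_key,finance-eng,2025-12-15,2026-02-25,90
legacy-export-key,api_key,,2024-05-10,2025-06-30,365
observability-oauth,oauth_client,sre,2026-01-20,2026-02-28,90
"""


def audit_registry(csv_text: str, today: date) -> dict[str, list[str]]:
    """Bucket every identity as rotate (past max lifetime), orphaned (no owner),
    review (unused longer than STALE_AFTER_DAYS) or ok. One identity may land in
    several buckets; rotate and orphaned are the ones to act on first."""
    findings: dict[str, list[str]] = {"rotate": [], "orphaned": [], "review": [], "ok": []}
    for row in csv.DictReader(StringIO(csv_text)):
        issued = date.fromisoformat(row["issued"])
        last_used = date.fromisoformat(row["last_used"])
        expires = issued + timedelta(days=int(row["max_lifetime_days"]))
        flagged = False
        if today >= expires:                       # lifetime cap reached: rotate or disable
            findings["rotate"].append(row["name"])
            flagged = True
        if not row["owner"].strip():               # nobody to approve rotation or disablement
            findings["orphaned"].append(row["name"])
            flagged = True
        if (today - last_used).days > STALE_AFTER_DAYS:   # likely dead credential
            findings["review"].append(row["name"])
            flagged = True
        if not flagged:
            findings["ok"].append(row["name"])
    return findings


if __name__ == "__main__":
    for bucket, names in audit_registry(REGISTRY_CSV, date(2026, 3, 2)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```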

The 18.1 million tokens are already out there. The 48-hour window is already running. The attacker does not need to find a flaw in your MFA — they need the cookie that proves it already fired. The defender's job in 2026 is to make that cookie short-lived, bound to a device, monitored on use, and revoked at the first signal of an infected endpoint.

FAQ

**Q: Does MFA still help if attackers can just steal the session token?**

A: Yes — but it is no longer sufficient. MFA prevents the initial login when the attacker only has the password. Session theft defeats MFA after the login already happened, which is why Microsoft attributes roughly 80% of MFA-bypass incidents to session-token misuse. Keep MFA, harden the session.

**Q: What is the difference between phishing and an infostealer-driven account takeover?**

A: A phishing page tries to capture the user's password and MFA code in real time, in front of the user. An infostealer compromises the endpoint silently, extracts the session cookies the browser has already been issued, and the attacker reuses them later from their own device. No prompt is ever shown to the victim.

**Q: How fast does stolen credential material reach the dark-web market?**

A: Per the SpyCloud 2026 Identity Exposure Report, infostealer logs typically appear on dark-web marketplaces within roughly 48 hours of the original infection. Defender operations need to run on that timescale, not on a monthly review cadence.

**Q: We are a 200-person company. Do we really need a 24/7 SOC for this?**

A: You need 24/7 coverage on the session-revocation function. That can be an in-house rotation, a managed partner, or a hybrid where business-hours stays in-house and overnight is outsourced. The volume of alerts at 200 people does not justify a full in-house SOC for most companies — the coverage gap does.

**Q: How does machine-identity theft (API keys, service accounts) differ from session hijacking?**

A: Machine identities authenticate by possession of a key, with no MFA in the loop. A stolen API key is immediately usable as the service. SpyCloud's 18.1 million figure for exposed API keys and tokens in 2026 makes machine-identity hygiene — inventory, rotation, lifetime caps — as urgent as human-session monitoring.

**Q: What single control gives a mid-market company the biggest improvement in 90 days?**

A: Wiring an exposed-credentials feed (SpyCloud, HaveIBeenPwned Enterprise, or equivalent) to automatic password reset and session revocation across the IdP. It closes the 48-hour window between infection and exploitation more reliably than any other single change at this budget level.

CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai — contact@callitdev.com — +212-537-373777