Data breaches came thick and fast this past year, continuing some trends from 2024. Healthcare remained a highly targeted and susceptible sector, with millions of records exposed and millions of dollars in damages and costs incurred (with education and financial sectors deserving an honorable mention). Third-party and supply chain vulnerabilities wreaked havoc again in the form of a string of Salesforce data exposures. Compromised credential data volumes have risen, powered by infostealer malware log data, and their derivatives: hacker-favorite “ULP” lists. To make things even more unclear and chaotic, all this was swept along in a river of “AI” headlines, startups, vulnerabilities, and buzzwords.
First prize in this super-undesirable category has to collectively go to the Salesforce data breaches. The terminology is unfortunate for Salesforce, as the company itself wasn’t actually breached; rather, many of their customers who ran Salesforce software on their own machines or clouds to store customer data were attacked via an assortment of different methods, and had lots of their CRM data stolen. The spree affected high-profile clients like Google, Qantas, TransUnion, and Farmers Insurance, and some estimate as many as 700 victims were attacked, though it’s difficult to know for sure.
The “Most Susceptible Industry” was once again healthcare. We discussed this last year, when providers and adjacent services were getting hit hard with ransomware. Technically, this year was an improvement over last year in terms of the number of individuals affected, but we need to take that with a grain of salt, as 2024 had been pushed to record highs by the Change Healthcare breach (expected to cost the organization over $1 billion). This year, over 50 million people are estimated to have been affected by a healthcare-related data breach, with the top three spots going to Aflac, Conduent, and Yale New Haven Health.
The top spot in “Most Erroneously Reported” goes to the “16 Billion Credential Breach”. Touted variously as the “largest data breach ever” and a breach of “Google, Facebook and Apple”, this one made its way onto some of the mainstream news platforms, ensuring the misconceptions were spread far and wide. The data did not come from a single breach, as its monikers and epithets imply, but is yet again a collection of mostly recycled data. Some sources pointed out that a lot of the records were new or recent compared to the last time this happened (probably the “MOAB”). This may be true, but the source of much of this newer data was large aggregated lists of credentials collected over the past few years of infostealer malware activity. These events, where a large collection of compromised credentials is thrust into the spotlight, fail to identify the real threats (e.g. infostealers), but do serve to highlight the scale of the problem. Hopefully, knowing that there are such large lists out there helps communicate how much effort threat actors are putting in to collect and distribute credentials… and they do this because credentials work really, really well.
We reported on the massive amounts of compromised credentials coming from infostealer malware back in 2023 and at this time last year, but it took until this past June for mainstream tech media to really take notice. As mentioned above, the “16 Billion Record Breach” was really just a big mass of previously seen credentials, including much of the infostealer log data that we’ve been processing for years. Despite some attempts to shut infostealer servers down, supply and demand both remain strong in the threat actor underground. Threat actors known as “access brokers” are trading and selling huge amounts of compromised credentials and other personally identifying information (PII) harvested from victims’ web browsers and hard drives.
At Enzoic, we processed billions and billions of compromised credentials from what threat actors term “ULPs”, an acronym for “URL, Login, Password” that refers to the typical format of the files: three columns for those respective data fields. They often hold millions of rows per file of login information sourced primarily from infostealer malware data. Threat actors absolutely love these, because the URL indicates the login endpoint for which the credential is valid, i.e. exactly which site you can access with that username and password, saving the poor, overworked threat actor a lot of blood, toil, tears, and credential stuffing. Infostealers typically harvest this information from browser-based password managers, which store those three pieces of information together in order to autofill your login info as you visit sites.
Not that CISOs, sysadmins, and other security practitioners ever had things easy, but it must be a pretty rough time right now. It’s getting increasingly hard to separate the signal from the noise out in the broader threat landscape. Combine AI-slop-clogged newsfeeds, the usual one-upping alarmism of vendors and clickbait trying to cut through the fog, and a rather rudderless federal posture, and where does one turn? Well, the good news is that the basics basically haven’t changed, despite the AI craze. In fact, they’ve become even more important. There was initial speculation that jailbreaking AI would let hackers supercharge their coding abilities and discover zero-day exploits, implementing never-before-seen attack chains at an alarming rate, or that teams of malicious AI agents would be the next-gen actors. And some were skeptical that AI would make any difference at all. Now that we’ve had widespread access to LLMs for a couple of years, we see that what actually happened was that threat actors were able to increase the rate and reach of the same old attacks we’ve been seeing for years, namely phishing (and other kinds of ‘ishing’) and credential stuffing. That is, instead of opening up a whole new security front, AI has turbocharged the patterns we were already seeing. This makes it beyond imperative for organizations and users to take the basics like anti-phishing education/training and credential security seriously. Additionally, we will surely start to see more advanced AI-powered vulnerabilities and attacks over the coming years, and any meaningful defensive security posture will need to start on a solid foundation.
Despite the hype cycles and evolving threats, fundamental security hygiene remains your best defense. Strong, unique passwords; multi-factor authentication; regular updates; security awareness; and monitoring for compromised credentials form the foundation upon which more advanced defenses must be built. As we head into 2026, these basics are not just best practices but absolute necessities: if nothing else, having a solid foundation will give us more bandwidth to respond to whatever chaos the cybersecurity landscape has in store for us this year.
AUTHOR
Dylan Hudson
Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.