Sophos: 71% of Firms Hit by Identity Breaches in 2025
A major new report from Sophos has put a striking number on a problem that security professionals have been warning about for years: 71% of organizations worldwide suffered at least one identity-related security breach in the past year. The findings land at a moment when identity-based attacks are no longer a niche threat, but the dominant method by which attackers gain footholds inside corporate environments. For businesses and individuals alike, the data is a clear signal that identity hygiene can no longer be treated as a secondary concern.
What the Sophos Data Reveals About Identity Breach Frequency and Scope
The sheer scale of the Sophos findings is difficult to ignore. Nearly three in four organizations, across industries and geographies, experienced an identity-related compromise in a single year. This is not a story about a handful of high-profile targets; it reflects a broad, systemic vulnerability in how organizations manage who, and what, has access to their systems.
Identity-related breaches differ from traditional network intrusions in an important way. Rather than breaking through a firewall, attackers compromise credentials or tokens that grant them legitimate-looking access. Once inside, they can move laterally, escalate privileges, and exfiltrate data while appearing, at least initially, to be an authorized user. This makes detection slower and remediation more complex.
Real-world consequences from identity failures have already filled headlines in 2025. The Alert 360 breach exposing 2.5 million records and the Zara breach affecting nearly 200,000 customers through a third-party vendor both illustrate how compromised access credentials, whether through direct attacks or supply-chain exposure, can cascade into massive data losses.
How Non-Human Identities and API Keys Are Becoming Prime Targets
One of the more forward-looking findings in the Sophos report is the attention it draws to non-human identities. This category includes API keys, service accounts, automation scripts, and increasingly, AI agents that are granted access to systems in order to perform tasks autonomously.
As organizations adopt AI-powered tools and automate more of their workflows, they are creating a growing inventory of non-human actors that hold credentials and permissions. The problem is that these identities are frequently mismanaged: permissions are overly broad, credentials are rarely rotated, and monitoring for anomalous behavior is inconsistent at best.
An API key embedded in a code repository, or an AI agent granted write access to a production database, represents a high-value target for attackers. Unlike human user accounts, non-human identities often lack the same lifecycle management, meaning they can persist long after they are needed and go unnoticed when compromised. The Sophos report identifies this mismanagement as one of the primary attack vectors driving the 71% figure.
Why Human Error Remains the Weakest Link in Identity Security
Alongside the rise of non-human identity risks, the Sophos findings confirm that human error continues to undermine even well-resourced security programs. Phishing remains remarkably effective. Credential reuse across personal and professional accounts creates avenues for attackers to pivot from a consumer breach into a corporate environment. And overprivileged accounts, created for convenience and never properly scoped, give attackers more access than they should ever be able to reach.
The human element is also evident in how quickly breaches scale once initial access is gained. A single compromised account used by someone with broad administrative rights can expose thousands of records within hours. Healthcare has proven particularly vulnerable, as seen in incidents like the NYC Health breach affecting 1.8 million individuals, where identity mismanagement at any level of a complex system can have outsized consequences.
Training and awareness programs help, but they are not sufficient on their own. The Sophos data suggests that organizations need structural controls that reduce the blast radius of human mistakes, not just policies that rely on employees doing the right thing every single time.
Defense-in-Depth: Where VPNs and Privacy Tools Fit in Identity Protection
No single tool solves the identity security problem, and that is precisely the point. Defense-in-depth, layering multiple security controls so that a failure in one does not automatically mean a full compromise, is the framework the Sophos findings implicitly argue for.
VPNs play a specific and important role in this stack. By encrypting network traffic and masking connection metadata, a VPN reduces the risk that credentials or session tokens are intercepted in transit, particularly on untrusted networks. For remote workers accessing corporate resources from hotels, airports, or shared workspaces, a VPN is a basic but meaningful control that closes an otherwise open window.
Beyond VPNs, a layered identity protection strategy includes multi-factor authentication on all accounts, the principle of least privilege for both human and non-human identities, regular auditing of active credentials and API keys, and monitoring for anomalous login patterns. The Sophos data reinforces that these are not optional extras for large enterprises; organizations of all sizes are being targeted.
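The last control in that list, monitoring for anomalous login patterns, is the one most often described and least often shown. The following is an added example, not code from Sophos or from the report, that runs three simple detections over a constructed authentication log: a successful login from a location the account has never used before, a success that follows a burst of failures (the pattern credential stuffing and password spraying leave behind), and a service account authenticating interactively with a password. The log format, the `svc-` naming convention for service accounts, and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the format (timestamp followed by key=value pairs) is an
# assumption for this example, not any vendor's real output.
SAMPLE_LOG = """\
2025-06-01T08:00:00Z user=alice src=203.0.113.5 geo=US result=success method=mfa
2025-06-01T08:05:00Z user=alice src=203.0.113.5 geo=US result=success method=mfa
2025-06-02T03:10:00Z user=alice src=198.51.100.9 geo=RO result=success method=password
2025-06-02T09:00:00Z user=bob src=192.0.2.10 geo=US result=failure method=password
2025-06-02T09:01:00Z user=bob src=192.0.2.10 geo=US result=failure method=password
2025-06-02T09:02:00Z user=bob src=192.0.2.10 geo=US result=failure method=password
2025-06-02T09:03:00Z user=bob src=192.0.2.10 geo=US result=failure method=password
2025-06-02T09:04:00Z user=bob src=192.0.2.10 geo=US result=failure method=password
2025-06-02T09:04:30Z user=bob src=192.0.2.10 geo=US result=success method=password
2025-06-02T10:00:00Z user=svc-backup src=192.0.2.44 geo=US result=success method=password
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse(log_text):
    """Turn each log line into a dict of fields with a parsed 'ts' datetime."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        fields = dict(pair.split("=", 1) for pair in m["kv"].split())
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of (user, alert) tuples in chronological order.

    Rules (thresholds are assumptions for the example):
      new_geo: success from a geo never seen in the user's earlier successes
      success_after_failure_burst: >= fail_threshold failures within `window`, then a success
      service_account_interactive_password: a 'svc-' principal logging in with a password
    """
    events = sorted(events, key=lambda e: e["ts"])
    seen_geo = defaultdict(set)       # baseline of successful-login locations per user
    failures = defaultdict(list)      # timestamps of recent failures per user
    alerts = []
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            failures[user].append(e["ts"])
            continue
        # Only successes reach here; a success after many recent failures is the signal.
        recent = [t for t in failures[user] if e["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append((user, "success_after_failure_burst"))
        failures[user].clear()
        if user.startswith("svc-") and e["method"] == "password":
            alerts.append((user, "service_account_interactive_password"))
        if seen_geo[user] and e["geo"] not in seen_geo[user]:
            alerts.append((user, "new_geo"))
        seen_geo[user].add(e["geo"])
    return alerts


if __name__ == "__main__":
    for user, alert in detect(parse(SAMPLE_LOG)):
        print(f"{user}: {alert}")
```

In production the location baseline would come from weeks of history rather than the same file being scanned, and the failure window would be tuned against real lockout and retry behaviour; the structure of the rules is what the example is meant to show.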
What This Means For You
Whether you manage IT for a company or are simply an individual trying to protect your accounts, the Sophos report carries a direct message: identity is the perimeter now, and it needs to be defended accordingly.
Here are concrete steps to take:
- Audit your credentials. Identify any accounts using reused or weak passwords and update them with unique, complex alternatives stored in a password manager.
- Enable multi-factor authentication everywhere. Prioritize your email, financial, and work accounts first.
- Review app permissions and API access. If you manage any software projects or business tools, audit which services hold active credentials and revoke anything no longer in use.
- Use a VPN on untrusted networks. Encrypting your connection prevents credential interception when you are away from secured environments.
- Stay informed about breaches. Services that notify you when your email appears in a known breach dataset give you an early warning to rotate affected credentials before attackers can exploit them.
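The non-human identity problem described earlier (permissions that are too broad, credentials that are never rotated, keys that outlive their purpose) and the "review app permissions and API access" step above both come down to the same audit: compare every active credential against a rotation policy, an idle threshold, and the scopes its task actually needs. The following is an added example, not code from Sophos or from the report, that runs such an audit over a constructed inventory; the thresholds, the `Credential` fields and the scope names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy thresholds; set them to your own rotation and review cadence.
MAX_KEY_AGE = timedelta(days=90)   # a credential older than this is overdue for rotation
MAX_IDLE = timedelta(days=30)      # a credential idle this long is a candidate for revocation


@dataclass(frozen=True)
class Credential:
    name: str                     # key, service account or agent identifier
    kind: str                     # "api_key", "service_account" or "ai_agent"
    created: datetime
    last_used: Optional[datetime]  # None means it has never been used
    granted: frozenset            # scopes actually attached to the credential
    required: frozenset           # scopes the owning task declares it needs
    active: bool = True


def audit(inventory, now):
    """Return {credential name: [finding, ...]} for active credentials that violate policy."""
    findings = {}
    for c in inventory:
        if not c.active:
            continue  # already revoked; nothing to rotate or scope down
        issues = []
        if now - c.created > MAX_KEY_AGE:
            issues.append("rotation_overdue")
        if c.last_used is None or now - c.last_used > MAX_IDLE:
            issues.append("unused_revoke_candidate")
        excess = c.granted - c.required   # least privilege: anything beyond declared need
        if excess:
            issues.append("overprivileged:" + ",".join(sorted(excess)))
        if issues:
            findings[c.name] = issues
    return findings


# Constructed inventory for the example; dates are relative to a fixed "now".
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    # CI key still in daily use but never rotated in 200 days
    Credential("ci-deploy-key", "api_key", NOW - timedelta(days=200), NOW - timedelta(days=1),
               frozenset({"repo:write"}), frozenset({"repo:write"})),
    # service account from a decommissioned report, untouched for four months
    Credential("legacy-reporting-sa", "service_account", NOW - timedelta(days=400),
               NOW - timedelta(days=120), frozenset({"db:read"}), frozenset({"db:read"})),
    # AI agent that only needs to read but was granted write as well
    Credential("support-agent", "ai_agent", NOW - timedelta(days=10), NOW,
               frozenset({"db:read", "db:write"}), frozenset({"db:read"})),
    # healthy credential: fresh, in use, scoped to what it needs
    Credential("metrics-exporter", "service_account", NOW - timedelta(days=30),
               NOW - timedelta(days=1), frozenset({"metrics:read"}), frozenset({"metrics:read"})),
    # already revoked; must not appear in findings
    Credential("retired-key", "api_key", NOW - timedelta(days=800), None,
               frozenset({"admin"}), frozenset(), active=False),
]


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, NOW).items():
        print(f"{name}: {', '.join(issues)}")
```

The `required` set is the part most organizations lack: unless each key or agent is registered with the scopes its task needs, there is nothing to compare the granted permissions against, and overprivilege goes unnoticed exactly as the report describes.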
The 71% figure from Sophos is not a reason for panic, but it is a reason for action. Identity-related security breaches in 2025 are not hypothetical risks; they are happening to the majority of organizations right now. Building layered defenses, combining strong identity practices with network-level protections, is the practical response that the data demands.