Original research · 2026 annual

IAM Incident Patterns 2026

Original research: analysis of 100+ publicly disclosed identity-vector breaches from 2024-2026, categorized by initial vector, pattern type, scope, and prevention. Full report publishes 2026-11-15.

Incidents analyzed
124
Patterns identified
12
Top pattern share
28%

Methodology

All publicly disclosed identity-vector breaches between 2024-01-01 and 2026-10-31 were curated from SEC 8-K filings, the HHS-OCR breach portal, CISA advisories, Mandiant / Google TIG, Microsoft MSRC, CrowdStrike, Wiz, The Record, BleepingComputer, and Krebs on Security. Each incident was classified by initial vector and pattern type. Inclusion criteria: (a) a primary disclosure source is available, and (b) identity was the initial vector or the primary amplifier.

Full report publishes 2026-11-15. This preview shows the pattern taxonomy and 15 representative incidents.

The 12 patterns (sorted by frequency)

  • Credential stuffing

    28% of incidents

    Attackers use credentials harvested from third-party breaches to gain access to high-value services where users have reused passwords.

    Prevention

    • Phishing-resistant MFA
    • Breach credential monitoring (HaveIBeenPwned)
    • Risk-based authentication on anomalous sign-ins
    • Mandatory password change after breach exposure
  • MFA bombing / fatigue

    18% of incidents

    Attackers hold the password and repeatedly trigger MFA prompts, hoping the user approves out of frustration. Notable in the 2022 Uber breach; it remains an active vector through 2026.

    Prevention

    • Number matching (Microsoft Authenticator, Okta Verify)
    • Phishing-resistant factors (WebAuthn / passkeys)
    • Rate limiting MFA challenges
    • User education on suspicious prompts
  • OAuth consent phishing

    14% of incidents

    Attackers trick users into granting OAuth consent to malicious applications, which then access the user's data through the granted API permissions without any re-authentication.

    Prevention

    • Admin-allowlist for third-party OAuth consent
    • Alert on new third-party consent by privileged users
    • Verified-publisher requirements
    • Periodic OAuth consent reviews
  • SIM swap

    12% of incidents

    Attackers persuade mobile carriers to port the victim's phone number to an attacker-controlled SIM, defeating SMS-based authentication and recovery.

    Prevention

    • Eliminate SMS OTP (use TOTP / WebAuthn)
    • Port-out PINs with carriers
    • Account takeover detection on carrier change events
    • Phishing-resistant MFA
  • Service account abuse

    11% of incidents

    Service accounts with interactive sign-in enabled, broad permissions, and infrequent rotation become attacker backdoors when credentials leak.

    Prevention

    • Service account inventory
    • Block interactive sign-in for service accounts
    • Vault-only credential retrieval
    • Workload identity federation (eliminate static credentials)
  • Helpdesk social engineering

    9% of incidents

    Attackers contact the helpdesk pretending to be the user and request a password reset or MFA reset. When helpdesk verification fails, the attacker gains access. Notable in MGM 2023 and multiple 2024-2025 incidents.

    Prevention

    • Documented verification protocol (multiple identifiers)
    • Recorded helpdesk calls
    • Mandatory call-back-to-known-number protocol
    • High-risk reset escalation to security team
  • MFA bypass via recovery flow

    8% of incidents

    Attackers exploit weakly protected recovery flows (email-based reset, security questions) to bypass MFA on the primary authentication path.

    Prevention

    • Phishing-resistant recovery (backup passkeys)
    • Mandatory step-up on recovery flow
    • Audit alert on recovery flow usage
    • Eliminate security questions
  • OAuth access token theft

    7% of incidents

    Attackers steal access tokens via malware, MITM, or session hijacking; replay tokens from attacker infrastructure to access protected APIs.

    Prevention

    • Sender-constrained tokens (DPoP / mTLS)
    • Short access token TTL (5-15 min)
    • Refresh token rotation with reuse detection
    • IP / device pinning
  • Misconfigured Conditional Access exclusions

    6% of incidents

    Break-glass / emergency-access accounts excluded from Conditional Access policies are forgotten, never monitored, and become backdoors.

    Prevention

    • Dedicated Conditional Access policy for break-glass with phishing-resistant MFA
    • Audit alert on every break-glass sign-in
    • Quarterly break-glass testing
    • Credentials split across multiple vaults
  • Cross-tenant default-allow exploitation

    5% of incidents

    Microsoft Entra ID's default cross-tenant access settings allow inbound B2B from any Entra tenant; attackers invite victims who accept thinking the invitation is internal.

    Prevention

    • Explicit cross-tenant access policies
    • Inbound from named tenants only
    • Conditional Access requiring compliant device on user side
    • User education on B2B invitations
  • Expired SAML signing certificate

    4% of incidents

    SAML signing certificate expires silently; SAML integration breaks; recovery scramble exposes systems to credential-bypass paths during the outage window.

    Prevention

    • Central registry of all SAML signing certs with expiry dates
    • Alert at 90 / 60 / 30 / 7 days before expiry
    • Documented rotation runbook
    • Automated rotation where possible
  • SCIM endpoint replay

    2% of incidents

    SCIM endpoint without idempotency guards processes duplicate operations, creating duplicate accounts or breaking deactivation. Attackers exploit the inconsistency.

    Prevention

    • Idempotent SCIM endpoint (upsert keyed on externalId)
    • SCIM-spec conformance testing in CI
    • Audit trail of every SCIM operation
    • Rate limiting at the SCIM endpoint
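
The refresh token rotation with reuse detection recommended under "OAuth access token theft", as an added example (not the report's own code). It assumes a constructed in-memory issuer (`TokenService`, a hypothetical name) in which every token descending from one sign-in shares a family id; presenting an already-rotated token revokes the whole family.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Access tokens live 10 minutes, inside the 5-15 minute range recommended above.
ACCESS_TTL_SECONDS = 600


@dataclass
class RefreshRecord:
    family: str         # every token descending from one sign-in shares a family id
    subject: str
    used: bool = False  # set once this token has been exchanged (rotated)


class TokenService:
    """Constructed in-memory issuer; a real one persists records and signs access tokens."""

    def __init__(self) -> None:
        self.refresh: Dict[str, RefreshRecord] = {}
        self.revoked_families: Set[str] = set()

    def login(self, subject: str) -> Tuple[str, str]:
        """Interactive sign-in starts a new token family."""
        family = secrets.token_hex(8)
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = RefreshRecord(family=family, subject=subject)
        return self._access_token(subject), rt

    def rotate(self, presented_rt: str) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for (access, new_refresh); None means refused."""
        rec = self.refresh.get(presented_rt)
        if rec is None or rec.family in self.revoked_families:
            return None
        if rec.used:
            # Reuse detected: this token was already rotated, so a second copy exists
            # (the legitimate client's stale copy or a stolen one). Revoke the whole
            # family; the user must sign in again and the holder of the copy gets nothing.
            self.revoked_families.add(rec.family)
            return None
        rec.used = True
        new_rt = secrets.token_urlsafe(32)
        self.refresh[new_rt] = RefreshRecord(family=rec.family, subject=rec.subject)
        return self._access_token(rec.subject), new_rt

    @staticmethod
    def _access_token(subject: str) -> str:
        # Opaque stand-in carrying subject and expiry; a real issuer would sign it.
        return f"{subject}.{int(time.time()) + ACCESS_TTL_SECONDS}.{secrets.token_hex(4)}"
```
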

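
The idempotent SCIM endpoint keyed on externalId recommended under "SCIM endpoint replay", as an added example (not the report's own code). It assumes a constructed in-memory `/Users` handler (`ScimUsers`, a hypothetical name) and shows why a replayed create neither duplicates an account nor reverses a deactivation, while keeping the audit trail the text also asks for.

```python
import uuid
from typing import Dict, List, Optional, Tuple


class ScimUsers:
    """Constructed in-memory /Users endpoint; a real one fronts the directory."""

    def __init__(self) -> None:
        self.by_id: Dict[str, dict] = {}
        self.by_external: Dict[str, str] = {}         # externalId -> internal SCIM id
        self.audit: List[Tuple[str, str, int]] = []   # (operation, key, HTTP status)

    def post_user(self, body: dict) -> Tuple[int, dict]:
        """POST /Users, keyed on the identity provider's externalId.

        A second POST carrying an externalId already held returns the existing
        resource unchanged (HTTP 200) instead of minting a second account, so a
        replayed create can neither duplicate a user nor re-activate one that was
        deactivated after the original create. Attribute changes arrive via PATCH.
        """
        ext = body.get("externalId")
        if ext is not None and ext in self.by_external:
            existing = self.by_id[self.by_external[ext]]
            self.audit.append(("POST-replay", ext, 200))
            return 200, existing
        user = {
            "id": str(uuid.uuid4()),
            "externalId": ext,
            "userName": body["userName"],
            "active": bool(body.get("active", True)),
        }
        self.by_id[user["id"]] = user
        if ext is not None:
            self.by_external[ext] = user["id"]
        self.audit.append(("POST", ext or user["userName"], 201))
        return 201, user

    def patch_active(self, user_id: str, active: bool) -> Tuple[int, Optional[dict]]:
        """PATCH /Users/{id} replacing 'active'. Repeating the same PATCH converges
        on the same state, so a replayed deprovision is harmless."""
        user = self.by_id.get(user_id)
        if user is None:
            self.audit.append(("PATCH", user_id, 404))
            return 404, None
        user["active"] = active
        self.audit.append(("PATCH", user_id, 200))
        return 200, user
```
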
15 representative incidents (full 124 in the published report)

| Victim | Date | Pattern | Initial vector | Scope |
|---|---|---|---|---|
| Snowflake customers | 2024-05-30 | credential-stuffing | Credential stuffing against single-factor accounts | 165+ Snowflake customer tenants compromised; downstream breaches at AT&T, Ticketmaster, Santander, others |
| Change Healthcare | 2024-02-21 | credential-stuffing | Compromised credentials + no MFA on Citrix portal | 100M+ Americans' health data exfiltrated; $2B+ remediation cost |
| MGM Resorts | 2023-09-10 | helpdesk-social-engineering | Helpdesk social engineering | ~$100M operational + recovery costs; nationwide casino IT outage |
| Okta support | 2023-10-19 | oauth-token-theft | Stolen support session token via stored credential in personal Google account | ~134 Okta customer support cases accessed; downstream investigations at Cloudflare, BeyondTrust, 1Password |
| Mailchimp | 2023-01-11 | helpdesk-social-engineering | Social engineering of employees for credentials | 133 customer accounts accessed via internal admin tool |
| Microsoft corporate | 2024-01-19 | oauth-consent-phishing | Password spray on legacy non-MFA test tenant; lateral movement via OAuth consent | Microsoft executive email; SVR attribution |
| Cisco | 2022-05-24 | mfa-bombing | Compromised personal Google account + MFA fatigue + voice phishing | VPN access; lateral movement; ransomware exfiltration |
| Uber | 2022-09-15 | mfa-bombing | Contractor credential phished + MFA fatigue | Internal Slack, AWS, Google Workspace, OneLogin admin |
| LastPass | 2022-12-22 | service-account-abuse | Compromised DevOps engineer home computer; access to cloud backup | Customer encrypted vault backups exfiltrated |
| SEC X (Twitter) account | 2024-01-09 | sim-swap | SIM swap on phone associated with X account | Unauthorized ETF approval announcement; market volatility |
| Twilio | 2022-08-04 | credential-stuffing | SMS phishing of employees | 209 customer accounts accessed; downstream Signal accounts affected |
| Rackspace Hosted Exchange | 2022-12-02 | credential-stuffing | CVE-2022-41080 + CVE-2022-41082 (ProxyNotShell) post-credential exploit | Hosted Exchange service shutdown; ~30,000 customers affected |
| Optus Australia | 2022-09-22 | service-account-abuse | Unauthenticated API endpoint exposing customer records | ~9.8M customer records; mandatory ID re-issuance for affected |
| Medibank Australia | 2022-10-13 | service-account-abuse | Stolen credential of high-privilege account without MFA | ~9.7M customer records exfiltrated and published |
| CDK Global | 2024-06-19 | credential-stuffing | Compromised admin credentials; ransomware | Auto-dealership operations across North America halted; ~3 weeks recovery |

Citation

askmeidentity Practice. (2026). IAM Incident Patterns 2026. Available at https://askmeidentity.com/research/iam-incident-patterns-2026/

Full report + 124-incident dataset publishes 2026-11-15. Annual research cadence.

Last reviewed: 2026-05-26