
The Conduent Ripple Effect: Why a 25-Million-Identity Breach is the Ultimate Supply Chain Wake-Up Call

In the world of cybersecurity, there are “loud” companies, the ones whose logos you see on every corner, and then there are the “backbone” companies. These are the giants that hum quietly in the background, processing healthcare claims, managing highway tolls, and cutting child support checks. Conduent is a titan of the latter category.

But as the dust settles in early 2026, Conduent is no longer quiet. It is currently at the center of what is being called the largest healthcare and government data breach in U.S. history. For those of us at Constella, this isn’t just another headline; it’s a masterclass in why identity risk is the new perimeter.

The Anatomy of an 8.5-Terabyte Heist

The details that have surfaced over the last year are staggering. What began as a “limited incident” detected on January 13, 2025, has ballooned into a national crisis. We now know that the SafePay ransomware group didn’t just knock on the door; they lived in the house for nearly three months, from October 21, 2024, until discovery.

During that period, they didn’t just encrypt files; they vacuumed up over 8.5 terabytes of sensitive data. We’re talking about the “Holy Grail” of Personally Identifiable Information (PII):

  • Full Names and Physical Addresses
  • Social Security Numbers (SSNs)
  • Detailed Medical Histories and Diagnosis Codes
  • Health Insurance Claim Amounts

The scale? Over 25 million individuals across nearly every state. In Texas alone, Attorney General Ken Paxton’s February 2026 investigation revealed that 15.4 million residents, roughly half the state’s population, were caught in the dragnet.

Why the “Supply Chain” Label Doesn’t Do It Justice

When we talk about supply chain attacks, we often think of software. But the Conduent breach highlights a different, more personal vulnerability: the Business Associate risk. Conduent acts as a third-party processor for Fortune 100 companies and state governments. This means millions of victims had never even heard of Conduent until they received a breach notification. They were impacted because their insurance provider (like Blue Cross Blue Shield) or their state’s Medicaid office relied on Conduent’s back-office infrastructure.

The Constella Insight: In the modern digital ecosystem, you are only as secure as the quietest vendor in your stack. When 25 million identities are stolen from a single source, the downstream risk of account takeover (ATO) and targeted spear-phishing becomes an exponential problem that lasts for years.

The “Identity Density Gap”: 2026’s Greatest Threat

At Constella, our 2026 Identity Breach Report highlights a terrifying trend we call the Identity Density Gap. While the number of unique people on the planet is finite, the amount of data associated with each person is exploding.

The Conduent breach didn’t just leak “new” people; it added high-fidelity layers (medical records, SSNs, claim dates) to existing profiles already circulating on the dark web. Attackers are now using Agentic AI to correlate these attributes at machine speed.

When a hacker combines a leaked password from 2022 with a medical diagnosis from the 2025 Conduent breach, they aren’t just a “hacker” anymore; they are an impersonator with a script so convincing it can bypass even the most skeptical employee. This “industrialization of identity” is why traditional defenses are failing.

Why “Free Credit Monitoring” is a Relic of the Past

Conduent has already spent roughly $25 million on breach response, much of it going toward notification letters and credit monitoring services. While this is a standard legal requirement, let’s be candid: credit monitoring is like giving someone a smoke detector after their house has already burned down.

When medical records are combined with SSNs, threat actors aren’t just looking to open a new credit card. They are targeting:

  1. Precision Phishing: Using known medical provider names and claim amounts to craft “urgent” emails that are virtually indistinguishable from legitimate insurance correspondence.
  2. Medical Fraud: Filing false claims that can permanently corrupt a victim’s actual medical history, potentially leading to life-threatening errors in future treatment.
  3. Credential Stuffing: Since 68% of breached credentials now arrive in plaintext (due to the “Infostealer Pandemic”), the risk of immediate, automated Account Takeover (ATO) has never been higher.

Shifting to an Identity Risk Posture (IRP)

The Conduent incident is a systemic warning. To survive in 2026, organizations must move away from event-based monitoring and toward a proactive Identity Risk Posture (IRP). This means:

  • Continuous Exposure Monitoring: Don’t wait for a vendor to send a notification a year later. You need real-time visibility into the Deep and Dark Web to see when your employees’ or customers’ credentials appear in a leak.
  • Operationalizing Identity Resolution: Use intelligence to map the relationships between your employees and the third-party ecosystem. If a vendor is breached, you should know exactly which of your users are most at risk within hours, not months.
  • Hardening the Human Perimeter: With 8.5TB of PII in the wild, social engineering is now automated. Defensive strategies must include monitoring the digital footprints of high-value targets (executives and admins) who are the primary targets of these synthesized profiles.
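One way to make the vendor-breach triage described above concrete, as an added example (not Constella's code or scoring model): it ranks the users a breached vendor holds by how the newly leaked attributes combine with what was already exposed. The vendor names, users, weights and attribute combinations are all constructed assumptions.

```python
# Assumed sensitivity weights per attribute type (illustrative, not from the report).
WEIGHTS = {"email": 1, "address": 2, "password": 4, "ssn": 5, "medical": 5}
# Assumed attribute pairs that make impersonation easier when held together.
COMBOS = [({"password", "medical"}, 5), ({"ssn", "address"}, 3)]

# Constructed inventory: which vendor holds which attributes for which user.
VENDOR_DATA = {
    "claims-processor": {
        "alice": {"ssn", "address", "medical"},
        "bob": {"address"},
    },
    "payroll-saas": {"carol": {"ssn", "email"}},
}
# Constructed prior exposure: attributes already circulating from earlier leaks.
PRIOR_EXPOSURE = {"alice": {"email", "password"}, "bob": {"email"}}

def density_score(attrs):
    """Sum attribute weights, plus a bonus for each dangerous combination present."""
    score = sum(WEIGHTS.get(a, 1) for a in attrs)
    score += sum(bonus for combo, bonus in COMBOS if combo <= attrs)
    return score

def triage_vendor_breach(vendor, vendor_data=VENDOR_DATA, prior=PRIOR_EXPOSURE):
    """Rank users held by a breached vendor by their combined exposure."""
    ranked = []
    for user, leaked in vendor_data.get(vendor, {}).items():
        before = prior.get(user, set())
        combined = before | leaked
        ranked.append({
            "user": user,
            "newly_exposed": sorted(leaked - before),
            "score": density_score(combined),
            "increase": density_score(combined) - density_score(before),
        })
    # Highest combined exposure first: these users get resets and outreach first.
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in triage_vendor_breach("claims-processor"):
        print(row)
```

The user with an older password leak ranks far above the user who only lost an address, because the score reflects the combined profile rather than the single breach.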

The Bottom Line

The Texas AG’s probe, launched in February 2026, is a reminder that the regulatory fallout is only beginning. For Conduent, the $25 million in costs is just the tip of the iceberg when you factor in the dozens of class-action lawsuits currently moving through federal courts.

Data is a liability, and identity is the target. The only way to stay safe is to see what the attackers see, before they use it against you.

Top 5 Learnings from the 2026 Identity Breach Report

The 2026 Identity Breach Report marks a definitive shift in the cyber threat landscape, transitioning from simple data collection to what can only be described as the Industrialization of Identity. As adversaries adopt machine-scale automation, they are no longer just “leaking” data—they are running high-velocity pipelines designed to weaponize human identities at an unprecedented scale.

This report, based on the analysis of over 1 trillion identity attributes and billions of records, serves as a wake-up call for security leaders. Below is a summary of the most critical findings and the strategic shifts necessary to defend against this new era of industrialized attacks.

1. The Identity Density Gap: Weaponizing Enrichment

The most telling discovery of 2025 is the widening “Identity Density Gap”. While unique identifiers in our data lake grew by only 11%, the total volume of records surged by 135%.

What this means: Attackers are not simply finding new victims; they are building richer, more “attackable” profiles of existing ones. Every new breach is synthesized to add layers of density, correlating an average of 429 billion attributes like home addresses, phone numbers, and professional hierarchies. This high-fidelity identity resolution allows for surgically precise, autonomous impersonation across multiple channels, including WhatsApp, LinkedIn, and corporate email.

2. The Plaintext Crisis: A Shift in Adversarial Tradecraft

Perhaps the most alarming statistic is the 261% year-over-year increase in plaintext credentials. Today, 68.89% of all breached passwords arrive in clear-text.

It is a common misconception that this represents a regression in organizational hygiene. Instead, it reflects an industrialization of the adversarial pipeline:

  • Infostealer Exfiltration: Modern malware “scrapes” passwords directly from browser memory before they are hashed, rendering server-side security moot.
  • High-Velocity Cracking Farms: Massive GPU-optimized clusters are now being used to “strip” legacy hashes from historical datasets at scale, converting billions of hashed records into actionable plaintext weapon libraries.

With only 5.26% of credentials remaining properly hashed, the risk of immediate, automated Account Takeover (ATO) has reached its highest point in a decade.

3. Strategic Consolidation: The Rise of Delta Compilations

A curious trend emerged in the 2025 data: the number of “Combo Breaches” (massive, mixed-source leaks) actually decreased by 66%. However, this is not a sign of slowing activity.

Adversaries are moving away from fragmented, low-quality datasets in favor of Delta Compilations. These are high-density, synthesized libraries that focus specifically on newly exposed attributes, allowing attackers to operationalize “fresh” data at machine speed without the noise of deduplicated records.

4. The Top 10 High-Velocity Exposure Events

The report identifies the 10 largest global identity exposure events of 2025, which together fuel the automated credential-stuffing engines of 2026.

  • songguo7.com (Transportation): 87.7M Records
  • AT&T (Telecommunications): 86M Records
  • xuexi.cn (Education): 85.2M Records
  • UnitedHealth (Healthcare): 72M Records
  • PowerSchool (Education/Tech): 62M Records

Notably, the Public and Education sectors saw a 569% increase in breach volume. These platforms are “identity goldmines” because they often link personal information—such as home addresses and phone numbers—directly to high-value corporate and government email addresses.

5. The “Infostealer Pandemic” and MFA Bypass

Infostealers have become the primary engine of modern identity theft. In 2025, Constella processed 51.7 million packages (+72% YoY), identifying 24.8 million unique infected devices.

The real danger lies in session cookies. Infostealer logs often include active cookies that allow adversaries to perform session hijacking. By cloning a user’s active login state, an attacker can bypass Multi-Factor Authentication (MFA) entirely and inherit “trusted device” status, making detection nearly impossible for legacy security tools.

The CISO Roadmap: Transitioning to Identity Risk Posture (IRP)

Traditional, perimeter-based security is no longer sufficient when an adversary knows your leadership team better than your own HR systems do. Organizations must shift from event-based monitoring to a proactive Identity Risk Posture (IRP).

Key Recommendations for 2026:

  1. Continuous Surface Monitoring: Move from periodic audits to real-time surveillance of the surface, deep, and dark web to detect exposure as it happens.
  2. Executive Digital Footprint Protection: High-value targets are often attacked via personal channels. Secure the “whole identity,” not just the corporate login.
  3. Session-Level Vigilance: Implement controls that monitor behavior inside an active session to detect hijacked cookies and anomalous activity.
  4. Operationalize Identity Resolution: Use your own intelligence to map relationships between employee identities and potential exposure points across the third-party ecosystem.
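The session-hijacking risk from stolen cookies and the "Session-Level Vigilance" recommendation can be illustrated with a small detector, added here as an example (not from the report or any Constella product). It flags a session cookie used by two different client fingerprints within a short window; the event format, the /24 plus User-Agent fingerprint and the 10-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample events: (timestamp, session_id, user, source_ip, user_agent)
EVENTS = [
    ("2026-03-02T09:00:05", "s-1001", "alice", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Chrome/133"),
    ("2026-03-02T09:04:11", "s-1001", "alice", "198.51.100.40", "Mozilla/5.0 (Windows NT 10.0) Chrome/133"),
    ("2026-03-02T09:06:30", "s-1001", "alice", "203.0.113.77", "Mozilla/5.0 (X11; Linux x86_64) Chrome/120"),
    ("2026-03-02T09:07:02", "s-1001", "alice", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Chrome/133"),
    ("2026-03-02T10:00:00", "s-2002", "bob", "192.0.2.10", "Mozilla/5.0 (Macintosh) Safari/17"),
    ("2026-03-02T13:30:00", "s-2002", "bob", "203.0.113.5", "Mozilla/5.0 (Macintosh) Safari/17"),
]

def fingerprint(ip, user_agent):
    """Coarse client identity: /24 network plus exact User-Agent string."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return (str(net), user_agent)

def detect_shared_sessions(events, window_seconds=600):
    """Flag sessions whose cookie is used by two different fingerprints
    within window_seconds of each other (concurrent use, not roaming)."""
    last_seen = defaultdict(dict)  # session_id -> {fingerprint: last timestamp}
    alerts = []
    for ts, sid, user, ip, ua in sorted(events):
        now = datetime.fromisoformat(ts)
        fp = fingerprint(ip, ua)
        for other_fp, seen_at in last_seen[sid].items():
            if other_fp != fp and (now - seen_at).total_seconds() <= window_seconds:
                alerts.append({"session": sid, "user": user, "time": ts,
                               "new": fp, "recent": other_fp})
                break
        last_seen[sid][fp] = now
    return alerts

if __name__ == "__main__":
    for alert in detect_shared_sessions(EVENTS):
        print(alert)
```

The second session changes network hours later and is not flagged, while the first alternates between two clients within seconds. A typical response to an alert is to revoke the session and require re-authentication.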

The 2026 Identity Breach Report proves that when threats move at machine speed, our defenses must be equally industrialized. The question is no longer if an identity is compromised, but how quickly you can neutralize the exposure.
