In the world of cybersecurity, there are “loud” companies, the ones whose logos you see on every corner, and then there are the “backbone” companies. These are the giants that hum quietly in the background, processing healthcare claims, managing highway tolls, and cutting child support checks. Conduent is a titan of the latter category.

But as the dust settles in early 2026, Conduent is no longer quiet. It is currently at the center of what is being called the largest healthcare and government data breach in U.S. history. For those of us at Constella, this isn’t just another headline; it’s a masterclass in why identity risk is the new perimeter.

The Anatomy of an 8.5-Terabyte Heist

The details that have surfaced over the last year are staggering. What began as a “limited incident” detected on January 13, 2025, has ballooned into a national crisis. We now know that the SafePay ransomware group didn’t just knock on the door; they lived in the house for nearly three months, from October 21, 2024, until discovery.

During that period, they didn’t just encrypt files; they vacuumed up over 8.5 terabytes of sensitive data. We’re talking about the “Holy Grail” of Personally Identifiable Information (PII):

• Full Names and Physical Addresses
• Social Security Numbers (SSNs)
• Detailed Medical Histories and Diagnosis Codes
• Health Insurance Claim Amounts

The scale? Over 25 million individuals across nearly every state. In Texas alone, Attorney General Ken Paxton’s February 2026 investigation revealed that 15.4 million residents, roughly half the state’s population, were caught in the dragnet.

Why the “Supply Chain” Label Doesn’t Do It Justice

When we talk about supply chain attacks, we often think of software. But the Conduent breach highlights a different, more personal vulnerability: the Business Associate risk. Conduent acts as a third-party processor for Fortune 100 companies and state governments. This means millions of victims had never even heard of Conduent until they received a breach notification. They were impacted because their insurance provider (like Blue Cross Blue Shield) or their state’s Medicaid office relied on Conduent’s back-office infrastructure.

The Constella Insight: In the modern digital ecosystem, you are only as secure as the quietest vendor in your stack. When 25 million identities are stolen from a single source, the downstream risk of account takeover (ATO) and targeted spear-phishing becomes an exponential problem that lasts for years.

The “Identity Density Gap”: 2026’s Greatest Threat

At Constella, our 2026 Identity Breach Report  highlights a terrifying trend we call the Identity Density Gap. While the number of unique people on the planet is finite, the amount of data associated with each person is exploding.

The Conduent breach didn’t just leak “new” people; it added high-fidelity layers (medical records, SSNs, claim dates) to existing profiles already circulating on the dark web. Attackers are now using Agentic AI to correlate these attributes at machine speed.

When a hacker combines a leaked password from 2022 with a medical diagnosis from the 2025 Conduent breach, they aren’t just a “hacker” anymore, they are an impersonator with a script so convincing it can bypass even the most skeptical employee. This “industrialization of identity” is why traditional defenses are failing.

Why “Free Credit Monitoring” is a Relic of the Past

Conduent has already spent roughly $25 million on breach response, much of it going toward notification letters and credit monitoring services. While this is a standard legal requirement, let’s be candid: credit monitoring is like giving someone a smoke detector after their house has already burned down.

When medical records are combined with SSNs, threat actors aren’t just looking to open a new credit card. They are targeting:

1. Precision Phishing: Using known medical provider names and claim amounts to craft “urgent” emails that are virtually indistinguishable from legitimate insurance correspondence.
2. Medical Fraud: Filing false claims that can permanently corrupt a victim’s actual medical history, potentially leading to life-threatening errors in future treatment.
3. Credential Stuffing: Since 68% of breached credentials now arrive in plaintext (due to the “Infostealer Pandemic”), the risk of immediate, automated Account Takeover (ATO) has never been higher.

Shifting to an Identity Risk Posture (IRP)

The Conduent incident is a systemic warning. To survive in 2026, organizations must move away from event-based monitoring and toward a proactive Identity Risk Posture (IRP). This means:

• Continuous Exposure Monitoring: Don’t wait for a vendor to send a notification a year later. You need real-time visibility into the Deep and Dark Web to see when your employees’ or customers’ credentials appear in a leak.
• Operationalizing Identity Resolution: Use intelligence to map the relationships between your employees and the third-party ecosystem. If a vendor is breached, you should know exactly which of your users are most at risk within hours, not months.
• Hardening the Human Perimeter: With 8.5TB of PII in the wild, social engineering is now automated. Defensive strategies must include monitoring the digital footprints of high-value targets (executives and admins) who are the primary targets of these synthesized profiles.

The Bottom Line

The Texas AG’s probe, launched in February 2026, is a reminder that the regulatory fallout is only beginning. For Conduent, the $25 million in costs is just the tip of the iceberg when you factor in the dozens of class-action lawsuits currently moving through federal courts.

Data is a liability, and identity is the target. The only way to stay safe is to see what the attackers see, before they use it against you.

The 2026 Identity Breach Report marks a definitive shift in the cyber threat landscape, transitioning from simple data collection to what can only be described as the Industrialization of Identity. As adversaries adopt machine-scale automation, they are no longer just “leaking” data—they are running high-velocity pipelines designed to weaponize human identities at an unprecedented scale.

This report, based on the analysis of over 1 trillion identity attributes and billions of records, serves as a wake-up call for security leaders. Below is a summary of the most critical findings and the strategic shifts necessary to defend against this new era of industrialized attacks.

1. The Identity Density Gap: Weaponizing Enrichment

The most telling discovery of 2025 is the widening “Identity Density Gap”. While unique identifiers in our data lake grew by only 11%, the total volume of records surged by 135%.

What this means: Attackers are not simply finding new victims; they are building richer, more “attackable” profiles of existing ones. Every new breach is synthesized to add layers of density—correlating an average of 429 billion attributeslike home addresses, phone numbers, and professional hierarchies. This high-fidelity identity resolution allows for surgically precise, autonomous impersonation across multiple channels, including WhatsApp, LinkedIn, and corporate email.

2. The Plaintext Crisis: A Shift in Adversarial Tradecraft

Perhaps the most alarming statistic is the 261% year-over-year increase in plaintext credentials. Today, 68.89% of all breached passwords arrive in clear-text.

It is a common misconception that this represents a regression in organizational hygiene. Instead, it reflects an industrialization of the adversarial pipeline:

• Infostealer Exfiltration: Modern malware “scrapes” passwords directly from browser memory before they are hashed, rendering server-side security moot.
• High-Velocity Cracking Farms: Massive GPU-optimized clusters are now being used to “strip” legacy hashes from historical datasets at scale, converting billions of encrypted records into actionable plaintext weapon libraries.

With only 5.26% of credentials remaining properly hashed, the risk of immediate, automated Account Takeover (ATO) has reached its highest point in a decade.

3. Strategic Consolidation: The Rise of Delta Compilations

A curious trend emerged in the 2025 data: the number of “Combo Breaches” (massive, mixed-source leaks) actually decreased by 66%. However, this is not a sign of slowing activity.

Adversaries are moving away from fragmented, low-quality datasets in favor of Delta Compilations. These are high-density, synthesized libraries that focus specifically on newly exposed attributes, allowing attackers to operationalize “fresh” data at machine speed without the noise of deduplicated records.

4. The Top 10 High-Velocity Exposure Events

The report identifies the 10 largest global identity exposure events of 2025, which together fuel the automated credential-stuffing engines of 2026.

• songguo7.com (Transportation): 87.7M Records
• AT&T (Telecommunications): 86M Records
• xuexi.cn (Education): 85.2M Records
• UnitedHealth (Healthcare): 72M Records
• PowerSchool (Education/Tech): 62M Records

Notably, the Public and Education sectors saw a 569% increase in breach volume. These platforms are “identity goldmines” because they often link personal information—such as home addresses and phone numbers—directly to high-value corporate and government email addresses.

5. The “Infostealer Pandemic” and MFA Bypass

Infostealers have become the primary engine of modern identity theft. In 2025, Constella processed 51.7 million packages (+72% YoY), identifying 24.8 million unique infected devices.

The real danger lies in session cookies. Infostealer logs often include active cookies that allow adversaries to perform session hijacking. By cloning a user’s active login state, an attacker can bypass Multi-Factor Authentication (MFA) entirely and inherit “trusted device” status, making detection nearly impossible for legacy security tools.

The CISO Roadmap: Transitioning to Identity Risk Posture (IRP)

Traditional, perimeter-based security is no longer sufficient when an adversary knows your leadership team better than your own HR systems do. Organizations must shift from event-based monitoring to a proactive Identity Risk Posture (IRP).

Key Recommendations for 2026:

1. Continuous Surface Monitoring: Move from periodic audits to real-time surveillance of the surface, deep, and dark web to detect exposure as it happens.
2. Executive Digital Footprint Protection: High-value targets are often attacked via personal channels. Secure the “whole identity,” not just the corporate login.
3. Session-Level Vigilance: Implement controls that monitor behavior inside an active session to detect hijacked cookies and anomalous activity.
4. Operationalize Identity Resolution: Use your own intelligence to map relationships between employee identities and potential exposure points across the third-party ecosystem.

The 2026 Identity Breach Report proves that when threats move at machine speed, our defenses must be equally industrialized. The question is no longer if an identity is compromised, but how quickly you can neutralize the exposure.

Download the Full Report | Register for the Webinar

Identity risk scoring has become a critical input for fraud prevention, security operations, and trust decisions. Organizations increasingly rely on risk scores to decide when to step up authentication, block access, or flag activity for investigation.

But despite widespread adoption, many identity risk programs struggle with the same problem:

Risk scores are generated, but teams don’t trust them.

At the center of this trust gap is attribution. Without defensible attribution, identity risk scoring becomes opaque, inconsistent, and difficult to act on. This post explains why attribution is the foundation of effective identity risk intelligence and what changes when attribution is done right.

What Identity Risk Scoring Is Supposed to Do

At its core, identity risk scoring aims to answer a simple question:

How risky is this identity right now?

That score may inform:

• Fraud controls and transaction decisions
• Account takeover prevention
• Access management and step-up authentication
• Investigative prioritization

When risk scores are reliable, they allow teams to automate decisions with confidence. When they aren’t, teams revert to manual review or ignore the score entirely.

Where Identity Risk Scoring Breaks Down

Many identity risk systems rely on limited or shallow attribution models. Common weaknesses include:

• Single-identifier matching (email-only, device-only, or IP-only)
• Static scoring models that don’t adapt to new intelligence
• Limited visibility into why a score changed
• No confidence indicator attached to the score

The result is a number without context. Teams see a risk score, but can’t explain:

• Which data points contributed to it
• Whether the identity linkage is accurate
• How confident the system is in its assessment

This creates friction across fraud, security, and operations teams.

What “Defensible Attribution” Actually Means

Defensible attribution goes beyond linking data points, it establishes confidence in identity resolution.

A defensible attribution model includes:

• Resolution across multiple identifiers (emails, usernames, credentials, devices)
• Continuous updating as new intelligence appears
• Transparency into how identities are linked
• Confidence scoring that reflects attribution strength

In practical terms, defensible attribution allows teams to say:

“This risk score is high because these verified identifiers resolve to the same entity.”

This is the difference between a score that exists and a score that drives action.

Why Attribution Is the Foundation of Identity Risk Intelligence

Identity risk intelligence is not just about detecting anomalies, it’s about understanding who is behind activity.

Without attribution:

• Risk scores drift over time
• False positives increase
• Legitimate users are penalized
• High-risk actors blend into the background

With strong attribution:

• Risk accumulates correctly across identities
• Exposure events enrich the same entity profile
• Teams gain a longitudinal view of identity behavior

This is where identity risk scoring transitions from tactical control to strategic intelligence.

Learn how Constella builds identity context across fragmented data.

How Verified Breach Data Strengthens Attribution

One of the most common attribution gaps occurs when exposed credentials or PII cannot be confidently tied to an identity.

Verified breach data helps close that gap by:

• Confirming the authenticity of exposed identifiers
• Providing temporal context around exposure events
• Reducing noise from recycled or fabricated breach data

When breach intelligence is verified and fused into identity profiles, risk scoring becomes more accurate and more explainable.

This connection between breach intelligence and attribution is critical for fraud and security teams alike.

The Operational Impact of Defensible Attribution

Fraud Operations

Fraud teams rely on identity risk scores to:

• Trigger step-up authentication
• Block transactions
• Prioritize manual reviews

When attribution is weak, fraud controls become overly aggressive or ineffective. Defensible attribution ensures risk follows the correct entity not isolated signals.

Security and Trust Teams

Security teams need to explain decisions internally and externally. Defensible attribution provides:

• Auditability
• Confidence in automated controls
• Stronger reporting to leadership

Risk decisions backed by clear attribution are easier to defend and refine.

Why Explainability Matters for Risk Scores

Explainability is what buyers are looking for.

Teams increasingly ask:

• “Why was this identity flagged?”
• “What changed since last week?”
• “How confident is this assessment?”

Risk scores without explainability slow investigations and erode trust. Attribution provides the narrative behind the number.

Moving from Risk Scores to Risk Decisions

The goal of identity risk scoring is not to produce numbers, it’s to support decisions.

Defensible attribution enables:

• Automated decisions with confidence
• Clear escalation paths
• Faster investigations
• Reduced friction for legitimate users

Without attribution, risk scoring remains a theoretical capability. With it, identity risk intelligence becomes operationally useful.

Frequently Asked Questions About Identity Risk Scoring

What is identity risk scoring?

Identity risk scoring assigns a dynamic risk level to an identity based on behavioral signals, exposure data, and contextual intelligence. It is used to inform fraud prevention, access controls, and investigative prioritization.

Why do identity risk scores produce false positives?

False positives occur when attribution is weak or based on limited identifiers. Without resolving signals to a real entity, risk may be incorrectly assigned to legitimate users or spread across unrelated identities.

What is defensible attribution in identity intelligence?

Defensible attribution is the ability to link identifiers to a real entity with measurable confidence. It includes entity resolution, transparent linkage logic, and confidence scoring that supports explainability.

How does breach data impact identity risk scores?

Exposed credentials and PII often increase identity risk. When breach data is verified and accurately attributed, it strengthens risk scores by tying exposure to the correct entity rather than generating isolated alerts.

Who uses identity risk scoring?

Identity risk scoring is used by fraud teams, security operations, trust and safety teams, and investigators who need to assess identity-based risk quickly and consistently.

Can identity risk scores be explained to auditors or executives?

Only if attribution is defensible. Explainable risk scores require clear visibility into contributing signals, confidence levels, and identity linkage—especially for audits or executive reporting.

How does Constella support identity risk intelligence?

Constella combines verified breach data, entity resolution, and attribution confidence to deliver identity risk intelligence teams can trust and explain.

Two similar terms — completely different outcomes

Security teams often hear “entity resolution” and “identity verification” used as if they mean the same thing.

They don’t — and that confusion can lead teams to invest in tools that solve the wrong problem.

A simple way to separate them:

• Identity verification answers: Is this person real and who they claim to be?
• Entity resolution answers: Do these identity fragments belong to the same person/entity?

Verification is a checkpoint.
Entity resolution is a connective layer.

And in modern identity-first breach paths, security teams need the connective layer more often than they think.

Constella’s perspective aligns with this: identity intelligence is about correlating exposure signals into actionable risk insight — not just verifying identities at the moment of transaction.

What identity verification is designed to do

Identity verification is built for transactional trust.

It typically includes:

• document verification
• biometrics/selfie checks
• KYC workflows
• proof of address
• real-time onboarding validation

It’s highly useful when:
• the user is present
• the moment matters (account opening, transaction)
• the goal is “prove this identity is real”

But it’s not designed to answer a different class of questions security teams face daily.

What identity verification does not solve for security

Verification does not tell you:

• whether credentials tied to this identity are exposed
• whether the identity appears repeatedly across breach assets
• whether the identity is linked to a risk cluster
• whether the identity is being traded or reused
• whether exposure signals suggest imminent account takeover risk

Identity verification can confirm legitimacy in the moment — but it can’t reveal the broader identity risk landscape.

Constella’s 2025 Identity Breach Report shows how exposure and credential theft continue scaling — which makes risk correlation and prioritization increasingly important for enterprises.

What entity resolution is — and why security relies on it

Entity resolution is about stitching identity fragments into one entity profile.

It connects:

• emails
• usernames
• phones
• name variants
• addresses
• social handles
• breach artifacts
• OSINT identifiers

Entity resolution answers questions like:

• Are these accounts linked to the same identity?
• Is this breach exposure tied to the same user across multiple services?
• Do these fragments form a coherent identity graph?
• Are we looking at one actor or multiple personas?

This is foundational for:
• investigations
• breach intelligence enrichment
• exposure monitoring
• identity risk scoring
• reducing false positives in identity-based alerts

Why security teams often need entity resolution more than verification

Most security risks aren’t “is this person real?”
They’re “how risky is this identity based on exposure, reuse, and linkage?”

This is why identity risk is now the front door to breaches: attackers increasingly rely on exposed credentials and identity fragments rather than technical exploits.

Entity resolution helps teams:

• unify identity fragments into higher-confidence profiles
• detect clusters tied to suspicious reuse
• triage exposure signals by credibility and relevance
• accelerate investigations and response actions

The missing layer: Identity Risk Intelligence

Entity resolution becomes even more valuable when paired with identity exposure intelligence — creating what Constella defines as identity risk intelligence.

Identity risk intelligence means:

• collecting exposure signals
• validating identity artifacts
• resolving identity fragments across sources
• scoring risk based on reuse + recency + linkage
• prioritizing action

It’s not just “who is this.”
It’s “what risk does this identity represent right now?”

For teams using OSINT and investigations workflows, this is where monitoring and investigative tooling converge.

A practical way to decide which you need

Ask one question:

Are we trying to prove identity — or understand identity risk?

Choose identity verification when you need:

• onboarding trust
• transaction legitimacy
• fraud prevention at the point of entry

Choose entity resolution + identity risk intelligence when you need:

• exposure monitoring
• credential reuse prioritization
• identity-based investigations
• threat actor profiling
• alert triage and risk scoring

Takeaway

Identity verification is a moment.
Entity resolution is a system.

Security teams dealing with exposure, credential reuse, investigations, and identity-based threat paths need entity resolution as the foundation — especially as identity risk becomes the primary breach path.

For more on how identity intelligence works operationally, Constella’s investigation tooling provides a clear example of resolution + linkage in action.

FAQs

1) Why do security teams confuse entity resolution with identity verification?

Because both deal with identity — but verification confirms legitimacy at a moment in time, while entity resolution connects identity fragments across datasets.

2) When does entity resolution matter most in security operations?

When teams need to understand exposure, link incidents through identity overlap, triage alerts, or investigate actors using alias and credential reuse.

3) How does entity resolution help reduce investigation time?

It enables faster pivots across identity attributes and highlights high-confidence linkages, reducing manual searching and false leads.

4) What kinds of data make entity resolution more reliable?

Data with recurring identifiers and validated exposure signals — such as verified breach identity assets, infostealer logs, and consistent OSINT identifier reuse.

5) What should security teams do after resolving identity fragments?

Score risk, prioritize response, improve monitoring, and use identity clusters to enrich future investigations and incident correlation.