National Security News

Reporting the facts on national security


Synthetic identities and stolen credentials: Constella Intelligence’s report warns of national security risks

(Source – Constella Intelligence)

By Isabella Egerton

Cyberattacks using stolen and fake identities have become one of the biggest threats facing national security, according to Constella Intelligence’s 2025 Identity Breach Report.

Instead of “hacking into” systems, attackers are increasingly just “logging in” using real or fake credentials. In 2024 alone, more than 219,000 breaches exposed over 107 billion records worldwide, double the level of previous years. IBM’s X-Force team noted that stolen logins and the exploitation of public websites each accounted for about 30 per cent of the ways hackers first gained access last year.

Constella Intelligence, a leading global digital risk protection company that helps organisations safeguard people and their data from cyberattacks, has observed a wave of attacks playing out visibly in the UK and US. In recent weeks, several high-street retailers, including luxury brands Cartier and Watches of Switzerland, reported being hit. Cartier confirmed that “an unauthorised party gained temporary access to our system,” and both brands said customer names and email addresses were stolen — though no payment card data was taken.

Similar attacks have struck other British retailers in a wave that experts say is fuelled by stolen credentials and automated “credential stuffing,” where hackers use stolen passwords to try logging in across many sites.

In the United States, the healthcare sector has been hit particularly hard, with several massive breaches this year exposing sensitive patient data and crippling hospital systems.

Constella’s report highlights some of the biggest breaches of the past two years. The largest ever was the 2023 breach of REWN, a Russian email and online service, which exposed 1.5 billion records. In 2024, two of the largest breaches involved Tencent.com, the Chinese tech giant that owns apps like WeChat (668 million records), and National Public Data, a major US-based public records service (647 million records).

How attackers are succeeding
Breaches are no longer just about breaking in through firewalls. Many succeed because of malware infections: malicious software that secretly “harvests” (steals) saved passwords, tokens, and files from infected computers. This stolen information is then sold in bulk on underground markets.

The report also warns about the rise of synthetic identities — fake but convincing identities created by mixing real and fake information. For example, a hacker might take a real Social Security number (often from a child or deceased person), combine it with a fake name and real address, and create a completely new, fraudulent person.

These synthetic identities are dangerous because they can:
• Open bank accounts, pass background checks, and even get security clearances — operating undetected for years.
• Funnel money to terrorism or hostile states.
• Obscure spies or saboteurs posing as insiders.
• Infiltrate supply chains for defence and critical infrastructure.

Constella analysts have seen thriving underground marketplaces selling “fullz” — complete identity kits (name, SSN, date of birth, address, email) — which fuel these schemes.

National security at a tipping point
Andres Andreu, Chief Operating Officer and Chief Information Security Officer at Constella, warns: “Constella’s Identity Breach Report underscores a critical inflection point for national security. The rise of AI-powered, identity-driven attacks, fuelled by tools like WormGPT and vast breaches of personal data, demands immediate action from governments and critical infrastructure operators.

Synthetic identities and credential reuse are eroding traditional perimeter defences and legacy investments. To counter this, nations must shift from the old models and invest in identity threat intelligence, mandate zero-trust architectures, use decentralised agent-based AI strategically, and establish rapid attribution and response capabilities to pre-empt AI-driven cyber campaigns.”

What can organisations do?
Constella and other experts recommend several steps to respond to these risks:
• Monitor for unusual login patterns and block suspicious activity.
• Use anomaly detection to spot logins from strange locations, devices, or times.
• Strengthen onboarding and vetting processes with document checks, biometrics, and device intelligence.
• Detect and block synthetic identities by using shared databases and real-time fraud detection.
• Enforce multi-factor authentication (MFA) and behavioural analytics.
• Join collective defence initiatives to share intelligence and stay ahead of threats.

The findings paint a stark picture: identity has become the weak link in cybersecurity. Stolen logins and synthetic identities let attackers pose as insiders, infiltrate organisations, and persist unnoticed — sometimes for years.

Governments, contractors, and critical sectors need to adapt quickly by strengthening identity controls, sharing intelligence, and investing in smarter technologies to protect against these growing threats.

For the full Constella 2025 Identity Breach Report, visit: https://constella.ai/2025-identity-breach-report/