TL;DR: A January 2026 leak from BreachForums exposed registered users’ IP addresses, email domains, and login history, and Okta Threat Intelligence found that several of the most frequently observed networks in the leak failed authentication four to five times more often than they succeeded. The pattern reinforces that IP reputation can still inform risk-based access decisions, especially where anonymous networks are overrepresented.
At a glance
What this is: This analysis ties a BreachForums user-data leak to authentication behavior, showing how anonymizing networks and proxy-heavy traffic appear in cybercriminal login activity.
Why it matters: It matters to IAM and NHI practitioners because login policy, adaptive MFA, and network-zone controls can reduce exposure when threat actors reuse infrastructure that is already associated with high-risk access attempts.
By the numbers:
- Tor proxy traffic accounted for 42.7% of the top 10 VPN and proxy services used.
Context
BreachForums user data leaked IP addresses, email domains, and login history, creating a rare window into how cybercriminals try to hide their origin while accessing underground services. For IAM teams, the lesson is not that every anonymous network is malicious, but that access patterns can be evaluated for elevated risk when the same infrastructure repeatedly appears in abuse-heavy environments.
Identity controls often treat IP reputation as a secondary signal, yet this case shows why it still belongs in the access policy conversation. When non-human and human identities alike operate through VPNs, proxies, and anonymizing networks, security teams need a way to distinguish legitimate remote access from behavior that matches attacker tradecraft.
Key questions
Q: How should security teams handle logins from VPNs and proxies?
A: Treat them as risk signals, not automatic proof of malicious intent. Security teams should combine source reputation with device history, session behavior, and user context, then step up authentication when the full picture looks abnormal. That approach reduces false positives while still making anonymity expensive for attackers.
Q: When should organisations block anonymous network traffic at login?
A: Block anonymous network traffic when the access path is high risk, the identity is privileged, or the environment has enough baseline data to know what normal looks like. In mixed-user environments, a risk-based challenge is often safer than a blanket deny because it preserves legitimate remote access while still constraining attacker tradecraft.
Q: What is the difference between IP reputation and identity assurance?
A: IP reputation is a contextual clue about where a request came from, while identity assurance is the confidence that the requester should be trusted. A strong IAM program uses IP reputation to adjust the strength of authentication, but it never treats network origin as a substitute for verified identity or policy enforcement.
Q: Why does anonymous infrastructure matter for NHI governance?
A: Non-human identities often authenticate repeatedly from stable infrastructure, so a sudden shift to anonymous networks can indicate compromise, misuse, or policy drift. Monitoring source networks helps teams spot credential abuse early and keep automated access aligned with the identity’s intended operating pattern.
Technical breakdown
How IP reputation fits into authentication risk scoring
IP reputation is a contextual signal, not an identity by itself. In modern IAM, it is combined with device posture, session history, location, and velocity to decide whether a sign-in is normal or suspicious. The BreachForums data is useful because it clusters access from services that are already heavily used to mask origin, which makes those signals more informative than random internet traffic. The practical question is not whether to block every proxy outright, but when anonymous infrastructure should raise assurance requirements or trigger step-up verification.
Practical implication: Treat IP reputation as one input to adaptive policy, not as a standalone allow or deny rule.
Why anonymizing networks complicate trust decisions
VPNs, Tor, and proxy services are designed to conceal origin, so they reduce defender confidence in geolocation and ASN-based assumptions. That matters when the same infrastructure is used by legitimate privacy-conscious users, fraud actors, and threat researchers. The result is a trust problem rather than a pure detection problem. IAM programs need a policy model that can tolerate ambiguity by adding friction only when the broader signal set suggests elevated risk, instead of assuming that anonymity alone proves malicious intent.
Practical implication: Use network reputation to escalate authentication, not to make irreversible trust judgments on its own.
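The two sections above describe IP reputation as one weighted input to an adaptive policy that escalates to step-up rather than making a binary trust judgment. The following is an added worked example of that scoring model; it is not Okta's or NHIMG's code. The signal weights, thresholds, source-kind labels, and the sample sign-in events (RFC 5737 documentation addresses) are all constructed assumptions for the illustration.

```python
"""Adaptive sign-in risk scoring: IP reputation as one input, not a verdict.

Added illustration, not code from Okta or NHIMG. Weights, thresholds, the
0..100 abuse-score scale and the sample events are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require a stronger factor before granting access
    DENY = "deny"


@dataclass
class SignIn:
    user: str
    ip: str
    source_kind: str               # "residential", "vpn", "proxy", "tor" (assumed labels)
    ip_abuse_score: int            # 0..100 from a reputation feed (assumed scale)
    device_known: bool             # device previously bound to this user
    recent_failures: int           # failed attempts from this source in the last hour
    privileged: bool               # admin / high-value identity
    location_matches_history: bool


# Constructed weights: anonymity nudges the score, it never decides alone.
ANON_SOURCE_WEIGHT = {"residential": 0, "vpn": 15, "proxy": 25, "tor": 35}
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 80


def risk_score(s: SignIn) -> int:
    """Combine source reputation with device, location, velocity and privilege."""
    score = ANON_SOURCE_WEIGHT.get(s.source_kind, 25)  # unknown kinds treated like a proxy
    score += s.ip_abuse_score // 4                     # reputation contributes at most 25
    if not s.device_known:
        score += 20
    if not s.location_matches_history:
        score += 10
    # A failure-heavy source (the 4-5x fail:success ratio in the leak) is a strong signal.
    score += min(s.recent_failures * 5, 25)
    if s.privileged:
        score += 15   # privileged identities get less tolerance for ambiguity
    return min(score, 100)


def decide(s: SignIn) -> Decision:
    """Map the score onto allow / step-up / deny; step-up is the default for ambiguity."""
    score = risk_score(s)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample events: a routine VPN user, the same user on Tor from a
# new location, and an admin identity arriving from an abusive, failure-heavy proxy.
SAMPLES = {
    "remote_worker_vpn": SignIn("alice", "203.0.113.10", "vpn", 0, True, 0, False, True),
    "worker_on_tor_new_location": SignIn("alice", "198.51.100.7", "tor", 20, True, 0, False, False),
    "admin_from_abusive_proxy": SignIn("svc-admin", "192.0.2.44", "proxy", 80, False, 6, True, False),
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(f"{name:30s} score={risk_score(event):3d} -> {decide(event).value}")
```

Note that the VPN alone lands the routine worker well below the step-up line, while the same anonymizing signal combined with a location change pushes the second event into step-up rather than deny. Only the privileged identity with an abusive source, unknown device, and a string of recent failures crosses the deny threshold.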
Why sign-in history matters for non-human identity governance
The leak includes both registration and last-login information, which makes it possible to compare how access patterns evolve over time. That is important for NHI governance because service accounts, tokens, and automated access paths often behave like recurring sessions with stable but poorly observed characteristics. If a workload or automation path suddenly appears from an unfamiliar ASN or through an anonymizing service, the control question becomes whether that identity has drifted out of policy. This is a lifecycle and monitoring problem, not only a perimeter problem.
Practical implication: Baseline expected sign-in patterns for high-risk identities and alert when those patterns change materially.
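As an added example of the baselining described above (not Okta's or NHIMG's code), the block below builds a per-identity profile of source ASNs and source kinds from historical sign-ins, then flags new events whose ASN is unseen or whose source is an anonymizing network the identity has never used. The log format, identities, ASNs, and addresses are constructed for the demo; the privileged-identity list and severity labels are assumptions.

```python
"""Baseline source networks per non-human identity and alert on drift.

Added illustration, not code from Okta or NHIMG. The whitespace-separated
log format, identities, ASNs and IPs are constructed for the example.
"""
from collections import defaultdict

# Constructed history: timestamp identity source-ip asn source-kind
HISTORY = """\
2026-03-01T02:00:05Z svc-backup 203.0.113.10 AS64500 datacenter
2026-03-02T02:00:04Z svc-backup 203.0.113.11 AS64500 datacenter
2026-03-03T02:00:06Z svc-backup 203.0.113.10 AS64500 datacenter
2026-03-01T09:15:00Z ci-deployer 198.51.100.20 AS64501 datacenter
2026-03-02T09:16:12Z ci-deployer 198.51.100.21 AS64501 datacenter
"""

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = """\
2026-03-04T02:00:03Z svc-backup 203.0.113.12 AS64500 datacenter
2026-03-04T14:37:51Z svc-backup 192.0.2.99 AS64502 tor
2026-03-04T09:15:40Z ci-deployer 198.51.100.22 AS64501 datacenter
2026-03-04T23:02:11Z ci-deployer 192.0.2.150 AS64503 vpn
"""

ANONYMIZING = {"tor", "vpn", "proxy"}
PRIVILEGED = {"svc-backup"}   # assumed: identities whose drift is a governance event


def parse(lines):
    """Yield one dict per non-empty log line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, identity, ip, asn, kind = line.split()
        yield {"ts": ts, "identity": identity, "ip": ip, "asn": asn, "kind": kind}


def build_baseline(history):
    """Collect the ASNs and source kinds each identity has been seen from."""
    baseline = defaultdict(lambda: {"asns": set(), "kinds": set()})
    for ev in parse(history):
        baseline[ev["identity"]]["asns"].add(ev["asn"])
        baseline[ev["identity"]]["kinds"].add(ev["kind"])
    return dict(baseline)


def detect_drift(baseline, events):
    """Return (timestamp, identity, ip, severity, reason) for events off-baseline.

    A new IP inside a known ASN is not drift on its own; a new ASN or a first
    appearance from an anonymizing network is.
    """
    alerts = []
    for ev in parse(events):
        known = baseline.get(ev["identity"])
        reasons = []
        if known is None:
            reasons.append("no baseline for identity")
        else:
            if ev["asn"] not in known["asns"]:
                reasons.append(f"new ASN {ev['asn']}")
            if ev["kind"] in ANONYMIZING and ev["kind"] not in known["kinds"]:
                reasons.append(f"anonymizing source {ev['kind']}")
        if reasons:
            severity = "high" if ev["identity"] in PRIVILEGED else "medium"
            alerts.append((ev["ts"], ev["identity"], ev["ip"], severity, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect_drift(build_baseline(HISTORY), NEW_EVENTS):
        print(*alert)
```

Routine events such as svc-backup's new IP inside its usual ASN pass silently; the Tor and VPN arrivals from unseen ASNs are the two alerts, and the privileged backup identity is rated higher because privilege and origin together define blast radius.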
Threat narrative
Attacker objective: Access accounts without exposing a traceable origin, and preserve operational anonymity while conducting further abuse.
- Entry occurs through credential reuse against underground services accessed via VPNs, proxies, and anonymity networks that obscure origin.
- Escalation follows when attackers use those same networks to blend into legitimate-looking login traffic and avoid simple IP-based controls.
- Impact is broader account abuse and easier movement toward identity-centric attacks because the same infrastructure often appears in stolen-credential campaigns.
Breaches seen in the wild
- OmniGPT breach: exposed API keys, email addresses and chat logs.
- DeepSeek breach: exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Anonymous infrastructure is now part of the identity risk model, not just the threat model. The BreachForums leak shows that attackers rely on VPNs, Tor, and proxies to obscure origin when they authenticate into criminal services. That means IAM teams should stop treating network anonymity as a peripheral signal and start treating it as part of the assurance calculation. The practical conclusion is to raise friction when anonymity combines with other high-risk indicators.
High-risk login policy should be contextual, not binary. A blanket block on proxy or VPN traffic will create false positives in distributed workforces and partner-heavy environments. But doing nothing leaves a gap when the same networks repeatedly appear in abuse-heavy activity. Security teams need policy that distinguishes acceptable privacy use from suspicious access behavior by combining source reputation, device history, and step-up authentication.
Identity telemetry must extend to the long tail of automated and semi-automated access. The article is framed around human threat actors, but the same control problem shows up in NHI estates, where service accounts and tokens can be used from unexpected networks or infrastructure. That makes session baselining and anomaly detection a governance issue, not just a fraud issue. Practitioners should build controls that can spot both credential misuse and identity drift.
Runtime network trust is a useful concept here: the value of an IP address changes once it is reused in abuse-heavy ecosystems. In other words, the question is not whether an IP is technically valid, but whether it should still be treated as low-risk in your access policy. That distinction helps teams move from static allowlists to evidence-based access governance.
Attackers’ operational security choices are a defensive signal. When many login attempts cluster around anonymizing infrastructure, the pattern can justify stronger controls at the edge and during authentication. That does not prove malicious intent in every case, but it does support a risk-based posture. The result is better policy calibration, especially where account takeover is a realistic concern.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which leaves many automation paths under-observed and hard to govern.
- For a broader view of how identity failures show up in real incidents, see 52 NHI Breaches Analysis.
What this signals
Runtime network trust will matter more as IAM programs absorb more remote, partner, and automated access. Security teams should expect to use source reputation as a gating signal, but only inside policy designs that also account for device posture, authentication strength, and identity purpose. The practical shift is toward context-aware access instead of static trust zones.
With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, any source anomaly on a privileged automation path should be treated as a governance event, not a log review exercise. That same control logic applies when source networks change unexpectedly, because privilege and origin together define blast radius.
Security teams should also watch the overlap between fraud controls and NHI monitoring. The same source-risk logic that helps identify suspicious human logins can help reveal compromised tokens or automation accounts that suddenly appear from unfamiliar infrastructure. That convergence makes identity telemetry more valuable, but only if programmes define ownership for both human and non-human access.
For practitioners
- Implement contextual access policies for anonymous networks: Use IP reputation, ASN history, and proxy detection as one part of adaptive authentication so suspicious sources trigger step-up controls instead of full access by default.
- Baseline known-good sign-in patterns for privileged identities: Create expected source, device, and geolocation profiles for admin and service access, then alert on material drift such as a new ASN or anonymizing service.
- Separate privacy use from abuse signals: Do not hard-block every VPN or proxy by default. Instead, define policy tiers so routine remote work remains possible while high-risk sources face stricter verification and session controls.
- Review NHI paths for unexpected network origin: Check service accounts, automation tokens, and API-driven sessions for source networks that differ from their normal execution environment, especially in partner-heavy or distributed architectures.
Key takeaways
- Anonymous networks are relevant to IAM because they reduce confidence in where a sign-in came from.
- Leaked login telemetry is most useful when it feeds contextual authentication and source baselining.
- NHI governance should treat unexpected network origin as a sign of possible credential misuse or policy drift.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access decisions depend on contextual identity and source risk. |
| NIST Zero Trust (SP 800-207) | | Anonymous networks fit the zero-trust problem of untrusted source contexts. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Unexpected source networks can indicate NHI credential misuse or drift. |
Use contextual source signals to refine access decisions and enforce least privilege.
Key terms
- IP Reputation: IP reputation is the contextual trust score attached to a network source based on historical abuse, geolocation, and threat intelligence. In IAM, it is best used as a risk signal that can strengthen or weaken authentication requirements, not as a standalone decision about identity legitimacy.
- Anonymous Network: An anonymous network is infrastructure designed to obscure the source of traffic, such as VPNs, Tor, or proxy services. Security teams care about it because it reduces confidence in source attribution and can be used by both legitimate users and attackers.
- Adaptive Authentication: Adaptive authentication changes the strength of login checks based on context such as device, location, source network, and session history. It helps IAM teams respond to suspicious access without forcing every user through the same high-friction path.
- Identity Telemetry: Identity telemetry is the collection of signals generated by authentication, session, and access events across human and non-human identities. It becomes useful for governance when teams can baseline normal behavior and detect drift in source, privilege, or access frequency.
Deepen your knowledge
Network-based access risk and adaptive control design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme needs to govern both human and non-human access paths, it is worth exploring.
This post draws on content published by Okta covering the BreachForums data leak and risky login behavior. Read the original.
Published by the NHIMG editorial team on 2026-03-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org