By NHI Mgmt Group Editorial Team
Published 2026-01-15
Domain: Breaches & Incidents
Source: RSA Security

TL;DR: Identity breaches surged to 69% of organisations in the last three years, while 45% said identity-related breach costs exceeded the typical breach cost and 24% crossed $10M, according to RSA's 2026 RSA ID IQ Report. The data shows identity governance is now a board-level resilience problem, not just an IAM operations issue.


At a glance

What this is: This is RSA's 2026 global identity survey, and its key finding is that identity breaches, breach costs, and help desk hijacks are all rising sharply.

Why it matters: It matters because IAM, NHI, and human identity programmes now face the same pressure: weaker identity controls are translating into higher breach frequency, larger losses, and faster social engineering success.

By the numbers:

  • 69% of organisations reported an identity-related breach in the last three years.
  • 45% said identity-related breach costs exceeded the typical breach cost.
  • 24% said those costs crossed $10M.

👉 Read RSA Security's 2026 ID IQ Report on identity breach trends and help desk risk


Context

Identity security fails when attackers can turn authentication, support workflows, or credentials into durable access. In practice, that means the control plane around human accounts, service access, and support channels matters as much as perimeter security. RSA's survey points to a widening gap between the identity controls organisations think they have and the failures that actually drive loss.

For IAM leaders, the important signal is not only that breaches are more common, but that the attack paths are becoming easier to operationalise. Help desk hijacks, passwordless adoption gaps, and AI-driven optimism all point to a programme that is still built around discrete authentication events rather than the full identity lifecycle and support chain.


Key questions

Q: How should security teams reduce help desk hijack risk in identity programmes?

A: Treat the service desk as part of the identity boundary. Require stronger proofing for resets, re-enrolment, and account recovery, and make those workflows privileged, logged, and regularly tested. The goal is to stop social engineering from becoming an authorised route into the identity lifecycle.

Q: Why do identity-related breaches become so expensive so quickly?

A: Identity compromise often gives attackers legitimate access rather than a narrow technical foothold. That access can reach email, SaaS administration, cloud consoles, and business systems, which expands containment, investigation, and notification costs. The financial impact usually comes from blast radius, not from the first account alone.

Q: What do organisations get wrong about passwordless authentication?

A: They often treat passwordless as a finished control instead of a redesign of the full assurance chain. If recovery, device binding, and re-enrolment are weak, attackers can still reset or rebind identity state. Passwordless only lowers risk when the fallback paths are stronger than the password flow it replaces.

Q: How should teams govern identity support workflows after a major breach trend?

A: Govern support workflows like privileged access. Separate approval from execution, audit every reset and override, and test whether attackers can use help desk processes to change identity state. If they can, the identity programme still has a hidden escalation path that bypasses normal controls.


Technical breakdown

Why help desk hijacks bypass identity controls

Help desk hijacking works because support teams often become an alternate identity authority. Attackers do not need to defeat every authentication factor if they can socially engineer a reset, re-enrolment, or account recovery path. That makes the service desk part of the authentication boundary, even when it is not treated that way in policy. The breach pattern is especially dangerous when the support workflow can override normal step-up requirements, identity proofing, or out-of-band verification. Once that happens, the attacker has an authorised path into the account lifecycle rather than a technical exploit of the login screen.

Practical implication: treat account recovery and help desk overrides as privileged identity workflows, not routine support tasks.

Why identity breach costs rise faster than breach frequency

Identity-led incidents tend to be expensive because they unlock follow-on activity, not just a single compromised account. Once an attacker has valid access, they can move through email, cloud consoles, SaaS admin panels, and downstream systems with a lower chance of immediate detection. That expands the scope of containment, forensics, legal response, and customer notification. In survey terms, cost rises when identity failure is the entry point to a broader compromise rather than a narrow authentication event. This is why identity governance, privilege boundaries, and lifecycle controls drive financial exposure as much as incident response speed.

Practical implication: map identity incidents to downstream systems and cost centres, not just to the initially compromised account.
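The "map identity incidents to downstream systems" implication (and the "measure identity blast radius" item under For practitioners) can be made concrete with a small reachability model. The following Python is an added illustration, not code from RSA or from NHI Mgmt Group: the access graph, the identifiers in it and the greedy edge-cut heuristic are all constructed assumptions, chosen to show how one mailbox that receives IdP recovery mail can quietly widen a user's blast radius.

```python
"""Identity blast radius over a constructed access graph.

Added example; the graph below is invented for illustration and does not
describe any real environment or anything in the RSA survey.
"""
from collections import deque

# Edge A -> B means "holding A gives access to B". Identities hold roles,
# roles grant systems, and some systems grant onward access: a mailbox
# receives other apps' password resets, an IdP admin console can mint
# sessions for everything behind the IdP. Those downstream edges are where
# blast radius usually hides.
ACCESS_GRAPH = {
    "user:alice":           ["role:finance-user", "mailbox:alice"],
    "user:bob":             ["role:saas-admin", "mailbox:bob"],
    "user:svc-backup":      ["role:backup-operator"],
    "role:finance-user":    ["app:erp"],
    "role:saas-admin":      ["app:crm-admin", "app:hr-admin"],
    "role:backup-operator": ["storage:backup-bucket"],
    "mailbox:alice":        ["app:erp"],               # ERP resets land here
    "mailbox:bob":          ["idp:admin-console"],     # IdP recovery mail lands here
    "idp:admin-console":    ["app:erp", "app:crm-admin", "app:hr-admin",
                             "storage:backup-bucket"],
}


def blast_radius(graph, identity):
    """Every node reachable from `identity` (roles included, itself excluded)."""
    seen = {identity}
    queue = deque([identity])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(identity)
    return seen


def reachable_systems(graph, identity):
    """Only the assets (apps, mailboxes, consoles, storage), not the roles between."""
    return {n for n in blast_radius(graph, identity) if not n.startswith("role:")}


def rank_identities(graph):
    """Identities ordered by how many assets fall if that one identity does."""
    ids = [n for n in graph if n.startswith("user:")]
    return sorted(ids, key=lambda i: len(reachable_systems(graph, i)), reverse=True)


def best_edge_to_cut(graph, identity):
    """Greedy privilege-reduction hint: the single downstream trust edge whose
    removal shrinks this identity's blast radius the most. Edges that start at
    a user are skipped; trimming an identity's own entitlements is a separate
    decision from fixing downstream trust. Returns ((src, dst), new_size)."""
    base = len(reachable_systems(graph, identity))
    best = (None, base)
    for src, dsts in graph.items():
        if src.startswith("user:"):
            continue
        for dst in dsts:
            trimmed = {k: [d for d in v if not (k == src and d == dst)]
                       for k, v in graph.items()}
            size = len(reachable_systems(trimmed, identity))
            if size < best[1]:
                best = ((src, dst), size)
    return best


if __name__ == "__main__":
    for ident in rank_identities(ACCESS_GRAPH):
        print(ident, sorted(reachable_systems(ACCESS_GRAPH, ident)))
    print("cut first:", best_edge_to_cut(ACCESS_GRAPH, "user:bob"))
```

In the constructed graph, `user:bob` looks like an ordinary SaaS admin but reaches six assets, because his mailbox is the recovery channel for the IdP console; removing that one mailbox-to-IdP trust edge halves his reachable set, which is the kind of finding a blast-radius map surfaces and a per-account privilege review does not.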

Passwordless adoption does not remove governance gaps

Passwordless authentication reduces dependence on reusable secrets, but it does not remove the need for identity proofing, recovery governance, device trust, and lifecycle controls. If recovery paths are weak, an attacker can still rebind a new factor, reset a session, or hijack a support workflow. That is why passwordless programmes can stall even when users are willing to adopt them. The real question is whether the organisation has replaced password risk with stronger identity assurance, or merely shifted the attack surface into provisioning and support processes.

Practical implication: review recovery, enrolment, and device-binding flows before treating passwordless as a completed control change.


Threat narrative

Attacker objective: The attacker aims to obtain trusted identity access that can be used to bypass authentication controls and expand into wider organisational systems.

  1. Entry begins when an attacker targets help desk staff or support workflows with social engineering, using the service channel as a path around stronger authentication controls.
  2. Escalation occurs when the attacker convinces support personnel to reset credentials, re-enrol a factor, or bypass normal verification, converting social trust into authorised access.
  3. Impact follows when that authorised access is used to take over accounts, access downstream systems, or extend the compromise into broader identity and data environments.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity assurance now fails in the support channel as often as it fails at the login screen: The survey's help desk findings show that identity governance cannot stop at authentication policy. If support staff can override proofing, factor reset, or recovery logic without hardened checks, the organisation has created a second identity authority outside formal IAM controls. Practitioners should treat the service desk as part of the identity control plane, not a back-office exception.

Identity-related breach cost is a governance failure multiplier, not just an incident metric: When identity compromise opens mailboxes, SaaS admin consoles, cloud control planes, and downstream business systems, response scope expands quickly. That is why breach cost rises faster than breach frequency. The discipline problem is that many programmes still measure login success while ignoring the blast radius created by standing access, weak recovery, and over-broad privilege.

Passwordless progress stalls when recovery design remains legacy-shaped: Removing passwords does not eliminate account recovery, device binding, or assurance re-verification. If those fallback paths are weaker than the password flow they replace, the programme shifts risk rather than reducing it. The implication is that identity teams must evaluate the full assurance chain, not just the primary factor.

Help desk hijack is the named concept that security teams should track: It describes the takeover of identity support workflows as an access path, not a side effect of social engineering. Once attackers can rebind or reset identity state through the support function, traditional phishing awareness controls are not enough. Practitioners should make recovery governance measurable, testable, and auditable as a first-class identity control.

Identity failure is now a cross-domain problem spanning human IAM and machine access: The same governance blind spots that weaken human recovery and support processes also undermine NHI lifecycle control when credentials can be created, reset, or delegated without strong oversight. That means identity programmes should be designed around lifecycle trust, not around a single authentication mechanism. Practitioners should align human IAM, NHI governance, and privileged support paths under one control model.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • For a broader breach-intelligence view, see 52 NHI Breaches Analysis for recurring compromise patterns and governance failures.

What this signals

Help desk hijack is becoming a governance pattern, not an isolated fraud technique: RSA's survey suggests that identity programmes need to treat recovery, re-enrolment, and override paths as first-class control surfaces. For practitioners, the practical signal is clear: if support staff can change identity state without strong assurance, the programme still has an unmanaged escalation lane.

The governance response should extend beyond MFA and passwordless adoption. Organisations need lifecycle evidence for every recovery path, every privileged override, and every factor reset, especially where those processes affect human identity and high-risk administrative access.

With 69% of organisations reporting an identity-related breach in the last three years, the issue is no longer theoretical. The next maturity jump is not another authentication feature, but control over the full identity decision chain from proofing to support escalation and downstream access.


For practitioners

  • Harden help desk recovery flows: Require stronger identity proofing, dual approval for sensitive resets, and step-up verification before any factor re-enrolment or credential recovery is completed.
  • Classify support overrides as privileged actions: Log, review, and recertify all account recovery and factor-reset activities as privileged workflows, with named approvers and tamper-evident records.
  • Measure identity blast radius: Map which SaaS, cloud, email, and admin systems become reachable after one account is taken over, then use that map to prioritise privilege reduction.
  • Test passwordless fallback paths: Run abuse-case testing against enrolment, device replacement, and recovery processes so passwordless does not conceal weaker downstream controls.
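The first two practitioner items, and the same advice in the Key questions and Technical breakdown sections (proofing before resets, approval separated from execution, every reset and override logged tamper-evidently), come down to a policy gate in front of any action that changes identity state. The Python below is an added example, not RSA's or NHI Mgmt Group's code and not any IAM product's API: the action policy table, the 0-to-2 proofing scale, the account and agent names, and the hash-chained log format are all constructed assumptions.

```python
"""Account recovery as a privileged identity workflow.

Added illustration. Policy thresholds, proofing scale and sample requests
are constructed; a real deployment would source the proofing level and
step-up result from the IdP rather than from the ticket.
"""
import hashlib
import json
from dataclasses import dataclass, field

# What each identity-state change requires (constructed policy).
#   min_proofing: 0 none, 1 knowledge-based, 2 out-of-band verified
#   approvers:    independent approvers needed besides the requesting agent
#   step_up:      subject must pass step-up verification on an enrolled factor
ACTION_POLICY = {
    "password_reset":    {"min_proofing": 1, "approvers": 0, "step_up": False},
    "factor_reenrol":    {"min_proofing": 2, "approvers": 1, "step_up": True},
    "recovery_override": {"min_proofing": 2, "approvers": 2, "step_up": True},
}


@dataclass
class RecoveryRequest:
    subject: str            # account whose identity state would change
    action: str
    requester: str          # help desk agent who opened the request
    proofing_level: int
    step_up_verified: bool
    approvers: list = field(default_factory=list)


class AuditLog:
    """Append-only hash chain: each record commits to the previous one, so a
    later edit to any record (or its removal) breaks verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self._prev = self.GENESIS

    def append(self, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self._prev + body).encode()).hexdigest()
        self.records.append({"prev": self._prev, "event": event, "hash": digest})
        self._prev = digest
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for rec in self.records:
            body = json.dumps(rec["event"], sort_keys=True)
            if rec["prev"] != prev or \
               hashlib.sha256((prev + body).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def evaluate(req: RecoveryRequest, log: AuditLog):
    """Apply the policy and record the decision. Returns (allowed, reasons)."""
    policy = ACTION_POLICY.get(req.action)
    reasons = []
    if policy is None:
        reasons.append("unknown action")
    else:
        if req.proofing_level < policy["min_proofing"]:
            reasons.append("proofing below required level")
        if policy["step_up"] and not req.step_up_verified:
            reasons.append("step-up verification missing")
        # Separation of approval from execution: the agent cannot count as
        # their own approver, and the subject can never approve their own recovery.
        independent = {a for a in req.approvers if a != req.requester}
        if len(independent) < policy["approvers"]:
            reasons.append("insufficient independent approvers")
        if req.subject == req.requester or req.subject in req.approvers:
            reasons.append("subject cannot request or approve own recovery")
    allowed = not reasons
    log.append({"subject": req.subject, "action": req.action,
                "requester": req.requester, "approvers": sorted(req.approvers),
                "allowed": allowed, "reasons": reasons})
    return allowed, reasons


def run_samples():
    """Constructed requests exercising the gate; denials are logged as well."""
    log = AuditLog()
    results = {
        "routine_reset": evaluate(
            RecoveryRequest("user:alice", "password_reset", "agent:kim", 1, False), log),
        "reenrol_weak": evaluate(
            RecoveryRequest("user:alice", "factor_reenrol", "agent:kim", 1, False), log),
        "reenrol_self_approved": evaluate(
            RecoveryRequest("user:alice", "factor_reenrol", "agent:kim", 2, True,
                            ["agent:kim"]), log),
        "reenrol_ok": evaluate(
            RecoveryRequest("user:alice", "factor_reenrol", "agent:kim", 2, True,
                            ["lead:ravi"]), log),
    }
    return results, log


if __name__ == "__main__":
    results, log = run_samples()
    for name, (ok, why) in results.items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} {why}")
    print("audit chain intact:", log.verify())
```

The point of logging denials alongside approvals is that a run of refused re-enrolment requests against one subject is itself the detection signal for a help desk hijack attempt; the hash chain gives reviewers confidence that the trail the support team shows them is the trail that was written.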

Key takeaways

  • Identity breaches are now frequent enough that support workflows must be treated as part of the attack surface, not as administrative back office.
  • The cost signal is as important as the breach count, because identity compromise tends to widen into email, cloud, and SaaS admin exposure.
  • Passwordless helps only when recovery, device binding, and help desk override controls are stronger than the legacy password process they replace.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AA-01            | Identity proofing and recovery paths are central to this survey's breach concerns.
NIST SP 800-63               | IAL-2               | Help desk hijacks exploit weak identity proofing and recovery assurance.
NIST Zero Trust (SP 800-207) | PR.AC-1             | Support-channel overrides can bypass zero trust assumptions about continuous verification.

Review recovery and support workflows as identity assurance controls and tighten proofing before resets.


Key terms

  • Help Desk Hijack: A help desk hijack is when an attacker uses social engineering to get support staff to reset, re-enrol, or bypass identity controls. The tactic turns operational trust into access, making the support workflow part of the attack surface rather than a neutral service channel.
  • Identity Recovery Workflow: An identity recovery workflow is the process used to restore access after credential loss, factor failure, or account lockout. It includes proofing, approvals, and re-enrolment steps, and it becomes a high-risk control point when those steps can change identity state without strong verification.
  • Identity Blast Radius: Identity blast radius is the set of systems, data, and administrative actions an attacker can reach after compromising a single identity. It is a measure of how much damage valid access can create, and it is shaped by privilege scope, downstream trust, and lifecycle controls.
  • Passwordless Fallback Path: A passwordless fallback path is the alternate process used when a user cannot use their primary passwordless factor, such as device replacement, recovery, or re-enrolment. If these paths are weak, passwordless shifts risk into support and recovery rather than removing it.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by RSA Security: Brazil Leads the World in Global Identity Security Survey, RSA ID IQ Report Unveils Top Identity Threats. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org