
According to the Identity Theft Resource Center (ITRC) there were 1.1 billion breaches in the first half of 2024 — a 490 percent increase over the first half of the year before.
In addition, an enormous and unprecedented rate of credential stuffing and bot attacks has been spearheaded by ChatGPT’s debut. All of this means that having intelligent and accurate fraud prevention techniques has never been so critical.
We spoke to Reed McGinley-Stempel, CEO and co-founder of identity management platform Stytch, about what’s behind this wave of breaches and how organizations can address the threat.
BN: What are the underlying tech trends that are driving a 400 percent plus spike in data breaches in 2024 alone?
RMS: The 400 percent increase in data breaches reflects a convergence of factors. First, the rapid adoption of AI-driven automation has allowed bad actors to scale attacks with unprecedented precision and speed. Phishing, credential stuffing, and social engineering attacks are now hyper-targeted, leveraging personal data exposed in earlier breaches. Second, the ongoing shift to remote work and cloud-first architectures has expanded the attack surface, leaving legacy security models struggling to keep pace. Lastly, the fragmented adoption of modern authentication methods has left organizations reliant on outdated and vulnerable password-based systems, which remain a weak link in their defenses.
BN: In light of recent high-profile breaches at companies like Ticketmaster, 23andMe, Snowflake, and GitLab, what lessons can organizations learn about the importance of secure user access?
RMS: These breaches underscore that secure user access is not a ‘set it and forget it’ initiative — it’s an ongoing process that demands vigilance. First, it’s critical to implement passwordless authentication methods, which eliminate one of the most common points of failure. Multi-factor authentication (MFA) is no longer optional, but it must be paired with intelligent, context-aware systems that adapt based on risk signals like device, location, and behavioral patterns. Organizations must also prioritize transparency and education, ensuring that users understand how to protect their own data while navigating increasingly sophisticated threats.
BN: What do you believe these breaches reveal about current vulnerabilities in authentication systems and why is a live, in-depth signature of every user needed for today’s applications?
RMS: Current systems still treat authentication as a binary gate — users are either ‘in’ or ‘out’ — when modern threats demand continuous, adaptive evaluation. These breaches reveal the failure of static credentials and one-size-fits-all policies to address nuanced and evolving risks. A live, in-depth signature of every user — comprising device fingerprints, behavioral patterns, and contextual insights — allows for dynamic decision-making. By layering these signals, applications can intelligently determine whether access requests align with legitimate usage patterns, significantly reducing the likelihood of unauthorized access.
BN: In your view, what does the ‘next generation’ of authentication need to look like to effectively counteract today’s security threats and why?
RMS: The next generation of authentication must blend security and usability without compromise. This means moving beyond passwords to systems that are seamless for users yet impenetrable to bad actors. Passwordless solutions like WebAuthn, biometrics, and device-based authentication will serve as foundational elements. Additionally, authentication must become continuous, integrating behavioral biometrics and real-time risk assessments to adapt dynamically to threats. These systems must also be developer-friendly, allowing organizations to implement robust security measures without sacrificing time-to-market or user experience.
BN: How has the development of autonomous AI agents shifted the landscape of authentication, and what does it mean for companies working to protect user data?
RMS: The rise of autonomous AI agents introduces an entirely new class of entities that require authentication. Unlike human users, these agents interact programmatically, necessitating robust machine-to-machine authentication protocols. Companies must adopt new permissioning models that account for the dynamic roles and access scopes of these agents. This shift underscores the need for modern authentication frameworks that support both user and agent authentication while embedding fine-grained access control. Protecting user data in this landscape requires rethinking not just who can access a system, but also how and why access is granted.