The average corporate user now has 146 stolen records linked to their identity, an average 12x increase from previous estimates, reflecting a surge in holistic identity exposures.
SpyCloud, the leading identity threat protection company, today released its 2025 SpyCloud Annual Identity Exposure Report, highlighting the rise of darknet-exposed identity data as the primary cyber risk facing enterprises today. As cybercriminals move beyond single data points and leverage stolen data from a number of sources – breaches, malware and phishes – they are embracing a more sophisticated approach to identity exploitation, and organizations must shift their focus to a comprehensive and holistic defense strategy that accounts for the interconnected nature of digital identities.
Holistic Identity: The New Cyber Battleground
Organizations have traditionally focused on securing individual account credentials, but SpyCloud’s research indicates that cybercriminals have expanded their tactics beyond conventional account takeover. Attackers now have access to extensive identity data from multiple sources—including data breaches, infostealer malware infections, phishing campaigns, and combolists—posing a challenge for organizations whose security measures have not yet adapted to address the full scope of interconnected identity exposures holistically.
SpyCloud’s collection of recaptured darknet data grew 22% in the past year, now encompassing more than 53.3 billion distinct identity records and over 750+ billion total stolen assets that are now circulating in the criminal underground, fueling identity-based cybercrime. These assets are a vast array of personal and professional credentials, session cookies, personally identifiable information (PII), financial data, IP addresses, national IDs and more that criminals are weaponizing in attacks against individuals and businesses.
“The cybersecurity industry has spent years defending against traditional credential-based threats, but the reality is that attackers have advanced as the data they have access to has exploded in volume,” said Damon Fleury, Chief Product Officer, SpyCloud. “Identity is the ultimate frontier of cyber risk, with users’ exposure across past and present, personal and professional identities the new attack surface. It requires organizations to rethink the risks posed by employees, consumers, partners and suppliers.”Fleury continues, “At SpyCloud, we’ve created holistic identity analytics built on the industry’s largest collection of recaptured darknet data, enabling our customers to correlate disparate data points that encompass an individual’s digital footprint—providing a truly holistic view of identity risk.”
New Definition for Identity Risk Emerges
With the explosion of available identity data, attackers can now piece together historical and present-day records to bypass security barriers. Traditionally, cybersecurity teams were only able to see a fraction of an individual’s darknet exposures – primarily only the exposed assets tied to a corporate identity – which were not comprehensive nor in correlation with other exposures. SpyCloud’s report shows that an individual’s identity exposure is more expansive than traditional cyber risk tools would indicate; in fact, it’s a sprawling web of interrelated assets that provide cybercriminals with a roadmap to exploit vulnerabilities and the keys to unlock valuable access.
- Of particular concern for businesses, a single corporate user now has an average of 146 stolen records linked to their identity – across 13 unique emails and 141 credential pairs (a username or email and its associated password) per corporate user, which highlights how attackers correlate historical data to uncover active enterprise access points.
- In the consumer realm, the numbers are even higher with 229 records per consumer, frequently including exposed PII such as full names, dates of birth, and phone numbers, as well as Social Security/ID numbers, addresses, and credit card or bank information. Consumer exposure averages 27 unique emails and 227 credential pairs per user.
“The record-breaking breaches of 2024, including the Mother of All Breaches (MOAB) and the National Public Data Breach, along with the growing use of infostealing malware and crafty phishing campaigns illustrate just how vast the pool of exposed identity data has become,” said Trevor Hilligoss, Senior Vice President of Security Research, SpyCloud Labs at SpyCloud. “By understanding how cybercriminals aggregate stolen data and the new tactics and trends they are leveraging to assume even more valuable information and access, organizations can take proactive steps to mitigate identity-based threats from these large underground sources before they escalate.”
Additional Report Findings:
- 17.3 billion cookies were recaptured from malware-infected devices, enabling attackers to bypass MFA and hijack active user sessions.
- 548 million credentials were exfiltrated via infostealer malware, highlighting the growing role of stealthy, targeted data theft in enterprise attacks.
- 3.1 billion passwords were recaptured in 2024, marking a 125% increase from the previous year.
- 70% of users whose credentials were exposed in breaches last year reused previously compromised passwords, significantly increasing their risk of account takeover attacks – a 9+ jump from 2023.
- 44.8 billion PII assets – a 39% increase from 2023 are opening the door for new fraudulent activities.
- 97% of recaptured phished data logs in 2024, from popular phishing-as-a-service (PHaaS) platforms like ONNX, included an email address and 64% had an associated IP address, giving criminals direct opportunities to perpetrate as the user and make lateral movements within an organization.
- In the public sector, SpyCloud recaptured 127K .gov credentials and observed a 67% all-time password reuse rate – an increase of 13% over the previous year – highlighting persistent security risks for our federal agencies and national security.
Evolving Cybersecurity Strategies
The findings highlight that cybercriminals are moving well-beyond their own legacy tactics and businesses must recognize that traditional defenses are no longer enough. SpyCloud’s approach leverages holistic identity analytics, powered by the industry’s largest collection of recaptured darknet data, to help organizations correlate disparate identity elements and shore up identity threat protection measures, while mitigating risk more effectively.
For further insights, the full 2025 SpyCloud Identity Exposure Report is available here.
About SpyCloud
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.
To learn more and see insights, users can visit spycloud.com.
Contact
Emily Brown
REQ on behalf of SpyCloud
Read More from This Article: SpyCloud’s 2025 Identity Exposure Report Reveals the Scale and Hidden Risks of Digital Identity Threats
Source: News