
SpyCloud’s 2025 Identity Exposure Report Reveals Surging Identity-Based Threats as Stolen Identity Records Increase 22% from Last Year
Fueling the expanded cybercrime economy is a rise in infostealer malware, with nearly 50% of corporate users having been infected
/EIN News/ -- AUSTIN, Texas, March 19, 2025 (GLOBE NEWSWIRE) -- SpyCloud, the leader in identity threat protection, today released its 2025 SpyCloud Annual Identity Exposure Report, uncovering the staggering scale of digital identity sprawl, the growing risks organizations face, and actionable insights to combat cyber threats before they escalate.
SpyCloud has recaptured 53.3 billion distinct identity records, a 22% increase from 2023, underscoring the increasing prevalence of stolen data such as credentials and personally identifiable information (PII) circulating on the darknet. These identity records, consisting of harvested employee, consumer, and supply chain data, are the fuel that powers cyberattacks like ransomware, account takeover, and fraud – nearly 80% of breaches last year involved the use of stolen credentials.
Despite this surge in identity-based threats, many organizations remain unaware of the massive breadth of digital identity data stolen from users, traded among cybercriminals, and leveraged to infiltrate organizations.
“Traditional security models focus on an isolated exposure data point, like a single stolen password or breached email, without accounting for the full picture of an individual’s digital footprint and other potential exposures,” said Damon Fleury, Chief Product Officer at SpyCloud. “But modern threats are far more complex. At SpyCloud, we’ve pioneered a holistic approach to identity security, mapping exposures across breaches, malware infections, phishing campaigns, and combolists to reveal the true scale of risk from compromised users. This shift is essential for defenders to proactively mitigate threats from stolen identity data before they escalate into full-scale cyberattacks.”
Key Findings from the 2025 Annual Identity Exposure Report:
The True Scale of Identity Exposure is Greater Than Previously Estimated
By applying proprietary holistic identity matching, SpyCloud researchers discovered that the actual scale of exposure is, on average, more than twelve times larger than previously estimated – providing security teams with a clearer, more actionable picture of identity risk:
- 146 identity records per corporate user → compared to just 11 using traditional methods
- 141 stolen credential pairs per user → versus just 7 with legacy visibility
- 74% of recaptured consumer records include location data, increasing risks of fraud and identity theft
With a holistic approach to identity security, enterprises can move beyond isolated credential leaks and better understand their interconnected exposures – empowering them to act before an attack occurs.
Infostealer Malware: The Primary Driver of Modern Cybercrime
Infostealer malware – stealthy, highly efficient tools that extract user information, browser cookies, and system details from infected devices – has emerged as one of the most persistent and dangerous threats to enterprise security. SpyCloud recaptures data from more than 75 different malware families including LummaC2, Redline Stealer, and Vidar. This year’s research into the recaptured data from those families found that:
- About 1 in 2 corporate users were exposed through infostealer malware in the past year, via a personal or corporate device
- 7 million stolen credentials for third-party applications were recaptured – a 48% increase from last year. Trending third-party application targets include:
  - 895,802 stolen credentials for enterprise AI tools, exposing sensitive business insights and proprietary data
  - 159,313 stolen credentials from password managers, undermining critical security layers
- 17 billion stolen cookies were recaptured, enabling attackers to side-step multi-factor authentication (MFA) and hijack active sessions
Infostealers' role in identity exposures has real, lasting effects on businesses and individuals. Last year, nearly one-third of companies that suffered a ransomware attack had previously experienced an infostealer infection.
Phishing: A Growing Threat Fueled by AI and Phishing-as-a-Service (PhaaS)
Phishing tactics evolved in 2024, becoming more sophisticated with AI-driven campaigns and turnkey PhaaS platforms. Attackers increasingly targeted high-value data, including personal and corporate credentials, financial accounts, and session cookies. SpyCloud’s 2025 research reveals:
- 97% of recaptured phished data contains email addresses
- 64% contains IP addresses
- 51% contains city or postal codes, increasing risks of location-based fraud
PII Exposure Surges, Fueling Identity Fraud
The exposure of PII reached 44.8 billion recaptured records in 2024 – a 39% increase from the previous year – due in large part to breaches such as the Mother of All Breaches (MOAB) and the National Public Data Breach. Both greatly expanded the PII circulating in the criminal underground and still provide cybercriminals with the raw materials to commit identity fraud and financial crimes. Key exposed PII data points include:
- 3.05 billion Social Security and national ID numbers
- 4.4 billion full names
- 2.8 billion phone numbers
- 42.97 million passport and driver’s license numbers
- 36.97 million credit card numbers
Cybercriminals are also capitalizing on sprawling digital identities and expanding their targets to include other forms of credentials. SpyCloud also recaptured 33.1 million exposed API keys and 147,132 compromised cryptowallet addresses, highlighting critical vulnerabilities in modern digital ecosystems.
Weak Password Practices Continue to Undermine Security
Despite growing awareness of identity threats, weak password practices remain a constant source of risk, making users easy targets for automated credential stuffing and account takeover attacks:
- 3.1 billion exposed passwords were recaptured – a 125% increase from last year
- 70% of users exposed in breaches last year reused previously-exposed passwords across multiple accounts, up from 61% in 2023
- Most commonly exposed passwords include: “123456,” “Admin,” “Qwerty”
- Pop culture continues to drive popular password choices. While these passwords are personal to the users, they are predictable and continue to reign as a top entry point for threat actors.
  - Almost 3 billion referenced the fall season
  - 7.5 million referenced major international events in tennis
  - Over 7 million referenced cats
  - Passwords influenced by video games surged, including passwords related to The Legend of Zelda (2 million), Super Mario Brothers (almost 1.5 million) and Fortnite (almost 1 million)
  - Passwords influenced by the year’s hottest artists such as Taylor Swift (1.5 million) and Charli XCX (295,000) were also common
Looking Ahead: Proactive Identity Protection is Critical
As identity threats continue to evolve, organizations must adopt a proactive, holistic approach to identity security. Defending against cybercrime requires continuous monitoring for dark web identity exposures, rapid and automated remediation of stolen identity data, and enhanced security measures to combat emerging threats.
“The rise of infostealer malware and ever-evolving phishing attacks created a surge in the theft of sensitive identity data, but the size and scale of breaches like MOAB and NPD demonstrate traditional attack methods continue to be dangerous,” said Trevor Hilligoss, Senior Vice President of Security Research, SpyCloud Labs at SpyCloud. “In an era where identity data is cybercriminals’ most valuable currency, organizations must think beyond traditional security perimeters and leverage intelligence from the criminal underground to disrupt cybercrime before it strikes.”
Read the full 2025 SpyCloud Identity Exposure Report here.
About SpyCloud
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.
To learn more and see insights, users can visit spycloud.com.
Contact:
Emily Brown
REQ on behalf of SpyCloud
spycloud@req.co

