SpyCloud’s 2025 Identity Exposure Report Reveals the Scale and Hidden Risks of Digital Identity Threats

Holistic Identity: The New Cyber Battleground

Organizations have traditionally focused on securing individual account credentials, but cybercriminals have expanded their tactics beyond conventional account takeover. Attackers now have access to extensive identity data from multiple sources – including data breaches, infostealer malware infections, phishing campaigns, and combolists – posing a challenge for organizations whose security measures have not yet adapted to address the full scope of interconnected identity exposures holistically.

SpyCloud’s collection of recaptured darknet data grew 22% in the past year, now encompassing more than 53.3 billion distinct identity records and over 750+ billion total stolen assets that are now circulating in the criminal underground, fueling identity-based cybercrime. These assets are a vast array of personal and professional credentials, session cookies, personally identifiable information (PII), financial data, IP addresses, national IDs, and more that criminals are weaponizing in attacks against individuals and businesses.

New Definition for Identity Risk Emerges

With the explosion of available identity data, attackers can now piece together historical and present-day records to bypass security barriers. Traditionally, cybersecurity teams were only able to see a fraction of an individual’s darknet exposures – primarily only the exposed assets tied to a corporate identity – which were not comprehensive nor in correlation with other exposures. SpyCloud’s report shows that an individual’s identity exposure is more expansive than traditional cyber risk tools would indicate; in fact, it’s a sprawling web of interrelated assets that provide cybercriminals with a roadmap to exploit vulnerabilities and unlock valuable access.

• Of particular concern for businesses, a single corporate user now has an average of 146 stolen records linked to their identity – across 13 unique emails and 141 credential pairs (a username or email and its associated password) per corporate user, which highlights how attackers correlate historical data to uncover active enterprise access points.
• In the consumer realm, the numbers are even higher with 229 records per consumer, frequently including exposed PII such as full names, dates of birth, and phone numbers, as well as Social Security/ID numbers, addresses, and credit card or bank information. Consumer exposure averages 27 unique emails and 227 credential pairs per user.

Additional Report Findings:

• 17.3 billion cookies were recaptured from malware-infected devices, enabling attackers to bypass MFA and hijack active user sessions.
• 548 million credentials were exfiltrated via infostealer malware, highlighting the growing role of stealthy, targeted data theft in enterprise attacks.
• 3.1 billion passwords were recaptured in 2024, marking a 125% increase from the previous year.
• 70% of users whose credentials were exposed in breaches last year reused previously compromised passwords, significantly increasing their risk of account takeover attacks – a 9+ jump from 2023.
• 44.8 billion PII assets – a 39% increase from 2023 – are opening the door for new fraudulent activities.
• 97% of recaptured phished data logs in 2024, from popular phishing-as-a-service (PHaaS) platforms like ONNX, included an email address and 64% had an associated IP address, giving criminals direct opportunities to perpetrate as the user and make lateral movements within an organization.
• In the public sector, SpyCloud recaptured 127K .gov credentials and observed a 67% all-time password reuse rate – an increase of 13% over the previous year – highlighting persistent security risks for our federal agencies and national security.

Evolving Cybersecurity Strategies

The findings highlight that cybercriminals are moving well-beyond their own legacy tactics and businesses must recognize that traditional defenses are no longer enough. SpyCloud’s approach leverages holistic identity analytics, powered by the industry’s largest collection of recaptured darknet data, to help organizations correlate disparate identity elements and shore up identity threat protection measures, while mitigating risk more effectively.

For further insights, the full 2025 SpyCloud Identity Exposure Report is available here.

About SpyCloud

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

Conclusion

As the cyber threat landscape continues to evolve, it is clear that traditional security measures are no longer sufficient. The rise of darknet-exposed identity data as the primary cyber risk facing enterprises today requires a more holistic approach to identity threat protection. At SpyCloud, we are committed to helping organizations proactively prevent identity-based threats and stay ahead of the evolving threat landscape.

FAQs

Q: What is the significance of the 22% growth in SpyCloud’s collection of recaptured darknet data?
A: This growth highlights the increasing volume of stolen identity data available to cybercriminals, which is fueling identity-based cybercrime.

Q: Why is the average number of stolen records linked to an individual’s identity so high?
A: The average number of stolen records linked to an individual’s identity is high because cybercriminals are now able to piece together historical and present-day records to bypass security barriers, making it easier for them to exploit vulnerabilities and unlock valuable access.

Q: What is the impact of the 125% increase in recaptured passwords on cybersecurity?
A: The 125% increase in recaptured passwords highlights the growing role of stealthy, targeted data theft in enterprise attacks, making it more challenging for organizations to secure their networks and protect sensitive data.

Q: How can organizations best protect themselves from identity-based threats?
A: Organizations can best protect themselves from identity-based threats by adopting a holistic approach to identity threat protection, leveraging advanced analytics and darknet data to correlate disparate identity elements and shore up security measures.