Enterprises today can face the unique security challenge of stolen, sometimes historical, identity data from various sources – through breaches, malware and phishing attacks – being linked to corporate users’ identities. The 2025 SpyCloud Annual Identity Exposure Report exposed how identity exploitation is being reinvented through data availability. And numerous tools enable hackers to tap historical and new data to uncover active enterprise access points.
For businesses, a single corporate user now has an average of 146 stolen records linked to their identity – across 13 unique emails and 141 credential pairs per corporate user.
Account takeover attacks on a single deposit of data are outdated as cybercriminals expand their tactics to multiple data sources. With organisational systems often adept at fighting only some security threats, the full scope of identity exposures can be overwhelming and above their technical capability.
Darknet data grew 22% in the past year, reported by SpyCloud. The saturation of 750+ billion stolen assets to 53.3 billion genuine identities explains how this identity-based cybercrime is perpetuating, and provides the difficult task of stopping fraudsters weaponizing real identity credentials. Some enterprises may have implemented excessive permissions, and lack identity governance with risk and operational insights.
These assets being tampered are a vast array of personal and professional credentials, session cookies, personally identifiable information (PII), financial data, IP addresses, national IDs and more that criminals are weaponizing in attacks against individuals and businesses.
“The cybersecurity industry has spent years defending against traditional credential-based threats, but the reality is that attackers have advanced as the data they have access to has exploded in volume,” said Damon Fleury, Chief Product Officer, SpyCloud.
“Identity is the ultimate frontier of cyber risk, with users’ exposure across past and present, personal and professional identities the new attack surface. It requires organizations to rethink the risks posed by employees, consumers, partners and suppliers.” Fleury continues.
The report shows that an individual’s identity exposure is more expansive than traditional cyber risk tools would indicate. It’s a “sprawling web of interrelated assets that provide cybercriminals with a roadmap to exploit vulnerabilities and the keys to unlock valuable access”.
A staggering 17.3 billion cookies were retrieved from malware-infected devices, allowing attackers to bypass multi-factor authentication (MFA) and hijack active user accounts. Additionally, 548 million credentials were stolen using infostealer malware, underscoring the rise of covert and targeted data theft in enterprise cyberattacks.
44.8 billion personal identifiable information assets – a 39% increase from 2023 – are enabling fraudulent activities.
