Close this search box.

Top 5 Takeaways from SpyCloud’s Annual Identity Exposure Report

SpyCloud’s 2022 Annual Identity Exposure Report dropped and is chock full of thought-provoking insights.

This year’s report expanded on previous years’ reports in which SpyCloud focused mainly on credential exposures. But as we’re seeing exposed personally identifiable information (PII) put more users at risk of identity fraud, our report sheds light on the kinds of data frequently leaked in breaches and siphoned from malware-infected devices that enable the creation of synthetic identities and other forms of fraud: social security numbers, credit card information, location data, marital status, and income level. So while credentials are a critical component of our recapture efforts, this year we also spotlighted the dangers of exposed PII.

The 2021 findings from our researchers prove that every year, digital identity exposure risk grows by leaps and bounds. The 1.7 billion exposed credentials, the 64% password reuse rate, the 13.8 billion recaptured PII records – all these data points and others show an increase from previous years.

Let’s take a closer look at the key takeaways from the 2022 SpyCloud Annual Identity Exposure Report:

Personally Identifiable Information (PII) – Just What the Fraudster Ordered

We continue to be amazed at the growing amount of PII that is available in the criminal underground. In 2021, SpyCloud recaptured 13.8 billion PII assets, a 200% increase from 4.6 billion the year before. This brings the total in our database to 44.7 billion pieces of PII. From names and social security numbers to birth dates and social media handles, fraudsters have a plethora of information at their fingertips to wreak havoc on enterprises and consumers.

PII recaptured in 2021

PII exposures make it all too easy for cybercriminals to piece together synthetic identities, which in turn are used to perpetuate other fraudulent activities. These activities are on the rise, especially in the financial services and ecommerce industries, with financial institutions alone enduring $20 billion in losses due to synthetic identity fraud in 2020. As losses related to fraud can be crippling, organizations are in dire need of fraud solutions that help identify a legitimate customer versus a criminal.

Eye-Opening Top Password Trends 

Credential pairs (email addresses or user names + passwords) continue to be the most highly sought after and lucrative asset in the criminal underground. And last year alone, we recaptured more than 1.7 billion of them. This year’s report includes password insights that would make any security professional cringe.

Are people still reusing the same password across multiple accounts? Unfortunately, yes – one of the most intriguing insights we gleaned from our analysis was this year’s password reuse rate: we observed a 64% password reuse rate among users exposed in 2+ data breaches last year, a 4-point jump from the prior year.

And are people still really using “password” as their password? Also yes. Despite efforts to encourage widespread education on cyber hygiene, “password” is one of the top three reused passwords of 2021. Make sure none of your passwords are on this list:

top 100 reused passwords of 2021

Are pop culture references still prevalent in passwords? You bet. It was no surprise when our recaptured data revealed millions of passwords incorporating popular topics. A huge pop culture influence on passwords in 2021 came from the Marvel franchise, with Loki, Falcon, and Wanda appearing frequently as keywords in exposed passwords. Political terms, pandemic themes, and sports team names also made appearances.

Popular passwords in the year 2021; keywords include Jeopardy, Mask, Marvel, Virus, Astros, Pandemic, and more.

Malware Data is on the Rise in the Criminal Underground

Not only is malware responsible for the fraud that’s hardest to proactively detect, it also poses the highest exposure severity for both consumers and enterprises. Once devices are infected, keyboard strokes and system information is siphoned, exposing details ranging from login credentials and browser history to geolocation, installed software, autofill info, and even web session cookies. This information can be used for account takeover (ATO), impersonating users with browser or device fingerprints, or bypassing fraud controls (including MFA) completely using stolen cookies.

Malware-siphoned data is becoming quite the hot commodity on the criminal underground. In 2021, we noticed a surge in infostealer (information-stealing malware) logs being distributed and shared on various forums and chat groups. In particular, RedLine Stealer accounted for more than 50% of all infections that we analyzed, followed closely by Raccoon, Vidar, and a handful of other malware families.

To help combat the effects of malware, we have sorted and parsed hundreds of thousands of post-infection bot logs resulting in hundreds of millions of stolen credential records over the last 12 months. This information helps our customers devalue the data faster and contain the potential damage.

Notable Breaches of 2021 Span Industries

From telecom to tech to entertainment, seemingly no industry was immune from breaches last year. In 2021 alone, SpyCloud recaptured data from 755 breaches with the average breach size of 6.7M records.

Breach collection count 2021, showing that SpyCloud collected 755 breaches with an average size if 6.7 million records each

This year’s report includes highlights from some of the year’s most notable breaches, spanning industries and geographies. While not all breaches make the headlines or get blasted in the media, they nonetheless have significant impacts on enterprises and consumers.

And not all breaches are equal in size: the largest breach included in our report is more than 501 million scraped Facebook user profiles from more than 100 countries that were posted on a hacking forum. At the opposite end of the spectrum, we also note a leak of 137,386 records stolen from a UK weapons marketplace and sold on the criminal underground. While this marketplace breach pales in comparison to the Facebook scraped profiles breach, the bottom line is sensitive data is constantly being leaked, affecting hundreds of millions of people around the world and revealing extremely sensitive information. The results can be even scarier than the breach size might imply.

How the “New Normal” Correlates With the Surge in Fraud and Ransomware

As the pandemic drove consumers and employees online and thrust enterprises and consumers into a  “new normal” way of life, the threat landscape expanded exponentially with increased digital transactions and the need to work from home. More digital identities breeds more opportunities for cybercriminals.

Hit hard during these times were financial institutions and ecommerce organizations. The costs of fighting fraud rose accordingly, and for every $1 of fraud, U.S. financial services spent $4 in 2021, compared to $3.64 in 2020 (and $3.25 in 2019). Fighting fraud also got more expensive for ecommerce merchants, rising from $3.36 in 2020 to $3.60 for every $1 of fraud.

But fraud isn’t the only challenge that resulted from this “new normal” – ransomware also continues to run rampant. In a SpyCloud survey of IT security professionals, 72% reported that their organization was affected by ransomware in the previous 12 months. Nearly one-fifth said they experienced 6 or more ransomware incidents during that time. Just one exposed password is enough to bring a business to its knees with data loss, financial impacts, and hits to brand reputation.


The findings from our researchers prove that the risk from digital identity exposure increases every year. The intertwining of personal and work lives, along with the expanding digital footprint, will continue to accelerate the rates of online fraud. 

We’ve found that the most effective way of protecting your enterprise from ATO, ransomware, and online fraud is to combine human intelligence, technology, and a breadth of recaptured data from the criminal underground to proactively stop fraud before it occurs. Individuals can help fight cyber threats by ensuring their passwords are strong and unique and implement MFA where possible. 

Download the full 2022 Annual Identity Exposure Report for additional insights from the analysis of our recaptured data, including a closer look at government risk, a deeper dive on RedLine Stealer, and more year-over-year trends.
Recent Posts

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

[What’s New] Check Your Exposure has been expanded with more recaptured data. See Your Results Now

Close this search box.