Close this search box.

SpyCloud Report: 2.27B Exposed Assets Tied to Fortune 1000 Employees; Cybercriminals Hit the Jackpot with Session Cookies

The technology sector had the highest number of malware-infected employees, most exposed corporate credentials and the majority of all stolen cookies.

Austin, TX – May 9, 2023 /Business Wire/ – SpyCloud, the leader in operationalizing Cybercrime Analytics (C2A), today released its 2023 Fortune 1000 Identity Exposure Report, an annual analysis of the darknet exposure of employees of Fortune 1000 enterprises across 21 industry sectors, including technology, financials, retailing and media. 

Drawing on SpyCloud’s database of 400+ billion recaptured assets from the criminal underground, researchers analyzed 2.27 billion exposed dark web assets (including 423.28 million personally identifiable information (PII) assets) found in data breaches and exfiltrated from malware-infected devices tied directly to Fortune 1000 employees’ email addresses. The asset count represents a 7% increase year-over-year and puts these organizations in jeopardy for cyber threats including account takeover, session hijacking, fraud, and ransomware from this stolen data. 

SpyCloud researchers uncovered 27.48 million pairs of credentials with Fortune 1000 corporate email addresses and plaintext passwords, with over 223,000 exfiltrated by malware, specifically enabling seamless access to over 56,000 cloud-based applications, including popular enterprise email, single sign-on (SSO), payroll management, hosting, and collaboration tools. SpyCloud also observed a 62% password reuse rate among Fortune 1000 employees who have been exposed more than once. 

Even more alarming are the revelations in this year’s report about browser session cookies – unquestionably the most prized data exfiltrated by malware. SpyCloud recaptured 1.87 billion malware cookie records tied to Fortune 1000 employees. These cookies allow cybercriminals to infiltrate organizations by impersonating legitimate users and gain access to an active web session, which effectively can bypass security best practices like multi-factor authentication (MFA).

“Cybercriminals continue to evolve their tactics from capturing as much data as possible to capturing high-quality data that practically guarantees success. By leveraging session cookies, criminals can take advantage of any active platforms that utilize SSO, which essentially allows them to move freely between numerous accounts.

Trevor Hilligoss, Director of Security Research at SpyCloud.

“This is a massive exposure risk and most organizations are unaware of the threat it poses or what to do to properly prevent or remediate.” 

SpyCloud’s researchers also identified over 171,500 Fortune 1000 employees who used an infostealer malware-infected device to log into corporate resources. Infostealers are an increasingly common variety of malware that siphons all manner of data from the affected machine, including data stored in the browser – login URLs, usernames, passwords, auto-fill data, and much more. 

This level of exposure is dangerous for industries across the board, as this siphoned data can continue to plague the security of user information and business systems long after a device is wiped clean.

“Employees using infected corporate or personal devices pose a risk for their organizations. As an employee, they may have access to their corporate networks and applications on those devices, and stolen data from these devices can be used to harm their employer,” said Hilligoss. “Fortune 1000 companies cannot bet solely on traditional solutions and cybersecurity training to keep them safe. Instead, to remediate malware infections, organizations must focus on resetting passwords for affected applications and invalidating active sessions to negate opportunities for session hijacking. This post-infection remediation approach is critical to shut down entry points for future attacks.”

SpyCloud additionally identified nearly 31 million malware-infected consumers of Fortune 1000 companies. Security teams continue to struggle to defend against fraud resulting from malware. Visibility into exfiltrated data from these devices places a lens on the information circulating on the dark web and how it can be used. Criminals can utilize credentials, PII and other sensitive details to fabricate synthetic identities, and use them to perpetrate fraud that affects a business’ bottom line. Knowing what was revealed from an infected-device allows organizations to take preventative steps to better authenticate legitimate users and minimize losses. 

To reduce the hazards of exposed employee and third-party identities, Fortune 1000 enterprises need a multi-layered strategy. Security teams should enforce strong password policies, mandate the use of password managers to create and store unique passwords for every account, enforce MFA, and implement a robust post-infection remediation approach to enhance their incident response.

Additional key findings from the report include:

The technology sector shows consistently poor cyber hygiene.
  • The technology sector has the highest number of malware-infected employees (67,723) and consumers (13.22 million); the highest number of exposed corporate credentials (7.52 million); and the most exposed malware cookie records of all industries, with 1.51 billion.
Malware poses a significant risk to employees in the financials sector.
  • SpyCloud uncovered a nearly 300% year-over-year increase in malware-infected employees tied to financial companies (15,274).
  • The financials sector had the worst password reuse rate (68%).
C-Suite exposures put sensitive data, intellectual property and financials at risk.
  • SpyCloud identified over 935,786 stolen assets from 87,741 exposed C-level employees.

To download the full report and discover how SpyCloud helps organizations disrupt cybercrime and defend against malware, ransomware and online fraud, visit:

About SpyCloud

SpyCloud transforms recaptured darknet data to protect businesses from cyberattacks. Its products operationalize Cybercrime Analytics (C2A) to produce actionable insights that allow enterprises to proactively prevent ransomware and account takeover, protect their business from consumer fraud losses, and investigate cybercrime incidents. Its unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to nearly 200 cybersecurity experts whose mission is to make the internet a safer place.

To learn more and see insights on your company’s exposed data, visit

Recent Posts

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

[What’s New] Check Your Exposure has been expanded with more recaptured data. See Your Results Now

Close this search box.