2026 SPYCLOUD IDENTITY EXPOSURE REPORT
The identity landscape is flooded with opportunities for attackers, and threats to defenders
Cybercriminals now have more than
opportunities to attack
In 2025, our datalake at SpyCloud expanded to 65.7B+ total distinct identity records recaptured from the criminal underground – a 23% increase from the previous year.
This surge in exposed identity data reflects a fundamental shift in the volume of identity-based attacks, driven by:
The sprawl of human and non-human digital identities across accounts, machines, applications, and systems.
Increased targeting of non-human identities (NHIs), such as API keys, tokens, and service accounts, and other high-value targets like password managers and AI tools.
Key findings in this report
An analysis of recaptured identity records from 2025 illustrates the vastness of identity data available to threat actors.
Phishing
phished records
People typically think about phishing as a consumer problem, but 49% of victims are corporate users. It’s basically an even split – demonstrating that enterprise security controls alone are not preventing identity compromise.
Infostealer malware
credentials from 13.2M new infections
40% of malware infections occurred on endpoints with EDR or antivirus tools installed, demonstrating that attackers routinely bypass traditional endpoint defenses to steal identity data.
Data breaches
breaches
averaging 457K identity records per breach
There is still a deluge of passwords and traditional credentials circulating the dark web…
credential pairs recaptured
(a 65% increase year-over-year)
third-party application credentials exposed
(a 450% increase year-over-year)
master passwords for password managers
As well as a new wave of exposed session cookies, AI tools, and NHIs.
stolen cookies recaptured
API keys and tokens exposed
authentication cookies or credentials for AI tools
Once identity data flows into the criminal underground, it takes on a life of its own, morphing and shaping potent downstream identity-based threats.
THE IDENTITY ATTACK SURFACE RUNS WIDE & DEEP – YOUR DEFENSES SHOULD TOO
SpyCloud’s Identity Threat Protection Maturity Model
Level 1
Level 2
Level 3
Prefer to listen?
Press play for an audio recap of key findings.
Just like we're using AI to move faster, criminals are using it to move faster. Sometimes it's finding a needle within a haystack. But with the engines that we've created, we're able to do that. Just like we're using AI to move faster, criminals are using it to move faster. They are using it to create more synthetic identities at scale, which allows us to leverage AI to combat the same thing. That's one way that the depth of our data is really working in our advantage. Because we have so much of it and the actors are producing even more that we have to work with, we have many more signals that we're able to drive. I think a big thing is the bad actors, you know, they follow certain patterns, right, when they're creating passwords or creating email addresses. They're people just like us. Exactly. And I think with our AI, we're able to detect those patterns. And so, you know, sometimes it's finding a needle within a haystack, but with the engines that we've created, we're able to do that. We have the opportunity to use those same tools to move just as quick or more quickly than those bad actors and take that information that they've collected and then bring it at that same light speed to our customers and bring it through our analytics so that everyone can understand what those bad actors are doing at the same speed at which they're moving.