
SpyCloud Annual Identity Exposure Report 2024

Analysis of Next-Level Cyber Threats, Unlocked

Welcome to the Showdown: Cybercriminals Step Up Their Game

The Fight Over Digital Identities

Digital identities are embedded in our lives, and their expansiveness makes it harder and harder to protect our accounts and business systems from attacks. The body of data stolen by criminals and traded between bad actors has continued to scale dramatically, year over year. 

Case in point: SpyCloud’s total collection of recaptured data has grown to more than 43.7 billion distinct identity records collected.

To further complicate an already complex threat landscape, malicious actors are moving beyond the traditional use of stolen username and password pairs to perpetrate crimes against consumers and organizations. In targeted attacks, actors have developed the capability to search for information about their victims across many distinct stolen datasets. 

Using expanded datasets, criminals have dramatically increased the scope of their attack patterns, based upon identity records that come from different sources and that can be linked together using PII, like social security numbers or social handles. In this way, users now have to worry about their combined digital identity, which can be formed by cross-referencing all of the information that has been stolen about them from dozens or hundreds of sources.

To make matters even worse, criminals have responded to improved authentication technologies by sidestepping user authentication methods altogether. Bad actors can access stolen session cookies and 2FA secrets to impersonate their victims, making it extremely difficult to differentiate between legitimate users and criminals.  

As you’ll see in this report, we’ve observed an increase in next-generation identity attacks that force us to expand our definition of digital identities and the measures we use to protect ourselves.


Based on our analysis of the average digital identity exposed and traded in the criminal underground last year:

Why We Do This Report

Threats to digital identities are nothing new. However, the fast pace and stealthy nature of a dynamic criminal underground make it hard for security teams to keep up and proactively defend against new threats. 

SpyCloud researchers and data scientists examine the trends related to identity exposure in the criminal underground every year. We keep a tight pulse on darknet activity to understand how stolen data exposes organizations and consumers to cybercrimes like account takeover, session hijacking, fraud, and ransomware. 

While we consistently see the number of exposed identities growing, in recent years we’ve also detected a shift in the type of data that malicious actors rely on to compromise identities. In response to this shift, we continue to expand our data sets to explore how emerging and evolving threats put consumers and organizations at further risk.




1. Digital Identities are a Top Attack Vector

SpyCloud’s data shows that the scale of identity exposure today is massive. Our analysis of random email address samples recaptured in 2023 found that for a given person’s digital identity, there is, on average:


With malicious actors gathering and using data across many stolen datasets, this type of information and associated access details and PII provide a slew of opportunities for malicious actors to gain access into an organization or application.


2. Malware Infections as a Major Player in Identity Exposure

SpyCloud’s data illustrates how pervasive and considerable the infostealer threat is. Of the 3,478 breaches we analyzed, 2,115 (61% of total breaches) were malware-related and included 343.78 million stolen credentials. With valid credentials in hand, cybercriminals have a fast shortcut into employee and customer accounts.


3. Passwords on Replay

Password reuse rates remain incredibly high among users. 

We found a 74% reuse rate for users exposed in two or more breaches in the last year, an uptick from the previous year’s 72%. The all-time historical reuse rate – indicating continued reuse of old, previously-exposed passwords – has climbed as well: from 54% for all years through 2022, to 61% through 2023.

Organizations are spending a lot of effort and resources to change user behavior through security awareness and training, as well as the implementation of password policies. Our research unfortunately shows that those programs are not significantly improving password hygiene.

123456: Exposed Popular Passwords

Every year, it comes as no surprise to see “123456” and its variations at the top of the common passwords list, but commonly used passwords also give us a glimpse into burning topics that dominate pop culture. What preoccupied our collective minds last year?

SpyCloud recaptured a total of nearly 1.38 billion passwords circulating the darknet in 2023, an 81.5% year-over-year increase from 759 million in 2022.

  • The five-month Hollywood writers’ strike: WGA / hollywood / SAG / AFTRA / strike
  • NBA / NBA basketball / bball / NBA playoffs
  • The big “Halo: The Master Chief” update: halo / master chief / xbox
  • Global soccer legend Leo Messi signs to Miami: inter miami / mls / leagues cup / messi
  • UFOs create a stir in Congress: aliens / UFO / area51
  • Bethesda Games launches a new universe: starfield / constellation / bethesda / xbox
  • Miley Cyrus’s top-charting year: miley / miley cyrus / used to be young / flowers
  • barbie / barbie movie / hi barbie / i am kenough / barbie world
  • taylor swift / taytay swift / swiftie / eras tour / tswift / midnights


4. Singled Out: The Government Sector

723 breaches containing .gov emails in 2023, compared to 695 in 2022 and 611 in 2021.

The story got worse when we analyzed password reuse rates among government employees.

We found a 67% reuse rate for .gov users exposed in two or more breaches in the last year, an uptick from the previous year’s 61%. The all-time .gov reuse rate remains high as well at 54% – meaning they aren’t just reusing older passwords but are potentially using exposed passwords from as far back as 2016.

Government employees are just as guilty as their commercial sector peers of using easy-to-guess passwords. The most common passwords associated with .gov emails were:


5. Pass Go, Collect 200 PII

SpyCloud recaptured 32.22 billion PII assets in 2023, a nearly 4X jump from 8.6 billion in 2022.

We found nearly 200 types of PII, ranging from everyday details like names and addresses to more concerning types like passport numbers, dates of birth, bank account data, credit cards, and social security numbers.

The categories with some of the largest numbers in 2023 included:

920.25 MILLION
171.61 MILLION

Malware Trumps All, Though

For this year’s report, we doubled down on our efforts to understand the impact of malware, following a notable shift in threat actors’ tactics and the amplified role of underground marketplaces.

Last year alone, we recaptured:

  • More than 343.78 million malware-exfiltrated credentials
  • More than 100,000 master passwords from eight market-leading password managers. Each of these master passwords represents the proverbial keys to the kingdom, unlocking access to hundreds of user accounts, and proving that no security tool is infallible. While password managers and other authentication controls like MFA are solid best practices, organizations need to think beyond traditional guardrails to address the risk of malware-exfiltrated data.

Infostealer logs contain far more than credentials. The breadth of data includes not only everything cybercriminals need to emulate a device fingerprint and take over a digital identity, but also financial information such as credit card information, crypto wallet info, and even device screenshots.

Additionally, SpyCloud recaptured more than 4.7 million third-party application credentials harvested by malware on managed and unmanaged devices, including many popular business tools.

The top five most common categories of third-party tools in our recaptured data included:

Malware’s Next Move: Infostealer Families to Watch

Our analysis of data exfiltrated by LummaC2 showed that a log from a successful infection was three times as large as from other infostealers, including prominent families like Raccoon and RedLine Stealer.

And a New Character Enters the Game: Mobile Malware

We recaptured more than 10.58 million mobile records siphoned by malware between August and December of 2023. The implications go far beyond individual device users – and beyond financial losses. While financial fraud is a major motive behind mobile malware attacks, a successful attack can also lead to sensitive data compromise, disruption of operations, and reputational damage. Yet IT and SOC teams have limited or no visibility into mobile devices and struggle to secure them – leaving a massive gap in exposure.

Other Easter Eggs

The emerging trends we observed in 2023 had a recurring theme: malicious actors are taking full advantage of the expanding digital identity. Targeted data now ranges from financial information (easily obtainable via mobile malware) to API keys and webhooks.

  • Crypto wallet data: Several infostealers, including Raccoon and RedLine Stealer, have been modified to steal crypto wallet information. New families, like LummaC2, come ready with this capability. These stealers harvest keys from so-called hot wallets, which hold digital cryptocurrency. Many users of cryptocurrency assume their wallets are anonymous, but infostealers put PII and wallet details together in the hands of cybercriminals. With this data available in the criminal underground, people can no longer expect their identities to be masked from their transaction history.
  • macOS malware: Concerns about infostealers are no longer limited to Windows. SpyCloud researchers have observed an uptick in macOS infections, especially from Atomic macOS Stealer variants. This infostealer harvests system information, keychain passwords, files, crypto wallet info, and even macOS passwords. SOC teams need to watch these developments closely because personal devices like MacBooks are frequently used at home to access corporate networks and applications.

The Victory Token: Stolen Session Cookies

All infostealer-siphoned data is immensely valuable due to its high fidelity, but session cookies and tokens stored in a browser are a true bonanza. With valid stolen authentication cookies in hand, cybercriminals can simply sidestep any authentication mechanism, including MFA, and hijack a session in an instant.

Last year, SpyCloud recaptured more than 20 billion cookie records, with an average of more than 2,000 records per infected device. This indicates that leveraging malware-siphoned session cookies for next-generation account takeover is quickly becoming a valued tactic. As more organizations adopt passwordless authentication, we expect to see this method escalate.

Gotta Recapture ‘Em All: Notable Data Breaches in 2023

Plenty of high-profile data breaches make the news every year. But there are thousands of other large breaches that no one hears about – no one outside of a select group of criminals, that is. 

These breaches are first shared only in small, private criminal channels for fast, high-return monetization before they’re offered to a broader darknet audience. SpyCloud recaptures this data as quickly as possible; we ingest it into our data lake daily as a “sensitive source” until the breached organization reports it publicly.

Here are some of the data leaks that caught our attention circulating on the darknet last year:

364,664,942 records leaked
Twitter (now X)
203,873,329 records leaked