Welcome to the Showdown: Cybercriminals Step Up Their Game
The Fight Over Digital Identities
Digital identities are embedded in our lives, and their expansiveness makes it harder and harder to protect our accounts and business systems from attacks. The body of data stolen by criminals and traded between bad actors has continued to scale dramatically, year over year.
Case in point: SpyCloud’s total collection of recaptured data has grown to more than 43.7 billion distinct identity records.
To further complicate an already complex threat landscape, malicious actors are moving beyond the traditional use of stolen username and password pairs to perpetrate crimes against consumers and organizations. In targeted attacks, actors have developed the capability to search for information about their victims across many distinct stolen datasets.
Using expanded datasets, criminals have dramatically increased the scope of their attack patterns, based upon identity records that come from different sources and that can be linked together using PII, like social security numbers or social handles. In this way, users now have to worry about their combined digital identity, which can be formed by cross-referencing all of the information that has been stolen about them from dozens or hundreds of sources.
To make matters even worse, criminals have responded to improved authentication technologies by sidestepping user authentication methods altogether. Bad actors can access stolen session cookies and 2FA secrets to impersonate their victims, making it extremely difficult to differentiate between legitimate users and criminals.
Cybercriminals are clearly cashing in on this opportunity, which is why the global cost of cybercrime is forecasted to nearly triple by 2027, from $8.44 trillion in 2022 to $23.84 trillion.
We see this exponential growth reflected in our repository of data recaptured from the darknet, which totals more than 560 billion stolen assets as of the publishing of this report.
As you’ll see in this report, we’ve observed an increase in next-generation identity attacks that force us to expand our definition of digital identities and the measures we use to protect ourselves.
THE DIGITAL IDENTITY IN 2023
Based on our analysis of the average digital identity exposed and traded in the criminal underground last year:
Why We Do This Report
Threats to digital identities are nothing new. However, the fast pace and stealthy nature of a dynamic criminal underground make it hard for security teams to keep up and proactively defend against new threats.
SpyCloud researchers and data scientists examine the trends related to identity exposure in the criminal underground every year. We keep a tight pulse on darknet activity to understand how stolen data exposes organizations and consumers to cybercrimes like account takeover, session hijacking, fraud, and ransomware.
While we consistently see the number of exposed identities growing, in recent years we’ve also detected a shift in the type of data that malicious actors rely on to compromise identities. In response to this shift, we continue to expand our data sets to explore how emerging and evolving threats put consumers and organizations at further risk.
[Infographic: the 2023 digital identity now extends to credit cards, crypto addresses, session cookies, API keys, and webhooks]
Trends
1. Digital Identities are a Top Attack Vector
Cloud applications, remote work, mobile device use, and online services have placed digital identities at the heart of our personal and professional lives. Consequently, the digital identity has become a top attack vector – 90% of surveyed organizations reported an identity-related breach in the past year.
Stolen credentials are still a popular tool for criminals to gain initial entry to systems and applications. But digital identities have evolved well beyond the traditional username and password combination, and all signs point to malicious actors exploiting each piece of data they can steal.
SpyCloud’s data shows that the scale of identity exposure today is massive. Our analysis of random email address samples recaptured in 2023 found that for a given person’s digital identity, there is, on average:
[Infographic: average number of usernames/other identifiers, emails, associated breaches, and breach records per digital identity]
With malicious actors gathering and using data across many stolen datasets, this type of information and associated access details and PII provide a slew of opportunities for malicious actors to gain access into an organization or application.
2. Malware Infections as a Major Player in Identity Exposure
The rapid rise of malware, specifically infostealers, is one of the biggest trends we continue to observe. In 2023 alone, infostealer malware use tripled. We saw stealers skyrocket in our recaptured data lake, with as many as 1 in 5 people already the victims of an infostealer infection.
The reasons behind infostealers’ climb to stardom are clear. They are cheap, highly effective in exfiltrating a treasure trove of useful data, and yield a high return on investment. The shift to malware-as-a-service models is an additional boon – and research suggests that 24% of malware distributed as a service is from infostealer families.
SpyCloud’s data illustrates how pervasive and considerable the infostealer threat is. Of the 3,478 breaches we analyzed, 2,115 – 61% of total breaches – were malware-related and included 343.78 million stolen credentials. With valid credentials in hand, cybercriminals have a fast shortcut into employee and customer accounts.
3. Passwords on Replay
Password reuse rates remain incredibly high among users.
We found a 74% reuse rate for users exposed in two or more breaches in the last year, an uptick from the previous year’s 72%. The all-time historical reuse rate – indicating continued reuse of old, previously-exposed passwords – has climbed as well: from 54% for all years through 2022, to 61% through 2023.
Organizations are spending a lot of effort and resources to change user behavior through security awareness and training, as well as the implementation of password policies. Our research unfortunately shows that those programs are not significantly improving password hygiene.
123456: Exposed Popular Passwords
Every year, it comes as no surprise to see “123456” and its variations at the top of the common passwords list, but commonly used passwords also give us a glimpse into burning topics that dominate pop culture. What preoccupied our collective minds last year?
SpyCloud recaptured a total of nearly 1.38 billion passwords circulating the darknet in 2023, an 81.5% year-over-year increase from 759 million in 2022.
The hottest pop culture trend is fantasy football. As of 2023, an estimated 29.2 million Americans play it, which perhaps explains why football/fantasy football/ffl/NFL showed up over 1.1 million times on our list of most commonly exposed passwords.
Other pop culture topics that wormed their way into hearts and passwords last year included:
1,134,737
The five-month Hollywood writers’ strike
WGA / hollywood / SAG / AFTRA / strike
1,006,519
The NBA playoffs, the most watched in five years
NBA / NBA basketball / bball / NBA playoffs
717,032
The big “Halo: The Master Chief” update
halo / master chief / xbox
398,464
Global soccer legend Leo Messi signs to Miami
inter miami / mls / leagues cup / messi
335,989
UFOs create a stir in Congress
aliens / UFO / area51
268,318
Bethesda Games launches a new universe
starfield / constellation / bethesda / xbox
257,885
Miley Cyrus’s top-charting year
miley / miley cyrus / used to be young / flowers
149,273
The billion-dollar box-office hit “Barbie”
barbie / barbie movie / hi barbie / i am kenough / barbie world
119,289
Taylor Swift remains top-of-mind
taylor swift / taytay swift / swiftie / eras tour / tswift / midnights
4. Singled Out: The Government Sector
Digital identity exposure may have even bigger implications for the government sector, given that nation-states and other sophisticated actors target critical infrastructure agencies. Yet SpyCloud data shows that government identity exposure has not improved.
To learn how government agencies fared in breaches last year, we analyzed our recaptured data for emails associated with government domains.
We found 723 breaches containing .gov emails in 2023, compared to 695 in 2022 and 611 in 2021.
The story got worse when we analyzed password reuse rates among government employees.
We found a 67% reuse rate for .gov users exposed in two or more breaches in the last year, an uptick from the previous year’s 61%. The all-time .gov reuse rate remains high as well at 54% – meaning they aren’t just reusing older passwords but are potentially using exposed passwords from as far back as 2016.
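The reuse rates quoted in the “Passwords on Replay” section and in the .gov figures above are easy to misread, so here is a worked computation of that kind of metric. This is an added example, not SpyCloud’s code or methodology: the report does not publish how it defines the metric, so the definition in the docstring (users seen in two or more distinct breaches, of whom those with one password appearing in at least two of those breaches count as reusers) is an assumption, and the breach records are constructed. The same function produces the all-time variant by leaving `years` unset, and the .gov subset by passing a domain suffix.

```python
from collections import defaultdict

# Constructed breach records: (email, plaintext password, breach name, year of exposure).
# Illustrative values only; none of this is SpyCloud data.
RECORDS = [
    ("alice@example.com", "Summer2023!", "breach-a", 2023),
    ("alice@example.com", "Summer2023!", "breach-b", 2023),  # same password in two breaches: reuse
    ("bob@example.com", "hunter2", "breach-a", 2023),
    ("bob@example.com", "correct-horse", "breach-c", 2023),  # two breaches, distinct passwords: no reuse
    ("carol@example.com", "123456", "breach-b", 2023),       # one breach only: not in the denominator
    ("dan@agency.gov", "Welcome1", "breach-a", 2023),
    ("dan@agency.gov", "Welcome1", "breach-d", 2023),        # .gov user reusing within the year
    ("erin@agency.gov", "Welcome1", "breach-a", 2016),       # old exposure, the pattern the 2016 remark describes
    ("erin@agency.gov", "Welcome1", "breach-d", 2023),       # the same 2016 password surfaces again in 2023
    ("erin@agency.gov", "N3wPass!", "breach-e", 2023),
]


def reuse_rate(records, years=None, domain_suffix=None):
    """Return (rate, users_in_two_or_more_breaches, reusing_users).

    Assumed definition (the report does not publish its exact methodology): among
    users exposed in two or more distinct breaches within `years`, the share whose
    records show the same password in at least two of those breaches. `years=None`
    evaluates every year, i.e. the "all-time historical" variant of the metric.
    """
    by_user = defaultdict(lambda: defaultdict(set))  # email -> password -> {breach names}
    for email, password, breach, year in records:
        if years is not None and year not in years:
            continue
        if domain_suffix and not email.lower().endswith(domain_suffix):
            continue
        by_user[email.lower()][password].add(breach)

    multi_breach_users = reusing_users = 0
    for pw_to_breaches in by_user.values():
        all_breaches = set().union(*pw_to_breaches.values())
        if len(all_breaches) < 2:
            continue  # a single exposure says nothing about reuse
        multi_breach_users += 1
        if any(len(b) >= 2 for b in pw_to_breaches.values()):
            reusing_users += 1

    rate = reusing_users / multi_breach_users if multi_breach_users else 0.0
    return rate, multi_breach_users, reusing_users


if __name__ == "__main__":
    print("2023, all users:", reuse_rate(RECORDS, years={2023}))
    print("2023, .gov only:", reuse_rate(RECORDS, years={2023}, domain_suffix=".gov"))
    print("all-time, .gov: ", reuse_rate(RECORDS, domain_suffix=".gov"))
```

Note how the all-time .gov rate on this sample is higher than the in-year rate: erin’s 2016 password is only counted as reused once records from that year are in scope, which is exactly the effect the report describes when it says historical reuse keeps climbing.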
Government employees are just as guilty as their commercial sector peers of using easy-to-guess passwords. The most common passwords associated with .gov emails were:
5. Pass Go, Collect 200 PII
Nearly 70% of surveyed businesses say their fraud losses have risen in recent years. Vast amounts of exposed PII fuel these trends.
SpyCloud recaptured 32.22 billion PII assets in 2023, a nearly 4X jump from 8.6 billion in 2022.
We found nearly 200 types of PII, ranging from everyday details like names and addresses to more concerning types like passport numbers, dates of birth, bank account data, credit cards, and social security numbers.
The categories with some of the largest numbers in 2023 included:
3.16 billion: full name
2.14 billion: phone number
920.25 million: date of birth
171.61 million: social security and national ID number
36.97 million: credit card number
16.03 million: driver’s license and passport numbers
Malware Trumps All, Though
For this year’s report, we doubled down on our efforts to understand the impact of malware, following a notable shift in threat actors’ tactics and the amplified role of underground marketplaces.
Last year alone, we recaptured:
More than 343.78 million malware-exfiltrated credentials
More than 100,000 master passwords from eight market-leading password managers. Each of these master passwords represents the proverbial keys to the kingdom, unlocking access to hundreds of user accounts and proving that no security tool is infallible. While password managers and other authentication controls like MFA are solid best practices, organizations need to think beyond traditional guardrails to address the risk of malware-exfiltrated data.
Infostealer logs contain far more than credentials. The breadth of data includes not only everything cybercriminals need to emulate a device fingerprint and take over a digital identity, but also financial information such as credit card information, crypto wallet info, and even device screenshots.
Additionally, SpyCloud recaptured more than 4.7 million third-party application credentials harvested by malware on managed and unmanaged devices, including many popular business tools.
The top five most common categories of third-party tools in our recaptured data included:
Malware’s Next Move: Infostealer Families to Watch
The records we recaptured in 2023 were siphoned by 52 infostealer families. Four of these families were new to the scene last year: Atomic Stealer, Mystic, Exela, and Atlantida. Two others, LummaC2 and RisePro, emerged in the second half of 2022 but grew exponentially in 2023. For instance, LummaC2 records in our data lake skyrocketed by more than 2,000% in less than six months.
Our analysis of data exfiltrated by LummaC2 showed that a log from a successful infection was three times as large as from other infostealers, including prominent families like Raccoon and RedLine Stealer.
And a New Character Enters the Game: Mobile Malware
We recaptured more than 10.58 million mobile records siphoned by malware between August and December of 2023. The implications go far beyond individual device users – and beyond financial losses. While financial fraud is a major motive behind mobile malware attacks, a successful attack can also lead to sensitive data compromise, disruption of operations, and reputational damage. Yet IT and SOC teams have limited or no visibility into mobile devices and struggle to secure them – leaving a massive gap in exposure.
Other Easter Eggs
The emerging trends we observed in 2023 had a recurring theme: malicious actors are taking full advantage of the expanding digital identity. Targeted data now ranges from financial information (easily obtainable via mobile malware) to API keys and webhooks.
API keys and webhooks are of particular concern because they enable service provider abuse that unlocks sensitive data. Cybercriminals steal API keys through malware infections and distribute them to other bad actors. Even if an infected device is remediated, the stolen keys can be used for follow-on attacks for as long as they remain active. But SOC teams usually don’t know when this data is stolen and consequently cannot undertake proper post-infection remediation, like rotating exposed keys.
Crypto wallet data: Several infostealers, including Raccoon and RedLine Stealer, have been modified to steal crypto wallet information. New families, like LummaC2, come ready with this capability. These stealers harvest keys from so-called hot wallets, which hold digital cryptocurrency. Many users of cryptocurrency assume their wallets are anonymous, but infostealers put PII and wallet details together in the hands of cybercriminals. With this data available in the criminal underground, the expectation people have of their identities being masked from their transaction history is no longer true.
macOS malware: Concerns about infostealers are no longer limited to Windows. SpyCloud researchers have observed an uptick in macOS infections, especially from Atomic macOS Stealer variants. This infostealer harvests system information, keychain passwords, files, crypto wallet info, and even macOS passwords. SOC teams need to watch these developments closely because personal devices like MacBooks are frequently used at home to access corporate networks and applications.
2FA tokens: Organizations have made strides toward hardening their credentials, adding 2FA/MFA as an additional protection layer. So of course malicious actors are adapting and looking for vulnerabilities in these same tools. As noted earlier, newer infostealer families like LummaC2 are already stealing 2FA tokens. Criminals are also adapting to a passwordless future, developing ways to steal passkeys or sidestepping authentication altogether through session hijacking and other forms of next-generation account takeover.
The Victory Token: Stolen Session Cookies
All infostealer-siphoned data is immensely valuable due to its high fidelity, but session cookies and tokens stored in a browser are a true bonanza. With valid stolen authentication cookies in hand, cybercriminals can simply sidestep any authentication mechanism including MFA and hijack a session in an instant.
Last year, SpyCloud recaptured more than 20 billion cookie records, with an average of more than 2,000 records per infected device. This indicates that leveraging malware-siphoned session cookies for next-generation account takeover is quickly becoming a valued tactic. As more organizations adopt passwordless authentication, we expect to see this method escalate.
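The section above explains why a replayed session cookie is so hard to tell from a legitimate user: the server sees a valid token either way. What a SOC can still see is the client context the token arrives with. The following detection is an added example written for this page, not SpyCloud’s code or a product feature; the log format, the session ids, the TEST-NET addresses and the severity scheme are all constructed for illustration. It records the IP address and user agent seen when a session id first appears and flags later requests on that session that arrive from a different client.

```python
import re

# Format of the constructed access-log lines: timestamp, session id, client IP, user agent.
LOG_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')

# Constructed sample log (not real traffic; TEST-NET addresses). Session s1 is later
# presented from a different address and a different client, the pattern a replayed
# stolen cookie produces. s2 is stable. s3 changes address only, as a phone roaming would.
SAMPLE_LOG = """\
2023-11-02T10:00:01Z sid=s1 ip=203.0.113.5 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/118"
2023-11-02T10:00:09Z sid=s2 ip=198.51.100.7 ua="Mozilla/5.0 (Macintosh) Safari/17.0"
2023-11-02T10:02:30Z sid=s1 ip=203.0.113.5 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/118"
2023-11-02T10:05:12Z sid=s1 ip=192.0.2.44 ua="python-requests/2.31"
2023-11-02T10:06:00Z sid=s3 ip=203.0.113.90 ua="Mozilla/5.0 (iPhone) Safari/17.0"
2023-11-02T10:40:00Z sid=s3 ip=203.0.113.91 ua="Mozilla/5.0 (iPhone) Safari/17.0"
2023-11-02T10:41:00Z sid=s2 ip=198.51.100.7 ua="Mozilla/5.0 (Macintosh) Safari/17.0"
this line is malformed and is skipped
"""


def detect_cookie_replay(log_text):
    """Return {session id: [(severity, reason), ...]} for sessions presented from a
    client context that differs from the one seen when the session first appeared.

    A user-agent change on an existing session is rated high: a browser does not
    change its identity mid-session, but a cookie copied out of a stealer log and
    loaded into another client does. An address change alone is rated low, since
    NAT and mobile roaming produce it routinely."""
    first_seen = {}   # sid -> (ip, ua) recorded on first sighting
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production parser would count these
        sid, ip, ua = m["sid"], m["ip"], m["ua"]
        if sid not in first_seen:
            first_seen[sid] = (ip, ua)
            continue
        ip0, ua0 = first_seen[sid]
        if ua != ua0:
            findings.setdefault(sid, []).append(
                ("high", f"{m['ts']}: user agent changed from {ua0!r} to {ua!r} (ip {ip0} -> {ip})"))
        elif ip != ip0:
            findings.setdefault(sid, []).append(
                ("low", f"{m['ts']}: ip changed from {ip0} to {ip}"))
    return findings


def sessions_to_revoke(findings):
    """Session ids with at least one high-severity finding: candidates for immediate
    invalidation and a forced re-authentication."""
    return sorted(sid for sid, hits in findings.items()
                  if any(sev == "high" for sev, _ in hits))


if __name__ == "__main__":
    result = detect_cookie_replay(SAMPLE_LOG)
    for sid, hits in result.items():
        for severity, reason in hits:
            print(f"[{severity}] {sid}: {reason}")
    print("revoke:", sessions_to_revoke(result))
```

The detection only works if the application can act on it: the same context captured at login can be bound to the session server-side so a mismatch forces re-authentication, and sessions tied to a device later found in a stealer log can be revoked outright rather than left to expire. Neither step needs the user’s password, which is the point when the password was never the thing that was stolen.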
Gotta Recapture ‘Em All: Notable Data Breaches in 2023
Plenty of high-profile data breaches make the news every year. But there are thousands of other large breaches that no one hears about – no one outside of a select group of criminals, that is.
These breaches are first shared only in small, private criminal channels for fast, high-return monetization before they’re offered to a broader darknet audience. SpyCloud recaptures this data as quickly as possible; we ingest it into our data lake daily as a “sensitive source” until the breached organization reports it publicly.
Here are some of the data leaks that caught our attention circulating on the darknet last year: