SpyCloud, the leader in identity threat protection, today released the 2025 SpyCloud Identity Threat Report, revealing that while 86% of security leaders report confidence in their ability to prevent identity-based attacks, 85% of organizations were affected by a ransomware incident at least once in the past year – with over one-third affected between six and ten times.
Further illustrating the gap between perceived confidence and actual exposure, the market survey of over 500 security leaders across North America and the UK revealed that over two-thirds of organizations are significantly or extremely concerned about identity-based cyberattacks, yet only 38% can detect historical identity exposures that create risk due to poor cyber hygiene like credential reuse. As organizations grapple with sprawling digital identities across SaaS platforms, unmanaged devices, and third-party ecosystems, attackers are capitalizing on these gaps.
“From phishing and infostealer infections to reused credentials and unmanaged access, today’s threat actors are exploiting overlooked identity exposures,” said Damon Fleury, SpyCloud’s Chief Product Officer. “These tactics allow adversaries to bypass traditional defenses and quietly establish access that can lead to follow-on attacks like ransomware, account takeover, session hijacking, and fraud. This report surfaces the critical truth that many organizations feel prepared but their defenses don’t extend to the places adversaries are now operating.”
Identity Sprawl is Expanding the Attack Surface
Identity has become the gravitational center of modern cyber threats. An individual’s digital identity now spans hundreds of touchpoints, including corporate and personal credentials, session cookies, financial data, and personally identifiable information (PII) across SaaS platforms, managed and unmanaged devices, and third-party applications.
These elements when exposed on the darknet create a vast, interconnected attack surface ripe for exploitation. SpyCloud has recaptured 63.8 billion distinct identity records from the dark web, a 24% increase year-over-year. This illustrates the unprecedented scale of data circulating in the criminal underground, leaving organizations vulnerable because they lack the visibility and automation needed to shut down these exposures before they become additional entry points for follow-on identity-based attacks.
This surge in exposure is fueling broad concern. Nearly 40% of organizations surveyed identified four or more identity-centric threats as “extreme” concerns, with phishing (40%), ransomware (37%), nation-state adversaries (36%), and unmanaged or unauthorized devices (36%) leading the list.
Insider Threats Begin with Identity Compromise
The report also highlights that insider threats, whether malicious or unwitting, often share a common origin: identity compromise.
Nation-state actors, including North Korean IT operatives, are leveraging stolen or synthetic identities to infiltrate organizations by posing as legitimate contractors or employees. SpyCloud’s investigative findings show that attackers are assembling synthetic identities using phished cookies, malware-exfiltrated API keys, and reused credentials to pass background checks and weak screening processes. Further emphasizing this point, previous SpyCloud research found that 60% of organizations still rely on manual, ad-hoc communication between HR and security teams. Without hardened security screening that gives organizations visibility into candidates’ historical identity misuse and connections to criminal infrastructure, these actors can remain undetected until it’s too late.
At the same time, legitimate employees, contractors, or partners may unknowingly introduce risk when their identities are compromised. These unwitting insiders are frequently targeted through phishing and infostealer malware, resulting in stolen credentials and session cookies that provide persistent access to internal systems.
Phishing, in particular, was cited as the leading entry point for ransomware in 2025, accounting for 35% of incidents – a 10-point increase over the previous year.
Defenses Fall Short in Responding to Identity-Based Threats
Despite growing awareness of identity-driven threats, most organizations are not equipped to respond effectively:
- 57% lack strong capabilities to invalidate exposed sessions
- Nearly two-thirds lack repeatable remediation workflows
- About two-thirds do not have formal investigation protocols
- Less than 20% can automate identity remediation across systems
Only 19% of organizations have automated identity remediation processes in place. The rest rely on case-by-case investigation or incomplete playbooks that leave gaps attackers can exploit.
“The defense mission has changed,” said Trevor Hilligoss, SpyCloud’s Head of Security Research. “Attackers are opportunistic, chaining together stolen identity data to find any available access point. Yet traditional defenses remain narrowly focused on behavior and endpoints – missing the identity exposures that enable persistent, undetected access. The data shows organizations must extend protection to the identity layer, and keep a continuous eye on exposures and remediation to shut down threats before follow-on attacks can occur.”
Closing Identity Gaps Before Insider Threats Escalate
The report underscores the need for a holistic approach to identity protection. This means continuously correlating exposures across users’ full digital footprint – including past and present, personal and corporate identities – and automating remediation of compromised credentials, cookies, PII, and access tokens. In doing so, organizations move beyond account-level protection and gain visibility into identity risks threat actors were previously exploiting.
SpyCloud’s holistic identity intelligence empowers organizations to prevent identity-based threats by:
- Detecting fraudulent job candidates before access is granted
- Identifying compromised employees and users across devices and environments
- Invalidating exposed sessions and credentials at scale
- Accelerating investigations through automated correlation of darknet exposure data
“Teams that excel in identity security know exactly where exposures exist, can address them at scale, operate with clearly defined responsibilities, and continually adapt rather than simply react,” added Fleury. “The future belongs to those who treat identity as mission-critical – building systems that detect compromise early, respond decisively, and beat threat actors from launching further attacks while keeping a strong and secure workforce.”
Users can click here to access the full report or contact SpyCloud to learn more.
About SpyCloud
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.
To learn more and see insights on your company’s exposed data, users can visit spycloud.com.
Contact
Emily Brown
REQ on behalf of SpyCloud
ebrown@req.co
