SpyCloud Report: 2/3 Orgs Extremely Concerned About Identity Attacks But Major Blind Spots Persist

SpyCloud, the leader in identity threat protection, today launched the 2025 SpyCloud Identity Threat Report, revealing that while 86% of security leaders report confidence in their ability to prevent identity-based attacks, 85% of organizations were affected by a ransomware incident at least once in the past year – with over one-third affected between six and ten times.

Further illustrating the gap between perceived confidence and actual exposure, the market survey of over 500 security leaders across North America and the UK revealed that over two-thirds of organizations are significantly or extremely concerned about identity-based cyberattacks, yet only 38% can detect historical identity exposures that create risk due to poor cyber hygiene like credential reuse. As organizations grapple with sprawling digital identities across SaaS platforms, unmanaged devices, and third-party ecosystems, attackers are capitalizing on these gaps.

“From phishing and infostealer infections to reused credentials and unmanaged access, today’s threat actors are exploiting overlooked identity exposures,” said Damon Fleury, SpyCloud’s Chief Product Officer. “These tactics allow adversaries to bypass traditional defenses and quietly establish access that can lead to follow-on attacks like ransomware, account takeover, session hijacking, and fraud. This report surfaces the critical truth that many organizations feel prepared but their defenses don’t extend to the places adversaries are now operating.”

Identity Sprawl is Expanding the Attack Surface

Identity has become the gravitational center of modern cyber threats. An individual’s digital identity now spans hundreds of touchpoints, including corporate and personal credentials, session cookies, financial data, and personally identifiable information (PII) across SaaS platforms, managed and unmanaged devices, and third-party applications.

These elements when exposed on the darknet create a vast, interconnected attack surface ripe for exploitation. SpyCloud has recaptured 63.8 billion distinct identity records from the dark web, a 24% increase year-over-year. This illustrates the unprecedented scale of data circulating in the criminal underground, leaving organizations vulnerable because they lack the visibility and automation needed to shut down these exposures before they become additional entry points for follow-on identity-based attacks.

This surge in exposure is fueling broad concern. Nearly 40% of organizations surveyed identified four or more identity-centric threats as “extreme” concerns, with phishing (40%), ransomware (37%), nation-state adversaries (36%), and unmanaged or unauthorized devices (36%) leading the list.

Insider Threats Start with Identity Compromise

The report also highlights that insider threats, whether malicious or unwitting, often share a common origin: identity compromise.

Nation-state actors, including North Korean IT operatives, are leveraging stolen or synthetic identities to infiltrate organizations by posing as legitimate contractors or employees. SpyCloud’s investigative findings show that attackers are assembling synthetic identities using phished cookies, malware-exfiltrated API keys, and reused credentials to pass background checks and weak screening processes. Further emphasizing this point, previous SpyCloud research found that 60% of organizations still rely on manual, ad-hoc communication between HR and security teams. Without hardened security screening that gives organizations visibility into candidates’ historical identity misuse and connections to criminal infrastructure, these actors can remain undetected until it’s too late.

At the same time, legitimate employees, contractors, or partners may unknowingly introduce risk when their identities are compromised. These unwitting insiders are frequently targeted through phishing and infostealer malware, resulting in stolen credentials and session cookies that provide persistent access to internal systems.

Phishing, in particular, was cited as the leading entry point for ransomware in 2025, accounting for 35% of incidents – a 10-point increase over the previous year.

Defenses Fall Short in Responding to Identity-Based Threats

Despite growing awareness of identity-driven threats, most organizations aren’t equipped to respond effectively:

  • 57% lack strong capabilities to invalidate exposed sessions
  • Nearly two-thirds lack repeatable remediation workflows
  • About two-thirds do not have formal investigation protocols
  • Less than 20% can automate identity remediation across systems

Only 19% of organizations have automated identity remediation processes in place. The rest rely on case-by-case investigation or incomplete playbooks that leave gaps attackers can exploit.

“The defense mission has changed,” said Trevor Hilligoss, SpyCloud’s Head of Security Research. “Attackers are opportunistic, chaining together stolen identity data to find any available access point. Yet traditional defenses remain narrowly focused on behavior and endpoints – missing the identity exposures that enable persistent, undetected access. The data shows organizations must extend protection to the identity layer, and keep a continuous eye on exposures and remediation to shut down threats before follow-on attacks can occur.”

Closing Identity Gaps Before Insider Threats Escalate

The report underscores the need for a holistic approach to identity security. This means continuously correlating exposures across users’ full digital footprint – including past and present, personal and corporate identities – and automating remediation of compromised credentials, cookies, PII, and access tokens. In doing so, organizations move beyond account-level protection and gain visibility into identity risks threat actors were previously exploiting.

SpyCloud’s holistic identity intelligence empowers organizations to prevent identity-based threats by:

  • Detecting fraudulent job candidates before access is granted
  • Identifying compromised employees and users across devices and environments
  • Invalidating exposed sessions and credentials at scale
  • Accelerating investigations through automated correlation of darknet exposure data

“Teams that excel in identity security know exactly where exposures exist, can address them at scale, operate with clearly defined responsibilities, and continually adapt rather than merely react,” added Fleury. “The future belongs to those who treat identity as mission-critical – building systems that detect compromise early, respond decisively, and prevent threat actors from launching further attacks while protecting a strong and secure workforce.”

Users can click here to access the full report or contact SpyCloud to learn more.

About SpyCloud

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on your company’s exposed data, users can visit spycloud.com.

Contact

Emily Brown

REQ on behalf of SpyCloud

ebrown@req.co
