SpyCloud report: 61% of data breaches in 2023 were malware related

March 26, 2024
The average identity has a 1 in 5 chance of already being a victim of infostealer malware infection.

SpyCloud today released its 2024 SpyCloud Identity Exposure Report, an annual report examining the latest trends in cybercrime and their impact on individuals and organizations. SpyCloud researchers recaptured 43.7 billion distinct identity assets in 2023, including nearly four times more personally identifiable information (PII) assets than in 2022: over 32 billion, compared to last year’s 8.6 billion.

Taking a deeper look into how stolen data empowers bad actors to perpetrate cybercrimes including account takeover, fraud, and ransomware, SpyCloud researchers analyzed the exposures of the average digital identity being traded in the criminal underground and found that the average identity appears in as many as nine breaches and is associated with 15 breach records.

The rise in identity-based attacks can be attributed to a rapid increase in malware. SpyCloud found that 61% of data breaches in 2023, involving over 343 million stolen credentials, were infostealer malware-related. Of these compromised identity records, one in four contained information about the user's network or physical location, putting the individual's identity, platforms they have access to, and physical well-being at risk.

Researchers also found that the average identity had a 1 in 5 chance of already being the victim of an infostealer infection. Infostealer malware enables criminals to collect vast amounts of information about the user and the device, including a user’s session cookies, API keys and webhooks, crypto wallet addresses, and more. This stolen authentication data enables cybercriminals to bypass protections including MFA and even passkeys to hijack their victim's identity and take over digital sessions.

"Cheap and easy-to-use infostealers combined with the ubiquity of stolen data online can make cyber defense seem like an impossible task," said Trevor Hilligoss, VP of SpyCloud Labs, SpyCloud’s research team responsible for recapturing data and analyzing patterns from the criminal underground. "Protecting digital identities and beating cybercriminals at their own game requires a multi-layered approach. It starts with quickly identifying exposed identities and immediately moves to post-infection remediation – invalidating compromised authentication data for all applications exposed by the infection. It’s a sure-fire way to prevent future cyberattacks resulting from the stolen information."

SpyCloud researchers also recaptured nearly 200 different types of PII in 2023, ranging from full names (3.16 billion) and phone numbers (2.14 billion) to dates of birth (920.25 million), social security and national ID numbers (171.61 million) and credit card numbers (36.97 million).

Additionally, mobile malware is becoming an attractive attack vector for criminals. Between August and December 2023, SpyCloud recaptured 10.58 million mobile records exfiltrated by malware. While the goal of mobile malware is often financial fraud, compromised devices can also result in sensitive data compromise, disruption of operations, and reputational damage.

"Cloud applications, mobile devices and online services have become essential to both our personal and professional lives. When you consider the vast amounts of information that we put online and the likelihood of that information ending up in the wrong hands, our digital valuables have evolved beyond traditional credentials," said Damon Fleury, Chief Product Officer of SpyCloud. "Threat actors are linking together identity records from hundreds of sources to impersonate their victims, making it extremely difficult for platforms to differentiate between legitimate users and criminals."

Additional key findings from the 2024 report include:

Poor password hygiene persists with pop culture still influencing password choices.

  • SpyCloud recaptured nearly 1.38 billion passwords circulating the darknet in 2023, an 81.5% year-over-year increase from 759 million in 2022.
    • Within these passwords, the report finds a 74% password reuse rate for users exposed in two or more breaches in the last year—a 2-point increase from the prior year.
  • Pop culture continues to drive popular password choices.
    • 1.1 million passwords were related to American fantasy football.
    • 1.1 million were related to the Hollywood writers’ strike.
    • 1 million were related to the NBA playoffs.
    • Passwords influenced by artists such as Shakira (508,000), Miley Cyrus (257,000), and Taylor Swift (119,000) were also common.

The U.S. government continues to struggle with bad password practices.

  • SpyCloud researchers found 723 breaches containing .gov emails in 2023, up from 695 in 2022 and 611 in 2021. The recaptured records contained over 281,000 .gov credentials.
  • The most common passwords associated with .gov emails were password, pass1, and 123456.
  • Password reuse rates for .gov users increased this year, rising to 67% from 61% in 2022.

The most noteworthy data leaks recaptured by SpyCloud last year:

  • WhatsApp: 364 million records leaked
  • Twitter (now X): 203 million records leaked
  • Luxottica: 203 million records leaked
  • UnionPay China: 127 million records leaked

To view the full report, visit spycloud.com.

To learn more about SpyCloud Labs’ analysis of active cybercriminal tactics, visit https://spycloud.com/resources/spycloud-labs/.