SpyCloud 2025: 18 Billion Stolen Credentials Tracked

Research · SpyCloud Annual Identity Exposure Report · 2025

SpyCloud's intelligence platform tracks credentials harvested by infostealer malware and aggregated into the criminal ecosystem. The 2025 report puts cumulative tracked credentials past 18 billion, with infostealer-derived corporate credentials a fast-growing slice.

Key Finding

The credential black market is not a backlog to be cleaned up; it is a live, replenished supply. Any defence that assumes the attacker cannot afford to try has the threat model wrong.

SpyCloud's Annual Identity Exposure Report aggregates stolen-credential intelligence from breach corpora, infostealer logs, and underground marketplaces. The 2025 edition reports a cumulative tracked-credential figure past 18 billion, with infostealer-derived corporate credentials growing the fastest. Constella, a separate identity-intelligence vendor, reported processing 51.7 million infostealer packages in 2025 alone (a 72% YoY rise) and identifying 24.8 million unique infected devices.

The architectural framing this dataset supports is that credentials are no longer scarce on the offensive side. The cost of attempting one is approximately zero; the cost of trying every combination is bounded only by the target's rate-limiting. Any control that assumes attacker scarcity — for example, lockout policies sized for human-scale errors, or anomaly thresholds tuned for low-volume attacks — is mismatched to the threat.
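
As an added example (not from the SpyCloud report or this page's author), the mismatch can be shown on constructed login events: a per-account lockout sized for human typos never fires when each account is tried once, while counting distinct accounts per source does. The thresholds, the function names and the use of source IP as the grouping key are assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real logs: (source_ip, username, success).
EVENTS = (
    # One source tries one leaked password per account; a few still work.
    [("203.0.113.7", f"user{i:03d}", i % 25 == 0) for i in range(100)]
    # A person mistypes their own password three times, then gets it right.
    + [("198.51.100.20", "alice", False)] * 3
    + [("198.51.100.20", "alice", True)]
)

# All thresholds below are illustrative assumptions, not recommended values.
def locked_accounts(events, threshold=5):
    """Classic per-account lockout: N consecutive failures locks the account."""
    streak, locked = defaultdict(int), set()
    for _src, user, ok in events:
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= threshold:
            locked.add(user)
    return locked

def stuffing_sources(events, min_accounts=20, min_fail_ratio=0.8):
    """Flag sources that touch many distinct accounts and mostly fail."""
    users, tries, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, user, ok in events:
        users[src].add(user)
        tries[src] += 1
        fails[src] += 0 if ok else 1
    return {s for s in tries
            if len(users[s]) >= min_accounts
            and fails[s] / tries[s] >= min_fail_ratio}

def accounts_to_contain(events, flagged):
    """Successful logins from a flagged source: revoke sessions, force reset."""
    return sorted({u for s, u, ok in events if ok and s in flagged})

if __name__ == "__main__":
    flagged = stuffing_sources(EVENTS)
    print("locked by per-account policy:", locked_accounts(EVENTS))
    print("flagged sources:", flagged)
    print("accounts to contain:", accounts_to_contain(EVENTS, flagged))
```

The per-account policy locks nothing here, yet four accounts were entered with valid stolen credentials; only the per-source view surfaces them for containment.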

The defensive responses that work at scale are phishing-resistant authentication (FIDO2, certificate-based), continuous session evaluation, and behavioural identity analytics. The defensive responses that do not are stronger passwords, more frequent rotation of those passwords, and email-based MFA.
