-Content by CyberNewswire-
SpyCloud, the leader in identity threat protection, today released the 2025 SpyCloud Identity Threat Report, revealing that while 86% of security leaders report confidence in their ability to prevent identity-based attacks, 85% of organisations were affected by a ransomware incident at least once in the past year, with over one-third affected between six and ten times.
Further illustrating the gap between perceived confidence and actual exposure, the market survey of over 500 security leaders across North America and the UK revealed that over two-thirds of organisations are significantly or extremely concerned about identity-based cyberattacks, yet only 38% can detect historical identity exposures that create risk due to poor cyber hygiene like credential reuse.
As organisations grapple with sprawling digital identities across SaaS platforms, unmanaged devices, and third-party ecosystems, attackers are capitalising on these gaps.
“From phishing and infostealer infections to reused credentials and unmanaged access, today’s threat actors are exploiting overlooked identity exposures,” said Damon Fleury, SpyCloud’s Chief Product Officer. “These tactics allow adversaries to bypass traditional defences and quietly establish access that can lead to follow-on attacks like ransomware, account takeover, session hijacking, and fraud. This report surfaces the critical truth that many organisations feel prepared but their defences don’t extend to the places adversaries are now operating.”
Identity Sprawl is Expanding The Attack Surface
Identity has become the gravitational center of modern cyber threats. An individual’s digital identity now spans hundreds of touchpoints, including corporate and personal credentials, session cookies, financial data, and personally identifiable information (PII) across SaaS platforms, managed and unmanaged devices, and third-party applications.
These elements when exposed on the darknet create a vast, interconnected attack surface ripe for exploitation. SpyCloud has recaptured 63.8 billion distinct identity records from the dark web, a 24% increase year-over-year. This illustrates the unprecedented scale of data circulating in the criminal underground, leaving organisations vulnerable because they lack the visibility and automation needed to shut down these exposures before they become additional entry points for follow-on identity-based attacks.
This surge in exposure is fueling broad concern. Nearly 40% of organisations surveyed identified four or more identity-centric threats as “extreme” concerns, with phishing (40%), ransomware (37%), nation-state adversaries (36%), and unmanaged or unauthorised devices (36%) leading the list.
More from Cybersecurity
- 7 Tips To Train Your Employees on Phishing Attacks
- Check Point Acquires Lakera To Build End-To-End AI Security Stack
- These Are Some Interesting Innovations That Have Come From Women In Cyber
- How Top Threat Intelligence Platforms Strengthen Your Cybersecurity Strategy
- Ways Small DeFi Projects Can Improve Their Cybersecurity
- INE Named in Training Industry’s 2025 Top 20 Online Learning Library List
- Experts Share: Are Passkeys The Solution To Cyber Vulnerabilities?
- Can Cyber Essentials Help Businesses Comply with Industry Regulations?
Insider Threats Begin With Identity Compromise
The report also highlights that insider threats, whether malicious or unwitting, often share a common origin: identity compromise.
Nation-state actors, including North Korean IT operatives, are leveraging stolen or synthetic identities to infiltrate organisations by posing as legitimate contractors or employees. SpyCloud’s investigative findings show that attackers are assembling synthetic identities using phished cookies, malware-exfiltrated API keys and reused credentials to pass background checks and weak screening processes.
Further emphasising this point, previous SpyCloud research found that 60% of organisations still rely on manual, ad-hoc communication between HR and security teams. Without hardened security screening that gives organisations visibility into candidates’ historical identity misuse and connections to criminal infrastructure, these actors can remain undetected until it’s too late.
At the same time, legitimate employees, contractors, or partners may unknowingly introduce risk when their identities are compromised. These unwitting insiders are frequently targeted through phishing and infostealer malware, resulting in stolen credentials and session cookies that provide persistent access to internal systems.
Phishing, in particular, was cited as the leading entry point for ransomware in 2025, accounting for 35% of incidents; a 10-point increase over the previous year.
Defences Fall Short In Responding To Identity-Based Threats
Despite growing awareness of identity-driven threats, most organisations are not equipped to respond effectively:
- 57% lack strong capabilities to invalidate exposed sessions
- Nearly two-thirds lack repeatable remediation workflows
- About two-thirds do not have formal investigation protocols
- Less than 20% can automate identity remediation across systems
Only 19% of organisations have automated identity remediation processes in place. The rest rely on case-by-case investigation or incomplete playbooks that leave gaps attackers can exploit.
“The defence mission has changed,” said Trevor Hilligoss, SpyCloud’s Head of Security Research. “Attackers are opportunistic, chaining together stolen identity data to find any available access point. Yet traditional defences remain narrowly focused on behavior and endpoints – missing the identity exposures that enable persistent, undetected access. The data shows organisations must extend protection to the identity layer, and keep a continuous eye on exposures and remediation to shut down threats before follow-on attacks can occur.”
Closing Identity Gaps Before Insider Threats Escalate
The report underscores the need for a holistic approach to identity protection. This means continuously correlating exposures across users’ full digital footprint, including past and present, personal and corporate identities – and automating remediation of compromised credentials, cookies, PII, and access tokens. In doing so, organisations move beyond account-level protection and gain visibility into identity risks threat actors were previously exploiting.
SpyCloud’s holistic identity intelligence empowers organisations to prevent identity-based threats by:
- Detecting fraudulent job candidates before access is granted
- Identifying compromised employees and users across devices and environments
- Invalidating exposed sessions and credentials at scale
- Accelerating investigations through automated correlation of darknet exposure data
“Teams that excel in identity security know exactly where exposures exist, can address them at scale, operate with clearly defined responsibilities, and continually adapt rather than simply react,” added Fleury. “The future belongs to those who treat identity as mission-critical; building systems that detect compromise early, respond decisively and beat threat actors from launching further attacks while keeping a strong and secure workforce.”
-This is a paid press release published via CyberNewswire-
