Spycloud Report Fortune 1000 Identity Exposure Report
Spycloud Report Fortune 1000 Identity Exposure Report
10 0 0
IDENTI TY
EXPOSURE
REPORT
TABLE OF CONTENTS
Overview 3
Key Findings 5
The number of exposed identities continues to soar every year, providing cybercriminals with new
opportunities to monetize stolen data in lucrative ways. With digital identities now a ubiquitous part of
employees’ lives, keeping up with the evolving threat tactics is more critical than ever for any organization –
yet increasingly challenging, despite hefty investments in security and anti-fraud measures. To understand
how exposed employee identities impact organizations, SpyCloud combs through our entire database of
assets recaptured from the criminal underground every year and analyzes the darknet exposure of employees
While stolen credentials have long been malicious actors’ favorite pathway for infiltrating organizations and
perpetrating fraud and other crimes, we have been observing a new development in recent years: they are
moving from using “traditional” breach databases and combo lists toward credentials and other
authentication data stolen by malware. What makes this tactic a favorite for cybercriminals is its extremely
high return on investment – malware-exfiltrated data is not only abundant, but it’s incredibly fresh and
In response to this shift, the trends observed by SpyCloud researchers in this year’s annual Fortune 1000
Identity Exposure Report have evolved as well, and in our fourth year for this report, we take a closer look at
malware infections and how they affect identity exposure. For this year’s analysis, we looked at more than
2.27 billion breach and malware-exfiltrated assets in our database that are tied directly to Fortune 1000
employee accounts and were recaptured from the criminal underground over the course of 2022.
To perform our analysis, we searched for records containing Fortune 1000 corporate email domains,
excluding “freemail” domains that are available to consumers. For example, if a Fortune 1000 employee
signed up for a breached third-party site using their corporate email address, such as [email protected],
In this report, we look at the top patterns across all 21 industry sectors, identify the ones with the highest
through no fault of their own. SpyCloud recaptures this data from darknet
IDENTIFY
POTENTIAL
I N S I D E R T H R E AT S
R E M E D I AT E
M A LW A R E
INFECTIONS
a 62% password reuse rate among Fortune 1000 employees that have been exposed
more than once. This is only 2 points lower than last year – not much of an
improvement. We see this trend at Fortune 1000 enterprises every year, indicating
that most user education and training falls on employees’ deaf ears. The industry
that carries the torch as the worst offender in this category is financials (68%
password reuse rate), which is alarming considering the kind of sensitive data
2
consumers entrust to financial institutions that can impact not only the individual,
records associated with Fortune 1000 employees, a 4.6% increase from 2021. This
amounts to 725.63 million breach assets (individual data points), a 5.6% increase
compared to last year. The technology, financials, and retailing sectors are leading
with the highest numbers of total breach assets. Retailing, in particular, stood out: it’s
also in the top three industries for the average number of breach records per
company (197,205) and the average number of assets per company (nearly 1.22
million).
whopping 1.87 billion cookie records have been exfiltrated from infected devices.
With stolen cookies, criminals can perform session hijacking of active sessions
without the need for credentials and can bypass MFA. The exposure stemming from
this insidious tactic appears to have spiraled out of control, and cybercriminals are
only getting started. Infostealers – malware designed specifically for stealing all
popularity, as are underground marketplaces that cater to malicious actors like initial
operators.
Technology has the highest number of infected employees (67,723) across 119
cybercriminals can gain to confidential and valuable systems and assets is scary at
many levels. The breakdown of the four sectors rounding out the top five for the
Health Care: Not far behind with 9,884 malware-infected employees across 76
companies.
Telecommunications: In fifth place with more than 8,000 infected employees across
the 9 companies on the Fortune 1000 list.
Of all malware-exfiltrated authentication data, browser session cookies are the most
prized. Each cookie allows a cybercriminal to become a legitimate user’s clone and
1.87 billion malware cookie records last year, with the lion’s share coming from
technology (1.51 billion), followed by retailing (200.12 million) and business services
(61.70 million). With these tokens in hand, bad actors can gain unfettered access to
attacks including ransomware, access sensitive data, and perpetrate fraud. While
5
cybercriminals’ mindset in the past may have been “more is more” in terms of stolen
data, this is no longer the case with session cookies – this data is of such high quality
Exposed PII puts organizations at risk by arming cybercriminals with data to use in
perpetrate fraud. Technology and financials remained in the top spots among sectors
with the most PII exposure last year, albeit they swapped places. With 77.41 million
PII assets exposed, technology bumped financials (74.61 million) down a notch in
terms of the most PII-exposed industries, while retailing maintained third place with
71.39 million PII assets. Each of these industries saw growth in exposure from 2021,
while overall, the total number of PII assets exposed across all industries, 423.28
the second- and third-highest number of average PII assets exposed per company
telecommunications, also repeated the previous year’s feat: with an average of 3.21
million exposed PII assets per company, the sector far surpasses the average of
Just like with our findings about password reuse rates, our list of the top recaptured
training, habits are not changing. We saw a recurring theme, with “password” and
“123456” as the most common recaptured plaintext passwords, but also noted a new
trend: a lot of first names in the top 100 exposed passwords list. This finding aligns
with the 7 million passwords recaptured across our entire database in 2022
containing the words love, family, kids, wife, husband, and boyfriend. This indicates,
perhaps, that Fortune 1000 employees, like many of us, were a bit more sentimental
last year after surviving two brutal years of pandemic chaos. Regardless of their
reasons for using names in their passwords, employees are putting their companies
in danger by choosing passwords that cybercriminals can easily guess after casually
TOTAL BREACH SOURCES Total number of breaches in the SpyCloud database that include records tied to
19,661
Fortune 1000 corporate email addresses.
TOTAL CORPORATE
BREACH RECORDS A breach record is the set of data tied to a single user within a given breach.
Ex: Information tied to [email protected] within a set of data stolen in a breach
132,429,971 of example.com.
TOTAL BREACH ASSETS A breach asset is a piece of information contained within a breach record. Ex: a
725,634,806
password, an address, a phone number, credit card, etc.
TOTAL SESSION
COOKIE RECORDS A session cookie or token is a string of characters that a website or server uses to
1,865,557,005
remember visitors, making it easier to visit the site again without authenticating.
Similar to a breach record, a cookie record can contain a set of data tied to a
single session or cookie that can be a combination of the cookie’s ID, value,
expiration, domain, etc. With a valid cookie in hand, cybercriminals can simulate a
user and bypass authentication to seamlessly hijack a session, allowing them to
access sensitive data, escalate employee privileges, and much more.
TOTAL PLAINTEXT CORPORATE
BREACH & MALWARE-
EXFILTRATED CREDENTIALS Total number of Fortune 1000 corporate email address and plaintext password
27,475,565
pairs that are available to criminals. If employees have reused these passwords,
criminals can easily exploit the exposed credential pairs to gain access to
corporate systems.
TOTAL C-LEVEL
EXECUTIVES EXPOSED Exposed corporate credentials that are tied to Fortune 1000 executives with
87,741
high-ranking titles, putting them at increased risk of targeted account takeover
and business email compromise (BEC) fraud.
PASSWORD REUSE Among the Fortune 1000 employees, this is the rate at which a password was
62%
exposed more than once compared to the total exposed passwords for Fortune
1000 employees. This includes exact passwords and slight variations that
criminals can easily match.
MALWARE-INFECTED
EMPLOYEES Fortune 1000 employees whose data appears in logs exfiltrated from
171,528
infostealer malware-infected devices. These high-severity exposures put them
at risk of ATO and fraud, and make the enterprise vulnerable to ransomware
attacks.
corporate email addresses and plaintext passwords. Similar to last year, the three sectors with the highest
exposure by far are technology (7.52 million), telecommunications (6.34 million), and financials (3.64 million).
While the high numbers for financials and technology may be partially due to the sector size (167 and 119
companies, respectively), the telecommunications sector’s exposure is extreme given it only includes nine
enterprises.
While not every credential pair will match corporate login details, the ones that do match or even have a partial
match represent substantial risk for these enterprises – and their customers and partners – with criminals'
When credentials are exposed in a data breach, cybercriminals inevitably test them against a variety of other
online sites, taking over any other accounts protected by the same login information. If those stolen credentials
contain a corporate email domain, criminals have an obvious clue that they could provide access to valuable
enterprise systems, customer data, and intellectual property. And some of the most valuable are credentials
belonging to members of an organization’s C-suite. Cybercriminals target C-suite executives and senior leaders to
attempt account takeover and business email compromise (BEC) fraud. These scams cost enterprises an
enormous amount: according to the FBI, total BEC losses in 2022 reached $2.7B from nearly 22,000 complaints.
In our dataset, we found 935,786 stolen assets from 87,741 exposed C-level employees. Fraudsters use this
data for phishing and social engineering to take control over an executive’s email account, then use that email
account to impersonate the executive and compel employees, vendors, or other trusted partners to pay fraudulent
invoices, transfer funds illegally, reveal sensitive information, and more. BEC fraud has wide implications, putting
at risk everything from sensitive data and intellectual property to a company’s financials.
In theory, passwords associated with corporate accounts should be strong given the importance of the assets
they protect and the robust guidance often provided by corporate security teams. In practice, many employees
use bad password hygiene at work simply out of perceived ease, and some corporate password policies (such as
Our analysis found a 62% average reuse rate last year, only a 2 point decrease from 2021 and a 10 point difference
Employees with multiple reused passwords in our dataset may or may not reuse passwords at work – we can’t tell for
sure without checking their actual work passwords. However, password reuse across their third-party breach and
AVERAGE
FORTUNE 1000 SECTOR PASSWORD REUSE
FINANCIALS 68%
ENERGY 61%
TECHNOLOGY 60%
TELECOMMUNICATIONS 59%
123456
Bkkux33lMgsk13jl
slideteam
matthew
board1 CHARLIE55 6V21wbgad
jessica
uQA9Ebw445
FQRG7CS493
20100728 david1027
Welcome123 1qaz2wsx
Password Tomas0707
zinch Whrhswhrhs1!
password
jennifer
Kh@khund@_202392 rmak123456
zzzzzzzz michael ginger
12345 123456789 michelle
aaron431
http jordan
password1
quetico01
1234567 summer Ready2wrk@ abc123 1234567890
jackson
charlie AshS0115 Hamkew@143 11111
Welcome1 P@ssw0rd welcome qwerty
research itodemo
shadow 125800 Welcome@123 123123 passw0rd 19weed
bull****password
old123ma
tacotime
taylor
h54rsjrF5J46788998 1234 sunshine 12345678
3xp3rt444
30media
baseball
default
Tykie@1234
c00lyB7474 hunter
zaq12wsx
maggie 111111 Iworkedin***for14years
parker Wiliby13! Content2020!!
chaselo Password1
z1z1rbat
buster
CCresearch20* princess
XVNP@357 hannah
LastMile##123 Leandro@Leticia17d
abcd1234 football
With hundreds of accounts to keep track of, it’s no wonder people take shortcuts to remember their login credentials. In
addition to recycling variations of a few favorites across every account, people often use simple passwords that are easy to
remember – and easy for criminals to guess. Criminals often use lists of common passwords in password spraying attacks,
putting accounts with weak passwords at risk even if the user hasn’t intentionally reused that password.
One of the worst shortcuts employees can take is to include their company’s name in their passwords; it’s one of the first
things criminals will enter into their account checker tools when trying to crack corporate passwords. However, banning the
use of the company name in passwords may not be enough. Organizations need to find ways of protecting employees from
themselves.
Fortune 1000 employees follow the same patterns as the rest of us. Most of the passwords above appeared hundreds or
even thousands of times within our dataset. We’ve redacted company names, as well as several variations of a popular
four-letter word that we opted not to print. Interestingly, we observed that this particular word, year after year, is mostly
popular – and very prominent – with media companies, and employees at Fortune 1000 enterprises have a much higher
While most of these examples would fail to pass basic corporate password policies, people tend to transform a base
password in predictable ways to bypass complexity rules. For example, “password” might become “Password1” or
“Passw0rd!” at work.
Unfortunately, criminals are well aware of these patterns, and automated tools make it easy for them to test variations of
With the growing focus of criminals to leverage hard-to-detect measures like infostealer malware to extract information
from unsuspecting users, our report is inclusive of this recaptured data as well as data from third-party breaches.
Infostealer malware exfiltrates all manner of information from the infected device, including browser history, autocomplete
data, session cookies, screenshots, system information, crypto addresses, target URLs, and login credentials. This type of
malware poses a significant threat because not only does it harvest fresh, accurate authentication data, but an
increasingly common type of malware is configured to be non-persistent, meaning it deletes itself after data is stolen from
a victim’s machine.
Many people don’t realize that credentials available on the criminal underground are just as likely to come from
infostealers as they are from large data breaches – across our entire dataset, we recaptured 27.48 million exposed
credentials belonging to Fortune 1000 employees from the criminal underground and nearly 340,000 of those came from
malware logs. High-value information stolen through malware infections is typically shared in small circles or sold at a
When SpyCloud recaptures malware-exfiltrated data, we parse out the infected victim’s usernames, passwords, target
URLs, cookies, and other types of stolen assets in order to help organizations protect themselves and their users. For this
report, we searched these records for Fortune 1000 corporate email addresses to identify employees who may be using
infected managed devices or personal/unmanaged devices to access the corporate network or work applications.
Like last year, the technology sector once again leads all industries for the number of infected employees
from Fortune 1000 companies with 67,723, which represents 39.5% of all those observed in our database.
Financials, retailing, health care, and telecommunications also maintained their lead to round out the top
five sectors with infected employees in our findings.
The breadth of data captured by infostealers can have disastrous consequences for enterprises, whether the affected
device is personal or corporate, since this malware exfiltrates everything from browser history to login data for work and
third-party resources. Bad actors use this information to bypass multi-factor authentication, log into corporate networks,
malware infections as the basis for ransomware attacks. Attackers are exploiting infected systems to exfiltrate data that
can aid an attack, identify potential entry points to corporate resources, and deliver executable files.
Keep in mind that one infected device can expose hundreds of credential pairs given the prolific number of applications
and work accounts each employee has. Even after an infected device is cleaned up or wiped, those exposed credentials are
already in criminals’ hands and continue to put the organization and individual at further risk unless proper post-infection
Additionally, we recaptured a total of 223,098 credential pairs exfiltrated by malware that specifically
allow access to over 56,000 cloud-based applications, including popular enterprise apps like email, SSO,
cloud hosting environments, customer relationship management software, payroll management, video
conference platforms, source code repositories, and much more. Since these third-party applications are
typically outside of IT’s control, their exposure is a blind spot for most enterprise security teams.
Data stolen from these applications can be used to aid attacks or can be the goal of the attack itself, such as when source
code is stolen.
While credential exposures plague enterprises, it's the growing threat of stolen session cookies that needs more mindshare.
As criminal tactics evolve, bad actors are finding that the level of effort to hijack a session with malware-stolen cookies is
significantly less than social engineering methods like phishing that require an action from the victim.
Session hijacking is a risk facing both employees and consumers. For organizations, stolen cookies can give
cybercriminals an all-access pass to enterprise networks, allowing them to view sensitive information, escalate privileges,
encrypt files, and launch ransomware. On the consumer side, fraudsters use stolen session cookies to take over accounts
to make fraudulent purchases, drain loyalty cards and points, and more. With close to 2 billion stolen session cookie records
tied to employees and consumers of Fortune 1000 companies that make authentication measures like MFA easy to bypass,
it’s no wonder cybercriminals are quick to use this data to continually circumvent existing defense measures. Preventing
session hijacking is not impossible. It requires rapid identification of stolen cookies and invalidation of active sessions that
In addition to infected employees, we also identified nearly 30.75 million infected consumers of Fortune 1000
These are users of Fortune 1000 consumer-facing sites where our recaptured data shows that they were infected
while entering their username and password on the login page (e.g., [email protected] was infected while logging
into signin.fortune1000company.com).
Consumers with infected devices and the resulting exposed data cost enterprises a lot of internal resources and
money in customer service hours and fraud losses, impacting their bottom line.
The risk of fraud and identity theft is especially high because malware often siphons data that establishes a browser
or device fingerprint (a combination of operating system, IP address, browser type, system fonts, browser
extensions, bookmarks, and other data). Companies frequently use browser fingerprints to authenticate customers,
and cybercriminals can use the fingerprints to successfully impersonate consumers without raising any red flags.
The true number of infected consumers for these sectors is likely higher; for example, we excluded many
consumer-only domains from this analysis. We’ve also nixed credentials with usernames instead of email addresses
because it’s unclear whether they are employee or consumer records. However, each one of these infected
consumers is at extremely high risk of account takeover, identity theft, and online fraud, which can result in
While tech is the industry with the largest malware exposure this year, the 35% decline from last year is
due to the ebb and flow of organizations included in the annual Fortune list.
MEDIA
Nearly 6 MILLION:
+49% Almost double the previous year’s 2.9 million.
RETAILING
5.88 MILLION:
+56% More than double 2.56 million in 2021.
BUSINESS
SERVICES
4.04 MILLION:
+49% Almost double 2.15 million in 2021.
FINANCIALS
551,879:
+794% Almost 8x the previous year’s 61,735.
The increase in the financials sector is astonishing, yet it reflects global identity cyber threats and fraud trends. In recent
years, synthetic identity fraud (the mixing of stolen and fake identity data from multiple consumers) has become the largest
form of identity theft. The massive amount of consumers’ personally identifiable information (PII) available on the criminal
underground makes it far too easy for fraudsters to create synthetic identities to open new accounts, apply for credit, and
In addition to login credentials, breach or malware-exfiltrated assets can include phone numbers, addresses, social
security numbers, credit ratings, browser session tokens and much more. While stolen credentials provide an obvious
entry point for malicious actors, other types of darknet exposed assets can also create tremendous value for
cybercriminals, whether for consumer fraud or as a means of gaining access to enterprise networks, data, intellectual
Criminals may engage in highly-targeted, manual attacks against victims with privileged access to corporate
resources, such as C-suite leaders, senior executives, system administrators, and developers. Given the potential
payoff associated with these targets, it’s no wonder criminals are willing to invest substantial effort and creativity to
In total, SpyCloud has collected more than 725.63 million breach assets and 1.87 billion malware-exfiltrated
session cookie records tied to Fortune 1000 employees last year. Within the SpyCloud dataset, we have segmented
certain types of assets into categories to help quantify different types of exposure. Let’s break down how a few of
these asset types can be used by cybercriminals and look at Fortune 1000 employee exposure for each asset type by
sector.
725.63 MILLION
TOTAL ASSETS
423.28 MILLION
32.41 MILLION TOTAL PII ASSETS
TOTAL ACCOUNT ASSETS
2.4 MILLION
TOTAL FINANCIAL ASSETS
WHAT IT IS Personally identifiable information (PII) is data that could be used to identify an
individual person. For the purposes of this report, SpyCloud has excluded some
forms of PII that have been broken out into separate categories below, such as
phone and financial assets. However, this category includes many other types
of personal data such as addresses, social security numbers, and credit ratings.
HOW IT HELPS
CRIMINALS PII can provide criminals with many lucrative paths for committing fraud or
stealing corporate data, particularly when they have access to full packages of
victims’ information, or “fullz.”
80 MILLION
70 MILLION
60 MILLION
50 MILLION
40 MILLION
30 MILLION
PII
20 MILLION
10 MILLION
0
ENGINEERING & CONSTRUCTION
HEALTH CARE
HOUSEHOLD PRODUCTS
INDUSTRIALS
MATERIALS
MEDIA
RETAILING
TECHNOLOGY
TELECOMMUNICATIONS
TRANSPORTATION
AEROSPACE & DEFENSE
APPAREL
BUSINESS SERVICES
CHEMICALS
ENERGY
FINANCIALS
WHOLESALERS
WHAT IT IS Session cookies or tokens authenticate users on a given website for a period of
time. When you log into a site or application, the server sets a temporary
session cookie in your browser. This lets the application remember that you’re
logged in and authenticated. Some cookies may last only 24-48 hours, while
others last for months.
HOW IT HELPS
CRIMINALS Stolen session cookies allow bad actors to infiltrate organizations through
session hijacking. With cookies in hand, criminals use anti-detect browsers with
a browser plug-in to authenticate as the legitimate user, bypassing MFA to
COOKIES &
1.5 BILLION
300 MILLION
75,000
ENGINEERING & CONSTRUCTION
FINANCIALS
HEALTH CARE
HOUSEHOLD PRODUCTS
INDUSTRIALS
MATERIALS
MEDIA
RETAILING
TECHNOLOGY
TELECOMMUNICATIONS
TRANSPORTATION
AEROSPACE & DEFENSE
APPAREL
BUSINESS SERVICES
CHEMICALS
ENERGY
WHOLESALERS
WHAT IT IS
Phone assets are stolen phone numbers.
HOW IT HELPS
CRIMINALS In combination with stolen credentials, criminals can use phone assets to
bypass multi-factor authentication using tactics such as SIM swapping and
phone porting. With a simple phone call to a mobile carrier and some light
social engineering, criminals can divert a victim’s phone service to their own
device. Once the attacker has control of the victim’s phone number, they receive
all SMS-based authentication messages and can easily log into sensitive
PHONE
accounts undetected.
5 MILLION
4 MILLION
3 MILLION
2 MILLION
1 MILLION
0
ENGINEERING & CONSTRUCTION
HEALTH CARE
HOUSEHOLD PRODUCTS
INDUSTRIALS
MATERIALS
MEDIA
RETAILING
TECHNOLOGY
TELECOMMUNICATIONS
TRANSPORTATION
AEROSPACE & DEFENSE
APPAREL
BUSINESS SERVICES
CHEMICALS
ENERGY
FINANCIALS
WHOLESALERS
WHAT IT IS Geolocation assets consist of latitude and longitude pairings that pinpoint
users’ physical locations. This is typically the location of the IP that a user last
logged in from. That location sometimes correlates with their address, but not
always, which is why this data has been separated from PII assets.
HOW IT HELPS
CRIMINALS Criminals can use geolocation data (or addresses) to craft targeted attacks
against high-value victims such as employees with privileged access to
corporate data.
GEOLOCATION
Examples include:
1.5 MILLION
1.2 MILLION
900,000
600,000
300,000
0
ENGINEERING & CONSTRUCTION
HEALTH CARE
HOUSEHOLD PRODUCTS
INDUSTRIALS
MATERIALS
MEDIA
RETAILING
TECHNOLOGY
TELECOMMUNICATIONS
TRANSPORTATION
AEROSPACE & DEFENSE
APPAREL
BUSINESS SERVICES
CHEMICALS
ENERGY
FINANCIALS
WHOLESALERS
WHAT IT IS Financial assets include credit card numbers, bank account numbers, and tax
IDs. While this information all technically qualifies as PII, we have separated
them into their own category due to the severity of the exposure.
HOW IT HELPS
CRIMINALS Criminals can use stolen credit card numbers and other financial information to
harm your enterprise by:
500,000
400,000
300,000
200,000
100,000
0
ENGINEERING & CONSTRUCTION
HEALTH CARE
HOUSEHOLD PRODUCTS
INDUSTRIALS
MATERIALS
MEDIA
RETAILING
TECHNOLOGY
TELECOMMUNICATIONS
TRANSPORTATION
AEROSPACE & DEFENSE
APPAREL
BUSINESS SERVICES
CHEMICALS
ENERGY
FINANCIALS
WHOLESALERS
WHAT IT IS Social assets include social media handles that are tied to the breached
account.
HOW IT HELPS
CRIMINALS Social assets can help criminals connect the dots between personal and
corporate identities, which can be particularly useful in targeted attacks. An
attacker may move laterally from one account to another, first compromising a
social media account with limited protections in place and then using that
access to compromise higher-value accounts or accounts belonging to the
victim’s trusted associates. Data shared on social media may also provide the
SOCIAL
attacker with insights that can aid in answering security questions or crafting
believable spear phishing attacks.
8 MILLION
7 MILLION
6 MILLION
5 MILLION
4 MILLION
3 MILLION
2 MILLION
1 MILLION
0
ENGINEERING & CONSTRUCTION
HEALTH CARE
HOUSEHOLD PRODUCTS
INDUSTRIALS
MATERIALS
MEDIA
RETAILING
TECHNOLOGY
TELECOMMUNICATIONS
TRANSPORTATION
AEROSPACE & DEFENSE
APPAREL
BUSINESS SERVICES
CHEMICALS
ENERGY
FINANCIALS
WHOLESALERS
WHAT IT IS Account assets are data related to the breached account itself – including
secret answers to the security questions that many sites use as an extra layer
of authentication. Account assets also encompass user activity records, such
as the date an account was created and most recent login date.
HOW IT HELPS
CRIMINALS Access to users’ secret answers makes it easy for attackers to bypass
authentication measures and take over accounts. In addition, criminals may use
account activity records to engender trust and convince users to share
additional information, such as their password. For example, an attacker might
ACCOUNT
list recent actions a user has taken on specific dates and ask them to “verify”
their validity by taking a risky action like clicking a phishing link.
10 MILLION
8 MILLION
6 MILLION
4 MILLION
2 MILLION
0
ENGINEERING & CONSTRUCTION
HEALTH CARE
HOUSEHOLD PRODUCTS
INDUSTRIALS
MATERIALS
MEDIA
RETAILING
TECHNOLOGY
TELECOMMUNICATIONS
TRANSPORTATION
AEROSPACE & DEFENSE
APPAREL
BUSINESS SERVICES
CHEMICALS
ENERGY
FINANCIALS
WHOLESALERS
WHAT IT IS Short for combination list, a combo list contains pairs of passwords and
usernames or email addresses obtained from various breaches. SpyCloud finds
that the vast majority of the data we see in combo lists is old – ingested
months or even years prior to the list publication. Our focus is on recapturing
data immediately after a breach occurs.
HOW IT HELPS
CRIMINALS Inexpensive or even freely available on the underground, combo lists are used
for credential stuffing. Cybercriminals take advantage of the high password
reuse rates among users and try the logins from the combo lists on other
websites or apps. Any accounts using the same credentials found on a combo
list remain in jeopardy. Combo lists serve as a good reminder that even old data
can still be useful to criminals.
COMBO
6 MILLION
5 MILLION
4 MILLION
LIST
3 MILLION
2 MILLION
1 MILLION
0
ENGINEERING & CONSTRUCTION
HEALTH CARE
HOUSEHOLD PRODUCTS
INDUSTRIALS
MATERIALS
MEDIA
RETAILING
TECHNOLOGY
TELECOMMUNICATIONS
TRANSPORTATION
AEROSPACE & DEFENSE
APPAREL
BUSINESS SERVICES
CHEMICALS
ENERGY
FINANCIALS
WHOLESALERS
Apparel Industrials
Chemicals Media
Financials Technology
Defense Industry.
16,086,095
TOTAL BREACH
ASSETS
4,154
TOTAL BREACH
SOURCES
180,102
AVERAGE # OF BREACH
RECORDS PER COMPANY
3,061,738 !
TOTAL BREACH
65% RECORDS
PASSWORD REUSE
538,740
9,158,578
AVERAGE PII ASSETS PER COMPANY
?
C-
668,004
WHAT’S
EXPOSED 48,011 SOCIAL
39,906 ACCOUNTS
27,013 PHONE
6,319 GEOLOCATION
$ 3,510
AU
CO FINANCIAL
TH
OK
IES
18 /T
OK
ENS
6, RECO
42 RDS
4
1,431
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
123456
password
1,690
aaron431 MALWARE-INFECTED
CONSUMERS
16
companies
The companies in this report
APPAREL
represent 16 of the largest 380,970
AVERAGE # OF BREACH ASSETS
US companies in the PER COMPANY
Apparel Industry.
6,095,520
TOTAL BREACH
ASSETS
3,044
TOTAL BREACH
SOURCES
63,017
AVERAGE # OF BREACH
RECORDS PER COMPANY
1,008,269 !
TOTAL BREACH
62% RECORDS
PASSWORD REUSE
232,867
3,725,875
AVERAGE PII ASSETS PER COMPANY
?
C-
152,867
WHAT’S
EXPOSED 22,553 SOCIAL
17,103 ACCOUNTS
11,559 PHONE
3,350 GEOLOCATION
$ 1,078
AU
CO FINANCIAL
TH
OK
,4 IES
/T
9
27 OK
ENS
,18 RECO
RDS
4
1,585
MALWARE-INFECTED
EMPLOYEES
newmember
123456
219,092
aaron431 MALWARE-INFECTED
CONSUMERS
51 BUSINESS
companies
The companies in this report
SERVICES
represent 51 of the largest 447,679
AVERAGE # OF BREACH ASSETS
US companies in the PER COMPANY
22,831,636
TOTAL BREACH
ASSETS
5,322
TOTAL BREACH
SOURCES
73,748
AVERAGE # OF BREACH
RECORDS PER COMPANY
3,761,130 !
TOTAL BREACH
62% RECORDS
PASSWORD REUSE
273,129
13,929,574
AVERAGE PII ASSETS PER COMPANY
?
C-
501,545
WHAT’S
EXPOSED 25,524 SOCIAL
21,773 ACCOUNTS
13,533 PHONE
4,861 GEOLOCATION
$ 1,676
AU
CO FINANCIAL
TH
OK
1, IES
/T
6
68 OK
ENS
3 ,7
RECO
RDS
67
5,608
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
aaron431
4,038,028
123456 MALWARE-INFECTED
CONSUMERS
29
companies CHEMICALS
The companies in this report
Chemicals Industry.
10,833,368
TOTAL BREACH
ASSETS
4,902
TOTAL BREACH
SOURCES
67,059
AVERAGE # OF BREACH
RECORDS PER COMPANY
1,944,699 !
TOTAL BREACH
63% RECORDS
PASSWORD REUSE
220,590
6,397,111
AVERAGE PII ASSETS PER COMPANY
7 40 CU
TIV
ES address
email
E IP
L EX
VE SSN
LE
?
C-
331,267
WHAT’S
EXPOSED 20,681 SOCIAL
16,909 ACCOUNTS
10,689 PHONE
3,390 GEOLOCATION
$ 1,231
AU
CO FINANCIAL
TH
OK
37 IES
/T
OK
2, ENS
73
RECO
RDS
2
2,289
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
123456
pass1
5,848
password MALWARE-INFECTED
CONSUMERS
101
companies
The companies in this
ENERGY
report represent 101 of the 268,661
AVERAGE # OF BREACH ASSETS
largest US companies in PER COMPANY
27,134,735
TOTAL BREACH
ASSETS
5,761
TOTAL BREACH
SOURCES
48,083
AVERAGE # OF BREACH
RECORDS PER COMPANY
4,856,367 !
TOTAL BREACH
61% RECORDS
PASSWORD REUSE
159,729
16,132,648
AVERAGE PII ASSETS PER COMPANY
email
E IP
EX
VE
L SSN
LE
?
C-
WHAT’S
EXPOSED 12,988 SOCIAL
11,154 ACCOUNTS
8,556 PHONE
2,189 GEOLOCATION
$ 1,337
AU
CO FINANCIAL
TH
OK
IES
44 /T
OK
ENS
9, RECO
32 RDS
2
6,810
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
123456
37,224
aaron431 MALWARE-INFECTED
CONSUMERS
32 ENGINEERING &
companies CONSTRUCTION
The companies in this
9,574,115
Construction Industry.
TOTAL BREACH
ASSETS
3,683
TOTAL BREACH
SOURCES
54,804
AVERAGE # OF BREACH
RECORDS PER COMPANY
1,753,734 !
TOTAL BREACH
64% RECORDS
PASSWORD REUSE
175,999
5,631,959
AVERAGE PII ASSETS PER COMPANY
?
C-
271,454
WHAT’S
EXPOSED 17,524 SOCIAL
13,758 ACCOUNTS
8,008 PHONE
2,625 GEOLOCATION
$ 1,054
AU
CO FINANCIAL
TH
OK
IES
11 /T
OK
1,5
ENS
RECO
RDS
92
2,425
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
123456
10,715
*NO-PASSWORD* MALWARE-INFECTED
CONSUMERS
167
companies FINANCIALS
The companies in this
125,031,742
TOTAL BREACH
ASSETS
8,878
TOTAL BREACH
SOURCES
132,561
AVERAGE # OF BREACH
RECORDS PER COMPANY
22,137,676 !
TOTAL BREACH
68% RECORDS
PASSWORD REUSE
446,740
74,605,649
AVERAGE PII ASSETS PER COMPANY
2 2,6 CU
TIV
ES address
email
E IP
L EX
VE SSN
LE
?
C-
3,641,651
WHAT’S
EXPOSED 38,654 SOCIAL
31,175 ACCOUNTS
24,126 PHONE
7,820 GEOLOCATION
$ 2,353
AU
CO FINANCIAL
TH
OK
IES
5, /T
OK
53
1
ENS
RECO
7, 6 RDS
26
15,274
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
456a33
551,879
aaron431 MALWARE-INFECTED
CONSUMERS
9 FOOD &
companies
DRUG
STORES
The companies in this
7,614,599
Industry.
TOTAL BREACH
ASSETS
1,345
TOTAL BREACH
SOURCES
126,421
AVERAGE # OF BREACH
RECORDS PER COMPANY
1,137,785 !
TOTAL BREACH
66% RECORDS
PASSWORD REUSE
556,251
5,006,257
AVERAGE PII ASSETS PER COMPANY
8 23 TIV
ES address
CU
email
E IP
L EX
VE SSN
LE
?
C-
53,233
WHAT’S
EXPOSED 39,143 SOCIAL
31,952 ACCOUNTS
34,754 PHONE
10,981 GEOLOCATION
$ 4,407
AU
CO FINANCIAL
TH
OK
IES
74 /T
OK
ENS
9, RECO
90 RDS
893
MALWARE-INFECTED
TOP NOTEWORTHY EXPOSED PASSWORDS EMPLOYEES
aaron431
password
81,631
simply123 MALWARE-INFECTED
CONSUMERS
companies
34 FOOD,
BEVERAGES
The companies in this
12,065,999
Tobacco Industry.
TOTAL BREACH
ASSETS
4,681
TOTAL BREACH
SOURCES
59,375
AVERAGE # OF BREACH
RECORDS PER COMPANY
2,018,743 !
TOTAL BREACH
63% RECORDS
PASSWORD REUSE
216,619
7,365,049
AVERAGE PII ASSETS PER COMPANY
?
C-
WHAT’S
EXPOSED 22,068 SOCIAL
16,414 ACCOUNTS
9,401 PHONE
3,526 GEOLOCATION
$ 915
AU
CO FINANCIAL
TH
OK
IES
43 /T
OK
ENS
1,9 RECO
RDS
17
4,002
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
123456
49,219
aaron431 MALWARE-INFECTED
CONSUMERS
companies
76 HEALTH
The companies in this
56,153,936
TOTAL BREACH
ASSETS
7,863
TOTAL BREACH
SOURCES
127,664
AVERAGE # OF BREACH
RECORDS PER COMPANY
9,702,473 !
TOTAL BREACH
63% RECORDS
PASSWORD REUSE
441,067
33,521,121
AVERAGE PII ASSETS PER COMPANY
email
IP
LE SSN
VE
LE
?
C-
WHAT’S
EXPOSED 38,957 SOCIAL
33,022 ACCOUNTS
22,823 PHONE
7,625 GEOLOCATION
$ 3,230
AU
CO FINANCIAL
TH
OK
IES
1, /T
OK
39 ENS
RECO
0,4 RDS
12
9,884
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
123456
59,524
aaron431 MALWARE-INFECTED
CONSUMERS
25 HOTELS,
companies RESTAURANTS
The companies in this
20,734,651
Leisure Industry.
TOTAL BREACH
ASSETS
4,119
TOTAL BREACH
SOURCES
142,758
AVERAGE # OF BREACH
RECORDS PER COMPANY
3,568,942 !
TOTAL BREACH
55% RECORDS
PASSWORD REUSE
503,844
12,596,096
AVERAGE PII ASSETS PER COMPANY
?
C-
WHAT’S
EXPOSED 39,491 SOCIAL
35,692 ACCOUNTS
30,476 PHONE
8,298 GEOLOCATION
$ 3,346
AU
CO FINANCIAL
TH
OK
IES
,7 /T
OK
99
3
ENS
RECO
,64 RDS
8
3,175
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
123456
Hello123
150,860
password MALWARE-INFECTED
CONSUMERS
companies
26 HOUSEHOLD
The companies in this PRODUCTS 418,711
report represent 26 of the
AVERAGE # OF BREACH ASSETS
largest US companies in PER COMPANY
10,886,484
Industry.
TOTAL BREACH
ASSETS
5,092
TOTAL BREACH
SOURCES
74,522
AVERAGE # OF BREACH
RECORDS PER COMPANY
1,937,568 !
TOTAL BREACH
64% RECORDS
PASSWORD REUSE
242,801
6,312,836
AVERAGE PII ASSETS PER COMPANY
2 ,24 CU
TIV
ES address
email
E IP
L EX
VE SSN
LE
?
C-
388,691
WHAT’S
EXPOSED 23,658 SOCIAL
18,236 ACCOUNTS
12,013 PHONE
4,410 GEOLOCATION
$ 1,408
AU
CO FINANCIAL
TH
OK
,5 IES
/T
3
94 OK
ENS
,7 2
RECO
RDS
4
2,510
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
passport
123456
54,186
password MALWARE-INFECTED
CONSUMERS
companies
50 INDUSTRIALS
The companies in this
27,308,200
TOTAL BREACH
ASSETS
8,419
TOTAL BREACH
SOURCES
107,421
AVERAGE # OF BREACH
RECORDS PER COMPANY
5,371,072 !
TOTAL BREACH
66% RECORDS
PASSWORD REUSE
302,046
15,102,307
AVERAGE PII ASSETS PER COMPANY
3 ,37 CU
TIV
ES address
email
E IP
L EX
VE SSN
LE
?
C-
1,233,537
WHAT’S
EXPOSED 26,221 SOCIAL
24,156 ACCOUNTS
16,816 PHONE
4,698 GEOLOCATION
$ 2,183
AU
CO FINANCIAL
TH
OK
1, IES
/T
76 OK
ENS
8 ,7 RECO
RDS
10
6,111
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
123456
password
32,153
aaron431 MALWARE-INFECTED
CONSUMERS
companies
46 MATERIALS
The companies in this
8,900,584
TOTAL BREACH
ASSETS
3,928
TOTAL BREACH
SOURCES
33,969
AVERAGE # OF BREACH
RECORDS PER COMPANY
1,562,578 !
TOTAL BREACH
64% RECORDS
PASSWORD REUSE
115,420
5,309,328
AVERAGE PII ASSETS PER COMPANY
1 ,7 6 CU
TIV
ES address
email
E IP
L EX
VE SSN
LE
?
C-
2 4 7, 6 6 5
WHAT’S
EXPOSED 8,680 SOCIAL
8,060 ACCOUNTS
6,693 PHONE
1,986 GEOLOCATION
$ 1,090
AU
CO FINANCIAL
TH
OK
IES
77 /T
OK
ENS
,8 RECO
87 RDS
2,747
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
aaron431
password
1,209
123456 MALWARE-INFECTED
CONSUMERS
28
companies
The companies in this
12,010,540
TOTAL BREACH
ASSETS
4,603
TOTAL BREACH
SOURCES
82,464
AVERAGE # OF BREACH
RECORDS PER COMPANY
2,309,005 !
TOTAL BREACH
64% RECORDS
PASSWORD REUSE
197,873
5,540,447
AVERAGE PII ASSETS PER COMPANY
?
C-
730,323
WHAT’S
EXPOSED 18,981 SOCIAL
37,421 ACCOUNTS
11,004 PHONE
2,184 GEOLOCATION
$ 1,296
AU
CO FINANCIAL
TH
OK
3, IES
/T
5
23 OK
ENS
0,8
RECO
RDS
83
6,478
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
TopSecret123
5,997,678
123123123 MALWARE-INFECTED
CONSUMERS
19 MOTOR
companies
VEHICLES
& PARTS
The companies in this
15,614,341
Industry.
TOTAL BREACH
ASSETS
5,554
TOTAL BREACH
SOURCES
138,860
AVERAGE # OF BREACH
RECORDS PER COMPANY
2,638,333 !
TOTAL BREACH
67% RECORDS
PASSWORD REUSE
486,726
9,247,801
AVERAGE PII ASSETS PER COMPANY
?
C-
WHAT’S
EXPOSED 48,314 SOCIAL
39,808 ACCOUNTS
20,408 PHONE
10,161 GEOLOCATION
$ 2,506
AU
CO FINANCIAL
TH
OK
1, IES
/T
56 OK
ENS
2,5 RECO
RDS
43
4,765
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
123456
password
41,647
aaron431 MALWARE-INFECTED
CONSUMERS
companies
81 RETAILING
The companies in this
98,471,298
TOTAL BREACH
ASSETS
5,263
TOTAL BREACH
SOURCES
197,205
AVERAGE # OF BREACH
RECORDS PER COMPANY
15,973,568 !
TOTAL BREACH
65% RECORDS
PASSWORD REUSE
881,360
71,390,159
AVERAGE PII ASSETS PER COMPANY
?
C-
908,630
WHAT’S
EXPOSED 38,380 SOCIAL
30,618 ACCOUNTS
19,120 PHONE
6,192 GEOLOCATION
$ 2,156
AU
CO FINANCIAL
TH
OK
99 IES
/T
1
,9
OK
ENS
17 RECO
RDS
,7 1
0
11,950
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
123456
5,876,758
aaron431 MALWARE-INFECTED
CONSUMERS
119
companies TECHNOLOGY
The companies in this
149,240,716
TOTAL BREACH
ASSETS
14,610
TOTAL BREACH
SOURCES
243,663
AVERAGE # OF BREACH
RECORDS PER COMPANY
28,995,928 !
TOTAL BREACH
60% RECORDS
PASSWORD REUSE
650,499
77,409,402
AVERAGE PII ASSETS PER COMPANY
1 2, CU
TIV
ES address
email
E IP
L EX
VE SSN
LE
?
C-
7, 5 1 8 , 5 8 2
WHAT’S
EXPOSED 65,694 SOCIAL
77,491 ACCOUNTS
32,949 PHONE
8,343 GEOLOCATION
$ 3,613
AU
CO FINANCIAL
TH
OK
IES
1,
95 /T
OK
4
ENS
,5 RECO
04 RDS
,602
67,723
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
123456
password
13,222,813
research MALWARE-INFECTED
CONSUMERS
companies
9 TELECOMMUNICATIONS
The companies in this
the Telecommunications
61,912,409
Industry.
TOTAL BREACH
ASSETS
7,412
TOTAL BREACH
SOURCES
1,535,588
AVERAGE # OF BREACH
RECORDS PER COMPANY
13,820,290 !
TOTAL BREACH
59% RECORDS
PASSWORD REUSE
3,211,277
28,901,489
AVERAGE PII ASSETS PER COMPANY
email
E IP
L EX
VE SSN
LE
?
C-
6,336,177
WHAT’S
EXPOSED 110,917 SOCIAL
229,757 ACCOUNTS
183,282 PHONE
18,977 GEOLOCATION
$ 30,580
AU
CO FINANCIAL
TH
OK
IES
,3 /T
6
53
OK
ENS
RECO
,61 RDS
2
8,015
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
123456
password
197,874
password1 MALWARE-INFECTED
CONSUMERS
companies
35 TRANSPORTATION
The companies in this
the Transportation
18,898,930
Industry.
TOTAL BREACH
ASSETS
5,676
TOTAL BREACH
SOURCES
97,651
AVERAGE # OF BREACH
RECORDS PER COMPANY
3,417,777 !
TOTAL BREACH
67% RECORDS
PASSWORD REUSE
315,628
11,046,976
AVERAGE PII ASSETS PER COMPANY
2 ,38 CU
TIV
ES address
email
E IP
L EX
VE SSN
LE
?
C-
598,535
WHAT’S
EXPOSED 28,477 SOCIAL
24,746 ACCOUNTS
15,576 PHONE
5,478 GEOLOCATION
$ 1,707
AU
CO FINANCIAL
TH
OK
8, IES
/T
41
OK
ENS
2,6
RECO
RDS
98
5,261
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
123456
password
110,317
123456789 MALWARE-INFECTED
CONSUMERS
companies
30 WHOLESALERS
The companies in this
8,234,908
TOTAL BREACH
ASSETS
3,155
TOTAL BREACH
SOURCES
48,410
AVERAGE # OF BREACH
RECORDS PER COMPANY
1,452,296 !
TOTAL BREACH
55% RECORDS
PASSWORD REUSE
164,866
4,945,983
AVERAGE PII ASSETS PER COMPANY
?
C-
214,365
WHAT’S
EXPOSED 13,452 SOCIAL
11,429 ACCOUNTS
9,230 PHONE
3,082 GEOLOCATION
$ 1,041
AU
CO FINANCIAL
TH
OK
IES
99 /T
OK
ENS
3, RECO
111 RDS
2,592
MALWARE-INFECTED
EMPLOYEES
TOP NOTEWORTHY EXPOSED PASSWORDS
password
123456
8,045
aaron431 MALWARE-INFECTED
CONSUMERS
YOUR PLAN OF ACTION
SpyCloud’s analysis of Fortune 1000 companies’ exposure of third-party breaches and malware-exfiltrated data has
revealed over 1.87 billion stolen cookie records, and 725 million stolen assets in criminals’ hands – 27.48 million of
which are plaintext passwords tied to Fortune 1000 company employees. Combined with high rates of password
reuse, these exposures represent significant cyber risks for these organizations and the companies and consumers
To defend against account takeover, session hijacking, malware, ransomware, and other malicious cyberattacks,
Fortune 1000 companies cannot bet solely on their employees to keep them safe and rather should think of users as
consumers whose behavior expands the attack surface multi-fold. To minimize exposure and safeguard data,
enterprises need to enforce strong enterprise password policy with SSO where possible, create clear company policies
on the use of business and personal devices, enforce multi-factor authentication on critical accounts, and mandate
the use of password managers, as well as leverage automated solutions that remediate their users' exposure –
Given the growing prevalence of malware-siphoned data used by cybercriminals, security teams can take proactive
steps to reduce the risk of exposed employee, contractor, and vendor identities. We recommend implementing robust
post-infection remediation – a framework of additional steps to existing incident response protocols designed to
negate opportunities for ransomware and other critical threats by resetting the application credentials and
Simply changing passwords after a malware infection does not guarantee active user sessions or trusted device
tokens will be invalidated. Since information-stealing malware also siphons device and web session cookies,
neglecting to address potentially stolen cookies leaves the victim’s accounts vulnerable to session hijacking through
device impersonation. For applications that fall outside your security team’s purview, it may be necessary to contact
the third-party cloud service provider and request that the compromised user sessions be invalidated as part of
With millions of Fortune 1000 employee identities exposed, it's imperative that security teams act quickly on what
cybercriminals have in hand to neutralize their risk of cyberattacks stemming from the use of this stolen data.
G E T T H E G UID E
ABOUT SPYCLOUD
SpyCloud transforms recaptured darknet data to protect businesses from cyberattacks. Its products
operationalize Cybercrime Analytics (C2A) to produce actionable insights that allow enterprises to proactively
prevent ransomware and account takeover, protect their business from consumer fraud losses, and
investigate cybercrime incidents. Its unique data from breaches, malware-infected devices, and other
underground sources also powers many popular dark web monitoring and identity theft protection offerings.
SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government
agencies around the world. Headquartered in Austin, TX, SpyCloud is home to nearly 200 cybersecurity
To learn more and see insights on your company’s exposed data, visit spycloud.com.