Over the last couple of years, NordPass researchers have tracked nearly 10,000 major database leaks and more than 7.8 billion exposed email records. The team, led by Mantas Sabeckis, a senior threat intelligence researcher at Nord Security, leveraged the NordStellar threat-intelligence platform for this research.
The 2025 dataset marks a turning point: Public disclosures of database leaks fell by 36.9%, dropping from 4,804 incidents in 2024 to 3,031 in 2025. Despite that decrease, criminals still exposed more than half a billion email addresses in 2025 alone, highlighting that leak counts alone don’t capture the scale of the threat. Today’s attacks favor stealth and quality over quantity — smaller numbers of incidents now involve much larger datasets, and a growing share of stolen data circulates through private channels or infostealer logs rather than public forums.
Key takeaways
The United States (187 leaks), India (121), and Russia (78) recorded the highest number of country-specific incidents, though 60% of leaks were global or unattributed.
Technology, education, and e-commerce sectors saw the highest leak volumes, and private companies accounted for 53% of classified exposures compared to 10% affecting government entities.
Database leaks fell by 36.9% in 2025 (from 4,804 to 3,031), yet exposure remained significant, with more than half a billion email addresses compromised.
Nine out of 10 leaks contained email addresses (2,724 of 3,031), and 68% of incidents (2,069 of 3,031) included phone numbers, making contact data the most consistently exposed information.
Nearly one-third of leaks exposed credentials (972 of 3,033), while 12.3% (374 of 3,031) contained government-issued identifiers such as SSNs or driver’s license numbers. Financial data appeared in 2.2% (66 of 3,031) of cases.
Ransomware leak-site disclosures rose by 45% in 2025 to 9,251 cases, highlighting the growing role of extortion-driven data exposure.
A small number of large breaches exposed tens of millions of records each, concentrating overall risk in high-impact incidents.
Current trend: Fewer leaks, bigger exposures
A shift to infostealers and closed markets. The decline in publicly visible database leaks likely reflects a change in attack methods — infostealer malware lets attackers capture usable credentials directly from user systems and access services without extracting centralized datasets.
As threat actors further refine their methods, infostealer data has become one of the most sought-after assets in the underground economy. As Mantas Sabeckis explains:
“Infostealer data will remain one of the most attractive commodities for threat actors. Its simplicity, low price, and limited need for technical skills are the main driving factors behind its growing popularity. While databases have their own place in the underground, infostealer data is far more effective in comparison. Attackers don’t have to rely on credential stuffing since they already know their targets. This gives them a direct path to compromised accounts, making their attacks faster, more precise, and more successful.”
Ransomware-driven exfiltration. Extortion groups often steal data as leverage and sell it privately if victims refuse to pay. These incidents might never appear on public leak sites.
This trend is reinforced by NordStellar’s 2024-2025 ransomware research, which shows that leak-site disclosures increased by 45% year over year in 2025 (9,251 cases compared to 6,395 in 2024). The acceleration was particularly visible in the final quarter, with 2,910 incidents in Q4 (+38% year over year), including 1,000 publicly listed victims in December alone — the highest monthly total observed in two years. Beyond sheer volume, the data reveals a clear targeting strategy: 64% of recorded cases involved US-based organizations, while manufacturing emerged as the most affected sector, accounting for 1,156 incidents (19.3% of global victims). Small enterprises were disproportionately impacted, especially organizations with fewer than 200 employees and under $25 million in revenue, underscoring attackers’ preference for high-disruption environments with comparatively limited security posture.
Law enforcement action. Several major leak forums and marketplaces were disrupted in 2025, dispersing trade into smaller private channels. This makes leaks harder to detect but does not reduce victim exposure.
Geopolitical shifts. Data-driven hacktivism surged in 2024 due to global conflicts. As political focus shifted in 2025, some regions saw fewer public dumps while targeted espionage continued under the radar.
Fewer leaks do not mean less risk. The vast majority of 2025 incidents involved information that can be abused quickly, including email addresses (90%), phone numbers (68%), credentials such as passwords or API keys (32%), and government-issued identifiers (12.3%). Financial data, such as bank or cryptocurrency details, appeared in only 2.2% of cases.
Geographic patterns
NordStellar identified 1,203 country-specific leaks across 102 countries in 2025. The United States (187 leaks), India (121), and Russia (78) topped the list, reflecting their large populations and dense digital economies. Secondary clusters of leaks occurred in Indonesia, France, Brazil, Italy, Germany, Argentina, and Mexico.
Compared with 2024, the United States recorded more leaked databases in 2025, whereas Russia and several European countries saw notable declines. The pattern highlights that leak counts are shaped by disclosure practices and attacker focus. A majority of leaks were global or unattributed, reflecting the cross-border nature of data breaches.
Industry sector analysis
According to the NordStellar dataset, technology, education, and e-commerce organizations suffered the highest number of leaks. These sectors rely on internet-facing services and collect large volumes of customer data, making them lucrative targets.
Although the number of leaks declined across most industries, leak sizes often increased. For example, technology and e-commerce leaks frequently exposed hundreds of thousands of email addresses per incident. Financial sector breaches, though fewer in number, tended to involve larger datasets, amplifying their impact.
Government vs. private sector
Of the 3,031 leaks analyzed for 2025, 53% were attributed to private companies and 10% to government entities, with the remaining 37% unattributed due to insufficient metadata. Private-sector leaks not only occurred more often but also exposed larger datasets. The average private leak contained about 126,000 email addresses, whereas the average government leak contained about 79,000. This disparity reflects both the broader attack surface of private organizations and the higher monetization potential of commercial data. Government breaches remain high-impact even when fewer in number because sensitive personal and national security information can be exploited for espionage or political purposes.
Top 5 notable leaks of 2025
While thousands of breaches occurred in 2025, a small number of high-profile incidents drove a disproportionate share of the risk. The table below summarizes the five biggest leaks NordStellar tracked and provides evidence from independent reporting:
| Organization and date | Evidence of breach | Data exposed |
|---|---|---|
| Under Armour (November 2025) | Malwarebytes reported that the Everest ransomware gang published a 191 GB dataset containing 191.6 million records and 72.7 million unique email addresses. Infosecurity Magazine confirmed that Have I Been Pwned (HIBP) added 72 million email addresses to its database. | Dates of birth, genders, names, email addresses, geolocation data, purchase history |
| Prosper Marketplace (September 2025) | SecurityWeek, citing HIBP, reported that an unauthorized query of Prosper’s databases exposed 17.6 million accounts and included names, addresses, IP addresses, dates of birth, government IDs, employment statuses, and income levels. | Dates of birth, employment statuses, income data, names, credit status information, email addresses, government IDs, IP addresses, physical addresses, browser user agent details |
| Vietnam Airlines (June 2025) | An Outpost24 analysis revealed that threat actors released a 64 GB dataset containing more than 7.3 million unique email addresses. HIBP listed Vietnam Airlines as the subject of a breach affecting 7.3 million accounts. | Physical addresses, email addresses, phone numbers, dates of birth, genders, names, nationalities, usernames |
| The Pass’Sport program (December 2025) | HIBP records show that France’s Pass’Sport program leak contained 6.5 million unique email addresses and affected about 3.5 million households. HookPhish’s breach alert confirms the same numbers and notes that the data included names, genders, phone numbers, and physical addresses. | Email addresses, names, genders, phone numbers, physical addresses |
| Bouygues Telecom (August 2025) | Bouygues announced that attackers accessed personal information on 6.4 million customers. HIBP notes that 5.7 million unique email addresses were exposed. | Physical addresses, dates of birth, email addresses, names, phone numbers |
These incidents illustrate the wide variety of victims — from athletic apparel and fintech companies to airlines and government programs — and highlight how current leaks often reveal far more than email addresses.
Looking ahead: What to expect in 2026
Data-leak risks will evolve rather than disappear. We expect criminals to continue relying on infostealer malware, phishing, and ransomware extortion to obtain and monetize credentials.
That evolution will likely accelerate as criminal enterprises mature and new tools become more widely and easily accessible. As Karolis Arbačiauskas, head of product at NordPass, puts it, the trajectory is rather clear:
“The data leak risks will continue to evolve as criminal enterprises continue to thrive. The rising popularity of LLMs will catalyze it even further, just like in other fields. Attackers will use AI tools to craft better phishing emails, create malware, use agentic software, or find weak points faster.
“Businesses and individuals need to stay alert and update their security practices. Strong password policies and regular software updates should remain key defenses against these threats.”
How to protect yourself
The research findings show that exposure is concentrated in highly digital industries, large private-sector organizations, and regions with dense online ecosystems. Reducing impact requires action from both organizations and individuals.
For organizations:
Minimize the volume of personal data stored and segment critical systems to limit breach scope.
Strengthen credential protection with hardware-backed authentication and protect endpoints against infostealer malware.
Monitor for leaked credentials and act quickly to contain incidents before they scale.
For individuals:
Employ a password manager, use unique passwords, and enable multi-factor authentication to prevent stolen credentials from being reused across services.
After major breach disclosures, stay alert for phishing and targeted scams.
If suspicious activity appears, reset credentials immediately and review connected accounts.
Final thoughts
The decline in publicly disclosed database leaks in 2025 reflects tactics changing more than the internet becoming safer. Criminals increasingly harvest credentials through infostealers, extortion campaigns, and private data exchanges, using more sophisticated methods to reach their goals.
Heading into 2026, the defining challenge will be managing identity at scale. Organizations that reduce data concentration, tighten access controls, and shorten detection and response times will be better positioned to limit impact when incidents occur. The ability to contain exposure — not just prevent it — will increasingly define resilience.
Methodology
Our dataset includes every publicly available leaked database detected by NordStellar between 2023 and 2025. Each entry was processed through an AI-assisted classification pipeline (nexos.ai), which analyzed available leak metadata, including origin domains, top-level domains, descriptions, referenced organizations, and dataset contents, to determine sector, geographic attribution, and organization type (public or private).
Leaks were categorized as “country-specific” when available metadata indicated a primary country association. Otherwise, they were marked global or unknown.
From the 3,031 leaks recorded in 2025, NordStellar extracted reported email counts and recorded the presence of additional data types, including phone numbers, credentials (plaintext or hashed passwords, API keys), government identifiers, and financial records. Email totals reflect aggregated account records and may include mixed account types (e.g., customer, employee, administrative, or user accounts), as precise differentiation was not feasible.