The technology, education, and e-commerce sectors were the hardest hit by data leaks over a three-year period that saw more than 7.8 billion email records exposed across nearly 10,000 major incidents.
An analysis of the breaches found that 90% contained email addresses, 32% exposed credentials, and 12.3% sensitive government-issued identifiers like SSNs.
“The technology, education, and e-commerce sectors are attractive targets because they serve large numbers of users and store vast amounts of personal data, making them both valuable and vulnerable to attack. These industries must prioritize security investments and robust employee training to protect the data they hold,” says Karolis Arbaciauskas, head of product at NordPass.
Other frequently targeted sectors included retail, finance, hospitality, media, and manufacturing. While the financial sector saw fewer incidents compared to the top three industries and retail, those that did occur were often more severe, exposing a much higher average number of emails per leak, research shows.
Hackers shift strategy
Across nearly all classified industries, leak volume declined in 2025. However researchers caution that a lower number of leaks does not mean lower risk.
“Leak activity continues to focus on highly digital industries that collect large volumes of valuable user credentials and personal data. A lower number of leaks does not mean lower risk because several industries recorded higher average leak sizes, increasing potential impact despite lower incident counts. Continued investment in sector‑specific controls, including third‑party risk management, credential protection, and monitoring of underground markets, is critical to reducing exposure,” says Arbaciauskas.
Mantas Sabeckis, the senior threat intelligence researcher at Nord Security who headed the research, adds that this reduction may also partially reflect threat actors’ shifting strategy. According to him, the cybercriminal underground’s shift toward infostealer malware enables near real‑time credential harvesting and direct access to targeted services without relying on large‑scale leaked database dumps.
The decrease may also be attributed to disruptions within the leak database ecosystem itself, including the takedown of several leak forums and marketplaces in 2025. These actions by law enforcement reduced the public visibility of leaked databases, further decentralizing the market into smaller channels or private groups.
Private vs. public sector
Researchers also looked into government versus private sector exposure trends. Data shows that private sector organizations accounted for the majority (53%) of identified exposures — 1,632 leaks compared to just 10% (317 leaks) impacting government entities. This reflects both the larger private sector attack surface (there are more private companies than governmental institutions) and the higher monetization value of commercial datasets.
Private‑sector leaks not only occur more often but also expose significantly larger datasets, increasing risk to individuals through phishing, fraud, and credential‑based attacks. Government leaks, while less frequent in publicly observed datasets, remain high impact due to the sensitive nature of the information involved and the potential for geopolitical or intelligence exploitation.
How to protect yourself
According to Arbaciauskas, reducing impact requires action from both organizations and individuals.
For organizations:
- Minimize the volume of personal data stored and segment critical systems to limit breach scope.
- Strengthen credential protection with hardware-backed authentication and protect endpoints against infostealer malware.
- Monitor for leaked credentials and act quickly to contain incidents before they scale.
For individuals:
- Employ a password manager, use unique passwords, and enable multi-factor authentication to prevent stolen credentials from being reused across services.
- After major breach disclosures, stay alert for phishing and targeted scams.
- If you notice suspicious activity on an account, reset your credentials immediately and review connected accounts.
Research methodology
This report is the result of a joint effort between NordPass and NordStellar. The dataset includes publicly available leaked databases detected by NordStellar between 2023 and 2025. Each entry was processed through an AI-assisted classification pipeline (nexos.ai), which analyzed available leak metadata, including origin domains, top-level domains, descriptions, referenced organizations, and dataset contents, to determine sector, geographic attribution, and organization type (public or private).
Leaks were categorized as “country specific” when available metadata indicated a primary country association. Otherwise, they were marked as “global” or “unknown.” From the 3,031 leaks recorded in 2025, NordStellar extracted reported email counts and recorded the presence of additional data types, including phone numbers, credentials (plaintext or hashed passwords, API keys), government identifiers, and financial records. Email totals reflect aggregated account records and may include mixed account types (e.g., customer, employee, administrative, or user accounts) because precise differentiation was not feasible. No personal data was acquired or purchased for this research.