US, India top hacker target list in 2025 despite 37% fall in public data leaks: NordPass


Nearly 10,000 major database breaches and 7.8 billion exposed email records tracked over three years as cybercriminals pivot to stealthier, AI-enabled tactics.
In 2025 alone, 3,031 leaked databases were identified—down 36.9% from 4,804 in 2024.  Credits: Narendra Bisht

The United States and India emerged as the most targeted countries for hackers in 2025, even as the number of publicly disclosed database leaks fell sharply year-on-year, according to new research by NordPass, a password manager, and NordStellar, a threat intelligence platform.

The cybersecurity firms tracked 9,914 major leaked databases and over 7.8 billion exposed email records between 2023 and 2025. In 2025 alone, 3,031 leaked databases were identified—down 36.9% from 4,804 in 2024. However, researchers caution that the decline reflects a shift in hacker tactics rather than an easing of cyber risk.

For businesses, the findings reinforce a growing reality: cyber risk is becoming more concentrated, more targeted and potentially more financially damaging, even if headline breach counts appear to decline.

US, India, Russia lead in 2025

Of the 1,203 country-specific leaks identified across 102 countries last year, the United States topped the list with 187 incidents, followed by India (121) and Russia (78). Indonesia, France, Brazil, Italy, Germany, Argentina and Mexico were also among the most affected.

While several European countries saw notable declines in leak counts compared with 2024, the US recorded a marked increase. Emerging markets in Southeast Asia and Latin America remained consistently targeted.

Researchers say large populations, dense digital ecosystems and economic or geopolitical relevance continue to make these countries high-frequency targets.

For India, the data comes at a time when enterprises are rapidly digitising operations, expanding fintech adoption and scaling e-commerce and SaaS ecosystems—factors that increase both opportunity and attack surface.

Fewer leaks, larger exposures

Despite the fall in total incidents, exposure levels remain significant. More than half a billion email addresses were compromised in 2025 alone.

Nine out of 10 leaks (90%) contained email addresses, 68% included phone numbers, and nearly one-third (32%) exposed credentials such as passwords or API keys. Around 12.3% of leaks involved government-issued identifiers, including Social Security numbers and driver’s licence details. Financial data—such as bank or cryptocurrency information—appeared in just 2.2% of cases.

“The vast amount of contact details and credentials in leaked datasets increases the risk of doxxing, scam calls, phishing, and targeted harassment,” said Karolis Arbaciauskas, head of product at NordPass. He added that enabling two-factor authentication and passkeys can significantly reduce the risk of account compromise even if credentials are exposed.

For corporates, the exposure of credentials—rather than just contact data—poses the most immediate operational risk, enabling account takeovers, supply chain infiltration and financial fraud.

Shift to infostealers and ransomware

According to Mantas Sabeckis, senior threat intelligence researcher at Nord Security, the drop in public database dumps is tied to a broader tactical shift in the cybercriminal underground.

Attackers are increasingly relying on infostealer malware, which enables near real-time harvesting of credentials directly from infected devices. This reduces dependence on large-scale database leaks and allows criminals to access targeted services more quickly and precisely.

At the same time, ransomware-driven data exfiltration is rising. NordStellar’s 2024–2025 ransomware research shows leak-site disclosures increased 45% year-on-year in 2025, reaching 9,251 cases. The final quarter alone recorded 2,910 incidents, with December logging 1,000 publicly listed victims—the highest monthly total in two years.

Notably, 64% of recorded ransomware cases involved US-based organisations, while manufacturing was the most affected sector globally. Small enterprises—with fewer than 200 employees and under $25 million in revenue—were disproportionately impacted.

Researchers also attribute lower public leak visibility to law enforcement action. Several major leak forums and marketplaces were disrupted in 2025, pushing data trade into smaller, private channels and making incidents harder to detect.

For boards and CXOs, this means traditional monitoring of public leak forums may no longer provide a complete risk picture.

Private sector bears the brunt 

Of the 3,031 leaks analysed for 2025, 53% were attributed to private companies and 10% to government entities, with the remaining 37% unattributed due to insufficient metadata.

Private-sector incidents not only occurred more frequently but also involved larger datasets. The average private leak exposed around 126,000 email addresses, compared with about 79,000 for government leaks. However, breaches involving public agencies remain high impact due to the sensitivity of personal and national security data.

Technology, education and e-commerce sectors recorded the highest leak volumes, reflecting their reliance on internet-facing services and extensive customer data collection. Even where incident counts declined, the size of individual leaks often increased.

For digital-first companies and consumer platforms, the concentration of exposure heightens regulatory, reputational and litigation risks, particularly in jurisdictions tightening data protection norms.

High-impact breaches dominate risk

A handful of large-scale incidents accounted for a disproportionate share of overall exposure in 2025, with several breaches exposing tens of millions of records each. These high-impact events underscore a broader trend: fewer but more concentrated data exposures.

The findings suggest that traditional metrics—such as the number of public database dumps—may no longer fully capture the scale of cyber risk.

Instead, the quantum of data per incident and the speed of monetisation are emerging as more relevant indicators for enterprise risk assessment.

What to expect in 2026

NordPass expects cybercriminals to deepen their reliance on infostealers, phishing and ransomware-based extortion, with artificial intelligence tools further enhancing attack sophistication.

“Attackers will use AI tools to craft better phishing emails, develop malware and identify vulnerabilities faster,” Arbaciauskas said, adding that businesses must strengthen password policies, deploy hardware-backed authentication and reduce unnecessary data storage.

For individuals, experts recommend using password managers, enabling multi-factor authentication, monitoring for breach disclosures, and promptly resetting credentials when suspicious activity arises.

As 2026 approaches, the report concludes, resilience will hinge less on preventing every breach and more on limiting the scale and impact of inevitable exposures—through tighter identity controls, reduced data concentration and faster incident response.

For corporate India and global enterprises alike, the message is clear: fewer headlines do not mean lower risk. The cyber threat landscape is not shrinking—it is becoming sharper, faster and more financially consequential.
