
Countries most affected by hackers:
New research from NordPass and NordStellar shows nearly 10,000 major leaks and over 7.8 billion email records exposed from 2023 to 2025, underscoring the growing challenge organizations face in safeguarding sensitive information.
The vast majority of leaked datasets included information that can be quickly exploited: 90% contained email addresses, 68% contained phone numbers, 32% exposed credentials (such as passwords or API keys), and 12.3% included government-issued identifiers. Financial data, such as bank or cryptocurrency details, appeared in only 2.2% of cases.
“Due to the large amount of contact details and credentials in leaked datasets, we might see an uptake in real-world abuse such as doxxing, scam calls, targeted harassment, various phishing activities, and SMS or email scams. It’s very important to use two-factor authentication and passkeys wherever possible. It can save you if a hacker breaches a company and gets their hands on your credentials. I would also recommend using data breach scanning tools to check if your email and credit card data was leaked to the dark web,” says Karolis Arbaciauskas, head of product at NordPass.
Largest targets

Researchers identified 1,203 country-specific leaks (those whose origin could be determined) across 102 countries. The United States, India, and Russia were the most affected countries in 2025. Last year a total of 187 leaks were traced to the USA, 121 to India, and 78 to Russia.
Other targets included Indonesia, France, Brazil, Italy, Germany, Argentina, and Mexico, demonstrating widespread global exposure. This indicates persistent targeting of large economies and regions of high geopolitical interest.
“We can assume these countries remain high-frequency targets due to their large populations, high density of digital services, and economic or geopolitical relevance. Most attacks are financially motivated. But some database leaks are tied to hacktivism, a trend we expect to continue in 2026,” says Arbaciauskas.
Hackers shift strategy
A year-over-year comparison reveals significant shifts in the geographic distribution of leaks. Several European countries saw substantial declines. Meanwhile, the United States experienced a marked increase in database leaks in 2025. Emerging markets in Southeast Asia and Latin America remained consistently targeted.
Overall, 3,031 leaked databases were identified in 2025, compared to 4,804 in 2024, a 36.9% decrease. According to the researchers, this reduction may partially reflect threat actors’ shifting strategy.
“The cybercriminal underground’s shift toward infostealer malware, which enables near real‑time credential harvesting and direct access to targeted services without relying on large‑scale leaked database dumps. The decrease may also be attributed to disruptions within the leak database ecosystem itself, including the takedown of several leak forums and marketplaces in 2025. These actions by law enforcement reduced the public visibility of leaked databases, further decentralizing the market into smaller channels or private groups,” explains Mantas Sabeckis, senior threat intelligence researcher at Nord Security.
How to protect yourself
According to Arbaciauskas, reducing impact requires action from both organizations and individuals.
For organizations:
- Minimize the volume of personal data stored and segment critical systems to limit breach scope.
- Strengthen credential protection with hardware-backed authentication and protect endpoints against infostealer malware.
- Monitor for leaked credentials and act quickly to contain incidents before they scale.
For individuals:
- Employ a password manager, use unique passwords, and enable multi-factor authentication to prevent stolen credentials from being reused across services.
- After major breach disclosures, stay alert for phishing and targeted scams.
- If suspicious activity appears, reset credentials immediately and review connected accounts.
Research methodology
This report is the result of a joint effort between NordPass and NordStellar. The dataset includes publicly available leaked databases detected by NordStellar between 2023 and 2025. Each entry was processed through an AI-assisted classification pipeline (nexos.ai), which analyzed available leak metadata, including origin domains, top-level domains, descriptions, referenced organizations, and dataset contents, to determine sector, geographic attribution, and organization type (public or private).
Leaks were categorized as “country-specific” when available metadata indicated a primary country association. Otherwise, they were marked global or unknown. From the 3,031 leaks recorded in 2025, NordStellar extracted reported email counts and recorded the presence of additional data types, including phone numbers, credentials (plaintext or hashed passwords, API keys), government identifiers, and financial records. Email totals reflect aggregated account records and may include mixed account types (e.g., customer, employee, administrative, or user accounts), as precise differentiation was not feasible. No personal data was acquired or purchased for this research.













