"The scale of this exposure is immense" — New study reveals the extent of data leaks and the frightening rise of digital doppelgängers
Surfshark VPN's research division published a study that digs up details about data leaks around the world, and the results aren't pretty.
It's been a bad year for data breaches so far in 2025, and we still have a couple of months to go.
Off the top of my head, I can list several severe breaches, from the 16 billion accounts leaked from Google, Facebook, and Telegram to the 70,000 Discord user IDs to the 40 billion records (many marked "confidential") discovered on an unencrypted database.
VPN provider Surfshark published a study on October 28 detailing just how exposed we all are on the internet. The results are more than a bit frightening.
According to the study, there have been 23.2 billion user account breaches since 2004, which equates to a total of 57.8 billion personal data points. So far in 2025, Surfshark says there have been more than 215 million account leaks, with each quarter only getting worse.
Surfshark counts data points this way: a leaked email address counts as one data point, but each leaked account can contain more than one. Anything from passwords to physical attributes can count towards the total.
Surfshark said it gathered this data with the help of independent security researchers. It looked at 160 countries with populations of more than one million people, altogether containing "44.4 billion leaked data types."
Out of the 160 countries included in the study, Surfshark claims almost 17 billion accounts were leaked, with an average of 2.8 data points each.
Why do physical attributes matter? My password is safe, so who cares if a hacker knows my hair color?! It's not quite so simple.
The ultimate conclusion to Surfshark's study is that there's a lot of personal information available to find on the internet — whether through legitimate or illegitimate means — and the biggest risk to users comes from the aggregation of this data.
Hackers who have access to sensitive details can build what Surfshark calls a "digital doppelgänger," leaving millions of people at risk of deeply personalized, targeted exploitation.
Passwords and usernames make up the bulk of the breach data
Surfshark's analysis of 160 countries reveals that passwords make up about 23% of the data contained in leaks since 2004. That's about 10.4 billion exposures.
In second place are usernames with 3.26 billion leaks, or about 7.4% of the total exposures. Hashed passwords — stored in what should be a secure manner — come out to a total of 2.93 billion.
Beyond these top three marks, the 17 other common data points include names, phone numbers, countries, cities, IP addresses, ZIP codes, languages, locations, and more. Even in 15th place, date-of-birth leaks account for 1.36 billion data points.
With far more password leaks than there are humans on planet earth — plus all of the other leaked data points — it's no stretch when Surfshark says that "the scale of this exposure is immense."
Returning to the "digital doppelgänger" idea, Surfshark reminds us that although physical characteristics are less commonly leaked, they are a crucial part of the next-gen hacker's arsenal.
Leaks of physical features pale in comparison to the rest, making up just 0.06% of all of the data points, but that nevertheless equates to nearly 29 million pieces of data that include everything from shoe size, height, and weight, to eye and hair color.
According to Surfshark, "this information creates opportunities for online fraud and real-world crimes, such as vehicle tracking, license plate cloning, and targeted theft. These seemingly niche categories collectively demonstrate that data leaks concern not just where you log into but who you are and what you own in the physical world."
USA is number one ... in several data leak rankings
Data breaches occur everywhere in the world, but the study points to the US as being one of the most targeted locations. Surfshark claims that nearly 4.5 billion user emails tied to 19 billion data points have leaked in the US since 2004, but the country also holds first spot for several other metrics.
Personal info, location, social media, finance, and "other" leaks are most prevalent in the US out of all 160 countries included in the study. For personal information alone, there are 17,163 leaks per 1,000 people.
Russia takes first place for password leaks, with 22,478 breaches per 1,000 people. And Israel has the most physical feature leaks with 69.9 per 1,000 people.
What can you do to prevent data breaches?
The scariest part of this study and the rise of "digital doppelgängers" is the fact that you can't change physical attributes as easily as you can change a username and password.
Targeted fraud and identity theft are on the rise, and it's especially important these days to be wary about data breaches. While there's no one way to avoid these situations, the usual cybersecurity advice applies.
Use a strong password, and use a different one for each account. A proper password manager can help. Multi-factor authentication is also crucial, as it can stop hacker access should your password leak out.
Be wary of phishing attempts via email, text, or call, and be very careful when using public Wi-Fi. Any trusted VPN (I have no allegiance to Surfshark) can help in this instance.
Keep an eye on your financials and credit reports, and try your best to reduce the footprint your data leaves across the web. With the age of social media fully upon us, you might be surprised at how many details can be gleaned from a single account.
If you do believe your accounts have been breached, a website like Have I Been Pwned will quickly let you know.
If you're often working with open Wi-Fi or simply want to keep your web traffic private, a VPN like Surfshark can help. Two-year plans start at about $1.99 per month.
FAQ
Has Surfshark ever suffered a data breach?
Surfshark VPN claims that it has never suffered a data breach, nor have any of its user accounts been compromised.
Can a VPN protect me from data breaches?
A VPN is designed as an encrypted tunnel through which your internet traffic flows. This makes it a great tool for those who often use public Wi-Fi. It won't stop all data breaches, but it's a good tool to have on hand.
How do I know if my information has been leaked?
Websites like Have I Been Pwned are an excellent resource for those who fear they've suffered a data breach. Just visit the site, enter your email address, and see whether it appears in any known breaches.

Cale Hunt brings to Windows Central more than nine years of experience writing about laptops, PCs, accessories, games, and beyond. If it runs Windows or in some way complements the hardware, there’s a good chance he knows about it, has written about it, or is already busy testing it.

