141 million breached files reveal data exposed.
Update, July 30, 2025: This story, originally published on July 28, has been updated with additional information from the Anatomy of a Data Breach report that analyzed 141 million compromised files from 1,257 breach incidents, including a detailed look at the blast radius of a breach, as well as additional data from a newly published Zscaler ransomware threat report.
It is a sad reflection of the times, as far as data breaches and leaks are concerned, that news of an analysis of 141 million files from 1,257 breaches, including ransomware attacks, hardly registers as being a large number. At least not in the context of aggregated criminal databases containing 16 billion login credentials, or even the recent news of 184 million plaintext passwords found online. The truth is that with the availability and ease of use of infostealers-as-a-service, which cost hackers as little as $30 a month to rent, you can only expect these numbers to grow. The importance of the 141 million files, however, lies not in the overall number but in the data that is contained within. What is being claimed as the “biggest ever content-level analysis of breached datasets” has revealed just how concerned everyone should be.
The Biggest Content-Level Data Breach Analysis
In its Anatomy of a Data Breach report, Lab 1 has compiled the results of what it said was the biggest content-level analysis of data breach files ever.
The analysis, based on 141,168,340 records included in a total of 1,297 ransomware and data breach incidents, reconstructed from “forensic acquisitions of compromised systems,” according to Lab 1, is worthy of note as it didn’t just look at dumps of structured data, which ordinarily focus on credentials above all else. Instead, Robin Brattel, Lab 1 CEO, said, the analysis “focused on the huge risks associated with unstructured files that often hold high-value information, such as cryptographic keys, customer account data, or sensitive commercial contracts.”
And, oh boy, did it reveal those huge risks, and then some.
- Financial documents were present in 93% of incidents.
- Financial documents accounted for 41% of all analyzed files.
- Bank statements were present in 49% of incidents.
- International Bank Account Numbers were found in 36% of the breached data sets.
- 14% of all the incidents involved wealth statements.
- Customer and corporate personally identifiable information was found in 82% of breaches.
- 67% of that breached PII involved customer service interactions.
- 51% of incidents included email leaks that contained U.S. social security numbers.
- 54 email addresses were exposed, on average, in each of the data breach files.
- Cryptographic keys, with the power to bypass authentication protections, were found in 18% of all the breaches.
- Code files accounted for 17% of all exposed files.
- 79% of all incidents contained system logs.
- 81% contained images.
The average breach, according to the Lab 1 analysts, contains 22,647 files comprising 13.44 GB of data. Breaking this down further, there are, on average, 14 different file types, 22 file classifications and, somewhat incredibly and worryingly in equal measure, 482 organizations impacted as a result.
“With cybercriminals now behaving like data scientists to unearth these valuable insights to fuel cyberattacks and fraud, unstructured data cannot be ignored,” Brattel warned. Organizations simply must understand the kind of information that has been leaked in any data breach, and beyond that, how it can be used in ongoing attacks and exactly who could be impacted.
The Blast Radius Of A Data Breach
That last statistic from the analysis really threw me, and not in a good way. 482 organizations, on average, are impacted as a result of each and every data breach. Surely that has to be a mistake?
Referring to this as the blast radius of a data breach, which is a very good way of describing it, I think, the Lab 1 analysts found that this has increased by 61% over the last three years. The content-level analysis, they said, “exposes the full blast radius of organizations implicated in these incidents,” many of whom have “nth-party relations to the breached company and be unaware of their potential exposure.” The integrity and trustworthiness of the entire supply chain, and beyond, is undermined by each and every breach, in other words. What’s more, the report warned, the blast radius has “significant implications for systemic risk, regulatory obligations, and reputational damage.”
Of course, averages are funny things when you look at the extremes of the statistics that feed them. Lab 1 confirmed that while the median blast radius was 482, the incident with the most significant number of impacted organizations reached a staggering 1.73 million. At the same time, the smallest was restricted to, erm, just the one. Looking at just the financial services sector, the average blast radius was 4,468 impacted organizations.
“We need to stop thinking of breaches as isolated incidents,” Damian Sutcliffe, a former Chief Information Officer (EMEA) at Goldman Sachs, said. Pointing out that the real risk of a breach lies with the concentration of intelligence, every breach adding to the growing mosaic of organizational operation imagery, Sutcliffe warned that this applies to “not just that held within our systems, but information held across our entire supply chain.”
Data Breach Demand Is Fuelling Ransomware Attack Growth
Another in-depth analysis, this time published by Zscaler ThreatLabz on July 29, the 2025 Ransomware Report, has revealed the extent to which compromised data is now driving the ransomware attack landscape. “Ransomware tactics continue to evolve, with the growing shift toward extortion over encryption as a clear example,” said Deepen Desai, Cybersecurity executive vice president at Zscaler. “GenAI is also increasingly becoming part of the ransomware threat actor’s playbook, enabling more targeted and efficient attacks.”
The demand for data is undoubtedly driving the steady growth in ransomware attacks, although steady growth could be something of an understatement according to the latest Zscaler ThreatLabz analysis. Zscaler cloud protections have seen a 146% year-over-year increase when it comes to blocking ransomware attacks, a rate which researchers have said is alarming.
“This escalation reflects a strategic shift,” the researchers concluded, that “ransomware groups are increasingly prioritizing extortion over encryption.” And that has meant a 92% “increase in the total volume of exfiltrated data by 10 major ransomware groups in the past year.” If you want numbers, the report said this meant a rise from 123 TB to 238 TB.