Executive Summary
This Q4 2024 breach analysis report synthesizes findings from the Revealer.US collection pipeline across October, November, and December 2024. In that window we ingested 2.1 billion newly exposed records, bringing the cumulative corpus tracked by our platform to approximately 12 billion unique credentials, documents, and personal identifiers. Q4 2024 breaches continued a trend we first flagged in our Q3 data breach report: attackers are shifting away from smash-and-grab database dumps and toward quieter, longer-dwell intrusions that leak in stages through stealer logs, ransomware data-leak sites, and misconfigured SaaS tenants.
Three numbers define the quarter. First, 2.1 billion new records, a 14 percent increase over Q3 2024. Second, 73 named breach incidents of meaningful scale, compared to 61 in Q3. Third, 41 percent of all newly exposed credentials in Q4 came from infostealer logs rather than traditional database exfiltration, the highest ratio we have ever recorded.
What Changed This Quarter
- Healthcare overtook SaaS as the single largest sector by record volume, driven by three multi-hospital incidents in North America
- Credential reuse rates hit 62 percent, meaning roughly six of every ten leaked passwords had already appeared in prior breaches
- Average time from initial compromise to public disclosure stretched to 212 days, up from 188 days in Q3
- Ransomware leak sites published data from 1,347 victim organizations, a Q4 record
Total Records Exposed
Our collection team classified the 2.1 billion new Q4 records along three axes: source type, record type, and geography. The breakdown is instructive for defenders trying to prioritize monitoring coverage.
By source type, 864 million records came from stealer log corpora, 712 million from ransomware leak site dumps, 398 million from database breaches disclosed by affected vendors, and 126 million from combo lists and compilations assembled by underground brokers. The remaining 40 million came from accidentally exposed cloud storage buckets and Git repositories that our scanners picked up.
By record type, credentials dominated at 1.4 billion, followed by 380 million personally identifiable information records, 210 million financial records including partial card data, and 110 million medical or insurance identifiers. The medical category is small by volume but disproportionate in downstream impact, a theme we return to in the sector breakdown.
Cumulative Platform Totals
The 12 billion cumulative figure is not just a vanity metric. It represents the working set of breach analysis material our customers query against every day. Of those 12 billion records, roughly 7.8 billion are credentials, 2.4 billion are PII, 1.1 billion are financial, and the remainder spans documents, chat logs, and session artifacts. Deduplication is ongoing and aggressive; the raw ingest is closer to 19 billion before duplicates are collapsed.
Top Breach Categories
Five breach categories accounted for 91 percent of Q4 exposed records. We rank them below by new records added to the corpus during the quarter.
- Healthcare and health insurance: 612 million records
- SaaS and cloud productivity: 498 million records
- Retail and e-commerce: 344 million records
- Financial services and fintech: 281 million records
- Telecommunications and ISPs: 176 million records
The remaining 9 percent spread across education, government, gaming, hospitality, and industrial verticals. Gaming specifically had a quiet quarter compared to Q3, when a single MMO platform accounted for 190 million leaked accounts.
Healthcare Takes the Top Spot
Healthcare climbed from fourth place in Q3 to first place in Q4 because of three named incidents: a regional hospital network in the US Midwest that lost 41 million patient records, a European insurance aggregator that exposed 28 million policyholders, and a pharmacy benefits manager whose third-party vendor leaked 19 million prescription histories. All three share the same pattern, which we detail below under Notable Named Breaches.
SaaS Sector Analysis
SaaS remained the steadiest contributor at 498 million records across 22 distinct incidents. The sector analysis for SaaS shows an interesting split: only four of the 22 incidents involved direct database compromise of the SaaS vendor itself. The other 18 were tenant-level compromises where customer organizations lost data because individual employees were infected with infostealers that harvested SaaS session tokens.
Sector Breakdown
A closer look at each major sector reveals distinct attacker economics and defender blind spots.
Retail and E-commerce
Retail breach volume of 344 million was concentrated in six large incidents, including two loyalty-program database dumps and one point-of-sale provider compromise that affected 1,200 downstream merchants. Average dwell time in retail was 174 days, shorter than the cross-sector average, because most retailers detected anomalies through payment processor fraud reports rather than their own telemetry.
Financial Services
The 281 million financial records include 94 million partial card numbers, 62 million banking credentials, 48 million brokerage login pairs, and 77 million know-your-customer document images. The KYC image category is a growing concern because those assets enable synthetic identity fraud that survives password rotation.
Telecommunications
Telecom contributed 176 million records across four incidents, three of which involved SIM management portals rather than billing databases. SIM swap enablement continues to be the primary monetization path for telecom breaches.
Most Reused Passwords Discovered
From the 1.4 billion newly leaked credentials, we extracted the 20 most frequently observed plaintext or cracked passwords. Reused passwords remain the cheapest and most reliable attacker primitive, and the Q4 list is depressingly familiar.
- 123456
- password
- 123456789
- qwerty123
- password1
- 111111
- 1q2w3e4r
- admin
- welcome1
- iloveyou
Positions 11 through 20 include variants like Aa123456, P@ssw0rd, letmein, and sunshine. Corporate domains were not immune: 3.1 percent of credentials tied to business email addresses used passwords from this top-20 list, a slight improvement from 3.4 percent in Q3 but still catastrophic at scale.
Reuse Across Breaches
Of the 1.4 billion leaked credentials, 868 million had appeared in at least one prior breach in our corpus. That is a reuse rate of 62 percent, up from 58 percent in Q3. The implication for defenders is unambiguous: any credential that has ever been exposed should be treated as permanently burned.
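As an added example that is not part of this report or the Revealer.US platform, the following Python computes the two metrics cited above and in the top-20 discussion (the reuse rate of credential pairs across breaches and the share of business-address credentials using a top-20 password) over constructed sample records. The consumer-domain list, the pair-level SHA-256 fingerprinting, and the sample data are assumptions made for the illustration.

```python
import hashlib
from collections import Counter

# Top-10 from the Q4 list plus the four position-11..20 variants the report names.
TOP_PASSWORDS = frozenset({"123456", "password", "123456789", "qwerty123", "password1",
                           "111111", "1q2w3e4r", "admin", "welcome1", "iloveyou",
                           "Aa123456", "P@ssw0rd", "letmein", "sunshine"})
# Assumption: these webmail domains are consumer; any other domain counts as business.
CONSUMER_DOMAINS = frozenset({"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"})

def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()

def fingerprint(email: str, password: str) -> str:
    """Index prior breaches by SHA-256 of the normalized pair so no plaintext is retained."""
    return hashlib.sha256(f"{email.strip().lower()}\0{password}".encode()).hexdigest()

def build_index(prior_records):
    """Set of fingerprints for every (email, password) pair seen in earlier breaches."""
    return {fingerprint(e, p) for e, p in prior_records}

def analyze(new_records, prior_index):
    """Reuse rate across breaches, top-20 hit rate for business addresses, hits per domain."""
    total = reused = biz = biz_weak = 0
    weak_by_domain = Counter()
    for email, pw in new_records:
        total += 1
        if fingerprint(email, pw) in prior_index:
            reused += 1
        if domain_of(email) not in CONSUMER_DOMAINS:
            biz += 1
            if pw in TOP_PASSWORDS:
                biz_weak += 1
                weak_by_domain[domain_of(email)] += 1
    return {"reuse_rate": reused / total if total else 0.0,
            "business_top20_rate": biz_weak / biz if biz else 0.0,
            "weak_by_domain": dict(weak_by_domain)}

# Constructed sample data, not from any real breach.
PRIOR_BREACH = [("alice@corp.example", "sunshine"), ("bob@gmail.com", "hunter2"),
                ("carol@corp.example", "Winter2023!")]
NEW_LEAK = [("alice@corp.example", "sunshine"),     # same pair as before: reused and weak
            ("bob@gmail.com", "hunter2"),           # reused, consumer domain
            ("carol@corp.example", "Spring2024!"),  # rotated since the prior breach
            ("dave@corp.example", "123456"),        # new exposure, top-20 password
            ("eve@yahoo.com", "iloveyou")]          # weak, but consumer domain

if __name__ == "__main__":
    print(analyze(NEW_LEAK, build_index(PRIOR_BREACH)))
```

Feeding a real exposure feed through `analyze` against an index of earlier dumps yields the per-domain list of accounts that need forced rotation, without the index ever holding plaintext passwords.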
Notable Named Breaches
We tracked 73 named incidents in Q4. Six stand out for their size, novelty, or sector impact. Organization names below are referenced using generic descriptors to avoid pre-disclosure identification where investigations are ongoing.
- Midwest hospital network, 41 million patient records, initial access via compromised radiology vendor
- European insurance aggregator, 28 million policyholders, misconfigured data warehouse exposed to the public internet for 71 days
- North American pharmacy benefits manager, 19 million prescription histories, compromised through a subcontractor VPN account
- Global loyalty-program operator, 54 million member accounts, credential-stuffing enabled by reused passwords from prior breaches
- Southeast Asian fintech super-app, 33 million KYC document bundles, exfiltration via an unauthenticated internal API
- Point-of-sale managed service provider, indirect exposure of 1,200 merchants, initial access via a single infostealer-infected administrator workstation
Each of these illustrates the broader breach attribution challenge. In four of the six, the initial intrusion vector was not the victim organization itself but a third party holding privileged access.
Geographic Distribution
The 2.1 billion Q4 records mapped to end users across every inhabited continent. North America accounted for 38 percent, Europe 27 percent, Asia-Pacific 24 percent, Latin America 7 percent, and Africa and the Middle East 4 percent combined. The geographic breakdown closely mirrors internet user distribution, but threat actor activity shows notable regional concentrations.
- Russian-language forums continued to host the largest share of underground breach commerce, approximately 44 percent by volume
- Telegram-based channels hosted 31 percent, a significant jump from Q3 as forum operators hedge against takedowns
- English-language breach forums accounted for 18 percent
- Chinese-language markets held 7 percent
Threat Actor Activity and Attribution
Breach attribution in Q4 skewed heavily toward financially motivated actors. Ransomware affiliates associated with at least 14 distinct brand names posted to leak sites, with three brands accounting for 48 percent of all published victims. Initial access brokers remain the connective tissue of this economy. We observed IAB listings for 1,090 corporate networks in Q4, priced between 400 and 45,000 US dollars depending on revenue and access level.
State-aligned activity accounted for an estimated 4 to 6 percent of tracked breaches. That share is deliberately conservative because attribution confidence for state activity is harder to establish from public telemetry alone.
Recommendations
Based on the credential leaks, sector analysis, and breach volume trends documented above, we offer the following prioritized recommendations for defenders heading into Q1 2025.
- Treat third-party access as the primary breach vector. Inventory every vendor with privileged access and enforce just-in-time elevation
- Monitor for stealer log exposure continuously. Forty-one percent of new credentials came from stealer logs, not database dumps
- Force rotation of any credential that appears in our corpus, regardless of whether the exposure was recent
- Audit SaaS tenant session token lifetimes. Most SaaS exposures in Q4 were session-based, not password-based
- Map your supply chain for healthcare and financial data processors, the two highest-risk sectors this quarter
Customers tracking exposure across multiple entities can consolidate monitoring under a single workspace. See our pricing page for multi-tenant and enterprise tiers.
Conclusion
Q4 2024 confirmed trends we flagged earlier in the year and introduced two new ones worth watching. The shift toward stealer logs as the dominant credential source, and the rise of third-party compromise as the primary initial access vector, both complicate traditional breach analysis. Defenders who still build their monitoring programs around named database dumps are already behind.
Twelve billion cumulative records is a number that stops being useful the moment you stop acting on it. The organizations that weathered Q4 without material incident were the ones treating exposure data as an operational feed, not a periodic report.
Want to run this analysis against your own domains and executives? Start a free trial of Revealer.US and get quarterly breach analysis delivered to your inbox.