My accountGet Surfshark
Research
Published:Oct 28, 2025
QUICK LINKS

Cybersecurity|Cybersecurity statistics

From eye color to shoe size: how exposed are we?

From eye color to shoe size: how exposed are we?

Since 2004, a staggering 23.2 billion accounts have been leaked globally, exposing 57.8 billion personal data points.¹ These data points, often linked to users’ email addresses, give malicious actors the tools to build detailed user profiles. This consolidation of information paves the way for account takeovers, identity theft, financial loss, and sophisticated fraud schemes.

In this research, we analyzed data from 160 countries and clarified two key terms:

  • A leaked email address is counted as one leaked account;
  • Each leaked account can contain multiple data points, which are individual pieces of information exposed in a breach. These data points are not limited to common identifiers like email addresses or passwords. They can also include physical attributes such as eye color, height, and weight.

Across the 160 countries, nearly 17 billion accounts were leaked, with each account, on average, compromised along with 2.8 data points. In 2025 over 215 million accounts have been leaked so far, with the second quarter experiencing the highest number of leaks. This figure is almost double the nearly 50 million leaks recorded in the first quarter. The third quarter alone accounted for a third of all leaked accounts this year.¹

The anatomy of a leak: data categories

We grouped the 100 different types of leaked data points into nine distinct categories. Analysis reveals that three of these categories form the core of most data leaks.

  • Password (30.4% of all leaks): this most frequently exposed category includes passwords,password hints, security questions, and their answers.
  • Personal information (28.8% of all leaks): the second most common category contains highly sensitive data such as full names, Social Security numbers, phone numbers, dates of birth, and identification document numbers.
  • Location (22.9% of all leaks): the third largest category includes physical addresses, zip/postal codes, timezones, and IP-address-based locations.

Beyond these top three categories, hackers also gain access to a wide array of other information. This includes social media data (e.g., profile links), financial details (e.g., credit card and bank account numbers), and even physical features (e.g., eye color, height).

While awareness of password leaks is common, the exposure of unchangeable traits like eye color is often overlooked. Additionally, data on vehicles (e.g., driver's license IDs, license plates) and education (e.g., universities attended) are compromised, highlighting the extensive reach of data leaks.

A geographical hotspot: the United States

Data leaks are a global issue, but the US stands out as the country where building a comprehensive digital profile of an individual is the easiest. Since 2004, almost 4.5 billion user emails have been leaked in the US, linked to 19 billion individual data points. In the first three quarters of 2025, the US has continued to lead, with nearly 90 million compromised accounts. This makes up 41% of all leaked accounts across the 160 countries analyzed.¹

The US is the only country to rank in the top five for all nine data point categories. It holds the number one spot for five of these categories: personal information, finance, location, social media, and other.

The chart below illustrates how other countries compare in their rankings across these nine data categories:

Notably, Australia ranks in the top 10 in seven categories. It holds the third position in personal information and physical features, sixth in finance, location, and social media, seventh in the other category, and ninth in password.

Leading countries in the remaining categories include Russia in password leaks, Serbia in education, Israel in physical features, and Lithuania in vehicle data. However, none of these countries shows the same breadth of exposure as the US. This dominance likely reflects the US's large, highly digitized population and its role as the headquarters for many of the world's largest tech companies, making its citizens a high-value and frequently targeted group.

Drilling down: the most compromised data points

A closer examination of the specific data points leaked across the 160 analyzed countries reveals which types of information are most at risk. The password category accounts for 30% of leaks, with the actual password field being the most frequently exposed single data point. This data point alone has been leaked 10.4 billion times, accounting for nearly a quarter (23%) of all data points.

Usernames rank second, with 3.3 billion records leaked, accounting for 7.4% of the total. Other subcategories among the top 20 most leaked include full name, phone number, IP address, address, and date of birth.

The scale of this exposure is immense. Passwords, being the most leaked data point, account for over 10 billion records leaked online, exceeding the entire global population. Even location data, which ranks 19th on the list, has seen 458 million records leaked worldwide. To put this into perspective, this is equivalent to every person in the European Union having their location leaked.

When analyzing the most leaked data types by country, the US stands out again by ranking in the top three for 18 of the 20 most leaked data types. These include first name, last name, full name, phone, address, and location.

While many people primarily worry about leaked login details, this deeper analysis shows that in the US, hackers often possess more extensive knowledge of Americans' physical-world identities (their names, addresses, and phone numbers) than their digital ones.

More than just usernames and passwords

While login credentials and contact details are the most commonly compromised in data leaks, the scope of exposed information often extends to highly personal, physical attributes of an individual’s life. Although these data categories are less frequently leaked, they are crucial in augmenting a digital profile with real-world characteristics, making the concept of "digital doppelgänger" chillingly plausible.

For example, the Physical Features category may account for just 0.06% of all leaked data points, but this seemingly small fraction translates to 28.8 million individual pieces of information. To put that into perspective, it’s nearly equivalent to the entire population of Australia having their physical traits leaked online. This category includes height, weight, shoe size, eye color, and hair color.

Israel leads the world in the exposure of physical features data, followed by France, Australia, and the US. The leaks are so detailed that we can identify which countries lead in particular attributes:

  • Israel has the most leaks related to height;
  • France leads in exposed data on eye color, hair color, and weight;
  • The US ranks first for leaked shoe size data.

While you can change your password or username, changing identifying features such as height or eye color is not feasible. This information adds a disturbing layer of physical reality to a digital identity, equipping fraudsters with details that can make impersonation attempts far more convincing.

Similarly, the vehicle category links a person's digital identity to a significant real-world asset. While the US ranks second for this category, Lithuania holds the number one position. This position may seem surprising given Lithuania's small population. However, when the data is adjusted for population size, the prevalence of these leaks becomes evident. Lithuania experiences 50.5 vehicle-related data point leaks per 1,000 people, significantly higher than the US rate of 35.4. This indicates that Lithuanian citizens are disproportionately affected by this leak type. Lithuania leads the world in leaks of license plates, driver license IDs, and vehicle models.

This information creates opportunities for online fraud and real-world crimes, such as vehicle tracking, license plate cloning, and targeted theft. These seemingly niche categories collectively demonstrate that data leaks concern not just where you log into but who you are and what you own in the physical world.

Conclusion: the era of the digital doppelgänger

The data paints a clear picture: billions of people have had their personal information scattered across the internet. This data’s sheer volume and variety of this data mean that isolated incidents are no longer the primary threat. Instead, the risk comes from the aggregation of this information.

This issue extends beyond a compromised password for a single website. With access to everything from your first name to your shoe size, hackers have the building blocks to construct detailed "digital doppelgänger" for millions of individuals. This turns exposed lives into unprecedented opportunities for highly personalized fraud, theft, and exploitation.

Methodology

Data for this study were collected in partnership with independent cybersecurity researchers. We selected countries with populations over one million, totaling 160. Since 2004, the dataset has included 23.2 billion accounts and exposed 57.8 billion data types. After filtering the dataset to focus on these 160 countries, we obtained 46.8 billion data types. After further classifying the data types into categories, we analyzed 44.4 billion leaked data types in this study.

Data point categories:

  • Personal information (full name, first name, middle name, last name, social security number, gender, phone, phone (partial), date of birth, nationality, age, identification document number);
  • Password (password, password hash, salt, encrypted password, password b64, security answer, security question, password hint);
  • Education (education, university, faculty, school);
  • Finance (credit card number, credit card expiration date, credit card security code, VAT number, bank account number, bank name, PayPal, currency, affiliate code, credit rating, income, salary, bitcoin address, ethereum address);
  • Location (locale, location, state, city, address, zip code, longitude, latitude, timezone, country);
  • Social media (Facebook, Facebook page, LinkedIn, GitHub, YouTube, homepage, Instagram, follower count, Twitter, Stack Overflow, Discord, MSN, IM, Yahoo, other social media, Telegram, AIM, VKontakte, Skype, LCQ);
  • Physical characteristics data (height, weight, shoe size, eye color, hair color);
  • Vehicle data (Driver license ID, license plate, vehicle identification number, vehicle manufacturer, vehicle model, vehicle color, vehicle manufacture date);
  • Other (username, IP address, parent email address, company's name, employer, language, profession, bio, profile picture, IMEI, IMSI, API key, device type, device hardware ID).
For complete research material behind this study, visit here.

References:

¹ Surfshark (2025). Global data breach statistics.
A digital doppelganger is a virtual representation or replica of a person created using technology. These can be generated through artificial intelligence (AI), machine learning, and data analytics to mimic a person's appearance, behavior, or characteristics. Digital doppelgangers are used in various fields, including virtual reality, personalized marketing, healthcare, and entertainment. However, their creation and use raise ethical concerns regarding privacy, consent, and potential identity theft or other misuse.
When aggregating data, several risks come into play. Privacy is a significant concern, as combining datasets can inadvertently expose personal information if not anonymized. Security is another issue, with large datasets being attractive targets for cyberattacks. Errors in data collection can lead to inaccurate insights, and aggregation might strip away important context, resulting in oversimplified conclusions.
The most leaked data points globally include passwords, usernames, hashed passwords, first names, phone numbers, last names, country, full names, city, and IP addresses.
Leaked data can lead to identity theft by providing cybercriminals with personal information such as names, addresses, Social Security numbers, and birthdates. With this information, they can impersonate individuals to commit fraudulent activities, such as opening new accounts, applying for loans, or accessing medical services in the victim's name.
The team behind this research:About us

Related articles:

Global Data Breach Map: billions breached and counting
Cybersecurity statistics | Oct 14, 2025

Global Data Breach Map: billions breached and counting

This interactive data breach map tracks the latest statistics on personal data leaks by country since 2004.
In the US, 41% worry about online privacy but still use data-hungry apps
Cybersecurity statistics | May 19, 2025

In the US, 41% worry about online privacy but still use data-hungry apps

According to Surfshark’s survey results and data analysis, 41% of people in the US are very concerned about their online privacy, but despite that, they use data-hungry phone apps.
Deepfake statistics in early 2025: how frequently are famous people targeted?
Cybersecurity statistics | Apr 14, 2025

Deepfake statistics in early 2025: how frequently are famous people targeted?

According to Surfshark's analysis, 179 deepfake incidents were reported in the first quarter of 2025, marking a 19% rise compared to the total number of incidents recorded in 2024.