42% of the world's top 1,000 most visited websites do not enforce any minimum password length requirements.

Only 1%, or five websites, among the top 1,000 most visited websites met all best-practice password criteria.

58% of the world's top 1,000 most visited websites do not require special characters for their passwords.

When asked which egress channels for the outflow of sensitive data does your organization worry most about, 55% said personal webmail.

Across 449 dark web victim listings where details were available, the average data volume exfiltrated was 527.65GB in Q3 2025.

80 groups published victims on dark web leak sites in Q3 2025.

Server-side injection (Web/API): 4.2% in the financial services industry (versus 5.3% average in other industries).

Cross-site scripting (Web/API): 5.0% in the financial services industry (versus 9.7% average in other industries).

Malicious web browser downloads made up 23% of threats in Q2 2025, with no change compared to Q1 2025.

Analysis of over three million dark web posts shows stolen credentials far outpace credit card theft.

In one analysis, energy had 18% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, media had 21% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, hospitality had 15% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, transport had 12% of vulnerable assets across cloud, APIs, and web applications.

Top 5 industries by web‑app vulnerability: Education: 35.3%, Retail: 30.9%, Government: 30.4%, Professional Services: 30.1%, Media: 25.7%.

In one analysis, the government sector had 30.4% vulnerable web applications.

In one analysis, retail had 27% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, the services sector had 30.1% vulnerable web applications.

In one analysis, the media sector had 25.7% vulnerable web applications.

19.6% of all analyzed web apps are vulnerable.