Identity Theft Statistics 2026: The Numbers the Industry Doesn't Advertise

Every year, identity fraud statistics get cited by security companies selling monitoring subscriptions. The numbers are real — but the connection to data brokers, the actual source of most personal data used in fraud, rarely makes the headline.

These are the 2026 numbers, where they come from, and what they actually tell you about reducing your exposure.

The headline numbers

15.4 million Americans were victims of identity fraud in 2025, according to Javelin Strategy & Research's 2026 Identity Fraud Study — a 13% increase from 2024 and the highest figure since Javelin began tracking in 2003.

The Federal Trade Commission received 1.4 million reports of identity theft in 2025 — roughly one new victim every 22 seconds. (The Javelin figure of 15.4 million is larger because it estimates total incidents including unreported cases; the FTC figure counts only reports submitted to identitytheft.gov.)

Total consumer losses from identity fraud reached $23.7 billion in 2025, up from $20 billion in 2024. The average victim spent 7 hours resolving a single incident and paid $1,551 out of pocket.

How fraud actually starts

The fraud pipeline has three stages: data acquisition, profile assembly, and exploitation.

Stage 1: Data acquisition. Fraudsters collect personal data from two sources — breached databases bought on dark web markets, and data brokers openly aggregated on people-search sites. The dark web portion gets press coverage. The data broker portion is what makes fraud operationally work.

Stage 2: Profile assembly. A breach gives a fraudster an email and hashed password. A people-search site gives them the current address, employer, phone number, relatives' names, and birthdate. Cross-referencing a breach record with a Spokeo profile turns a partial dataset into a complete identity dossier in under 60 seconds.

Stage 3: Exploitation. Armed with a full profile, fraudsters open credit lines, file tax returns, submit unemployment claims, or take over existing accounts using "security questions" that are now public knowledge.

This is why data broker opt-outs reduce fraud risk: they eliminate Stage 2 by making complete profile assembly harder.

By fraud type

According to the FTC's 2025 Consumer Sentinel Report:

• Credit card fraud: 416,000 reports (30% of all identity theft reports)
• Government benefits fraud: 280,000 reports (Social Security, unemployment, Medicare)
• Loan or lease fraud: 181,000 reports
• Bank fraud: 153,000 reports
• Tax fraud: 94,000 reports
• Utility fraud: 89,000 reports

Government benefits fraud surged 39% year-over-year, driven largely by synthetic identity fraud — fraudsters combining real Social Security numbers with fabricated names and addresses sourced from data broker databases.

The age breakdown

Identity theft is not concentrated among the elderly. The FTC's 2025 data:

• 18-29: 21% of victims (highest rate per capita)
• 30-39: 23% of victims
• 40-49: 20% of victims
• 50-59: 18% of victims
• 60+: 18% of victims (highest average loss per incident at $1,890)

Geographic concentration

Top five states for identity theft per 100,000 residents (FTC 2025):

1. Florida — 611 reports per 100,000
2. Georgia — 534 reports per 100,000
3. Nevada — 521 reports per 100,000
4. Texas — 498 reports per 100,000
5. California — 487 reports per 100,000

The data breach pipeline

The Identity Theft Resource Center (ITRC) tracked 3,205 publicly disclosed data breaches in 2025, exposing an estimated 1.7 billion individual records. According to the ITRC's 2025 Annual Data Breach Report, breach data typically remains active in fraud marketplaces for 18-24 months before becoming too outdated to use reliably.

The largest 2025 breaches by records exposed:

• National Public Data: 2.9 billion records (names, SSNs, addresses — the largest breach ever recorded)
• Change Healthcare: 190 million medical records
• AT&T: 73 million customer records
• Ticketmaster: 560 million records

The National Public Data breach is particularly instructive: the company that was breached *was itself a data broker*. It scraped and sold personal data, then failed to secure it — millions of people had no prior relationship with the company and no way to know they were exposed.

Why credit monitoring is not enough

Credit monitoring detects fraud after a new account is opened in your name. The average delay between fraud occurring and a consumer discovering it via a credit alert is 3-4 months (Javelin 2026). By then the credit line is spent, the tax refund claimed, or the account sold.

A 2024 Consumer Reports investigation into data broker opt-outs found participants reported a 76% average reduction in unsolicited calls, emails, and physical mail within 90 days of completing a full removal pass — a proxy for reduced fraud-targeting exposure.

The data broker angle that doesn't make the headlines

Approximately 400 companies currently operate as data brokers in the United States. Eleven states have registries requiring brokers to self-register: California (566 registered brokers), Vermont (278), Texas, Oregon, Montana, Colorado, Connecticut, Delaware, New Jersey, and Florida.

Data brokers sell profile access via subscription APIs at $0.01-$0.10 per lookup. For a fraudster, a $100 subscription grants essentially unlimited profile queries — the same subscription a legitimate marketing company buys.

Opting out of data brokers doesn't guarantee permanent removal — brokers re-acquire from public records every 3-6 months — but it does force fraudsters to rely on breach data alone, which is often outdated and incomplete.

The right response, in order

• Remove yourself from data broker databases. Target people-search sites first: Whitepages, Spokeo, BeenVerified, TruthFinder, Radaris, MyLife. Browse the full data broker directory or use OfflistMe to cover 300+ brokers in a single pass.
• Place a security freeze at all three credit bureaus plus ChexSystems. Free under federal law. See our credit freeze guide.
• Enable two-factor authentication using an authenticator app — not SMS.
• Check Have I Been Pwned (haveibeenpwned.com) and set up breach alerts.

Frequently Asked Questions

How common is identity theft in 2025?

The FTC received 1.4 million identity theft reports in 2025. Javelin's research estimates 15.4 million American victims including unreported cases — roughly 1 in 22 adults.

What is the most common type of identity theft?

Credit card fraud is the largest single category at 30% of FTC identity theft reports. Government benefits fraud is the fastest-growing, up 39% year-over-year in 2025.

How long does it take to resolve identity theft?

The FTC estimates victims spend an average of 7 hours resolving identity theft. Complex cases can take over 200 hours and more than a year to fully resolve.

Do data breaches cause identity theft?

Data breaches provide raw material but data brokers provide the profile enrichment that makes fraud operationally viable. Opting out of data brokers reduces risk even after a breach has already occurred.

Is credit monitoring enough to prevent identity theft?

No. Credit monitoring detects new account openings after the fact, with a 3-4 month lag. A security freeze prevents new accounts from being opened at all.

Start your data broker opt-out → | Read: What to Do After a Data Breach → | Compare data removal services →