Identity Theft Statistics 2026: The Numbers the Industry Doesn't Advertise
15.4 million identity fraud victims in 2025. The 2026 numbers, plus the data broker connection most guides never cover.
Every year, identity fraud statistics get cited by security companies selling monitoring subscriptions. The numbers are real, but the connection to data brokers, the actual source of most personal data used in fraud, rarely makes the headline.
These are the 2026 numbers, where they come from, and what they actually tell you about reducing your exposure.
Key Takeaways
- 15.4 million Americans were victims of identity fraud in 2025 — roughly 1 in 22 adults — with total losses reaching $23.7 billion, up from $20 billion in 2024.
- Government benefits fraud surged 39% year-over-year, driven largely by synthetic identity fraud using real SSNs combined with addresses sourced from data broker databases.
- The National Public Data breach exposed 2.9 billion records — the largest breach ever recorded — and the breached company was itself a data broker that scraped and sold personal data.
- Credit monitoring detects fraud 3–4 months after the fact; a credit freeze prevents new accounts from being opened at all and is free under federal law.
- Data broker opt-outs reduce fraud risk by eliminating profile augmentation — the step where fraudsters enrich breach data with current addresses and relatives' names from people-search sites.
The headline numbers
15.4 million Americans were victims of identity fraud in 2025, according to Javelin Strategy & Research's 2026 Identity Fraud Study, a 13% increase from 2024 and the highest figure since Javelin began tracking in 2003.
The Federal Trade Commission received 1.4 million reports of identity theft in 2025, roughly one new victim every 22 seconds. (The Javelin figure of 15.4 million is larger because it estimates total incidents including unreported cases; the FTC figure counts only reports submitted to identitytheft.gov.)
Total consumer losses from identity fraud reached $23.7 billion in 2025, up from $20 billion in 2024. The average victim spent 7 hours resolving a single incident and paid $1,551 out of pocket.
How fraud actually starts
The fraud pipeline has three stages: data acquisition, profile assembly, and exploitation.
Stage 1: Data acquisition. Fraudsters collect personal data from two sources, breached databases bought on dark web markets, and data brokers openly aggregated on people-search sites. The dark web portion gets press coverage. The data broker portion is what makes fraud operationally work.
Stage 2: Profile assembly. A breach gives a fraudster an email and hashed password. A people-search site gives them the current address, employer, phone number, relatives' names, and birthdate. Cross-referencing a breach record with a Spokeo profile turns a partial dataset into a complete identity dossier in under 60 seconds.
Stage 3: Exploitation. Armed with a full profile, fraudsters open credit lines, file tax returns, submit unemployment claims, or take over existing accounts using "security questions" that are now public knowledge.
This is why data broker opt-outs reduce fraud risk: they eliminate Stage 2 by making complete profile assembly harder.
By fraud type
According to the FTC's 2025 Consumer Sentinel Report:
- Credit card fraud: 416,000 reports (30% of all identity theft reports)
- Government benefits fraud: 280,000 reports (Social Security, unemployment, Medicare)
- Loan or lease fraud: 181,000 reports
- Bank fraud: 153,000 reports
- Tax fraud: 94,000 reports
- Utility fraud: 89,000 reports
Government benefits fraud surged 39% year-over-year, driven largely by synthetic identity fraud, fraudsters combining real Social Security numbers with fabricated names and addresses sourced from data broker databases.
The age breakdown
Identity theft is not concentrated among the elderly. The FTC's 2025 data:
- 18-29: 21% of victims (highest rate per capita)
- 30-39: 23% of victims
- 40-49: 20% of victims
- 50-59: 18% of victims
- 60+: 18% of victims (highest average loss per incident at $1,890)
Geographic concentration
Top five states for identity theft per 100,000 residents (FTC 2025):
- Florida, 611 reports per 100,000
- Georgia, 534 reports per 100,000
- Nevada, 521 reports per 100,000
- Texas, 498 reports per 100,000
- California, 487 reports per 100,000
The data breach pipeline
The Identity Theft Resource Center (ITRC) tracked 3,205 publicly disclosed data breaches in 2025, exposing an estimated 1.7 billion individual records. According to the ITRC's 2025 Annual Data Breach Report, breach data typically remains active in fraud marketplaces for 18-24 months before becoming too outdated to use reliably.
The largest 2025 breaches by records exposed:
- National Public Data: 2.9 billion records (names, SSNs, addresses, the largest breach ever recorded)
- Change Healthcare: 190 million medical records
- AT&T: 73 million customer records
- Ticketmaster: 560 million records
The National Public Data breach is particularly instructive: the company that was breached *was itself a data broker*. It scraped and sold personal data, then failed to secure it, millions of people had no prior relationship with the company and no way to know they were exposed.
Why credit monitoring is not enough
Credit monitoring detects fraud after a new account is opened in your name. The average delay between fraud occurring and a consumer discovering it via a credit alert is 3-4 months (Javelin 2026). By then the credit line is spent, the tax refund claimed, or the account sold.
A 2024 Consumer Reports investigation into data broker opt-outs found participants reported a 76% average reduction in unsolicited calls, emails, and physical mail within 90 days of completing a full removal pass, a proxy for reduced fraud-targeting exposure.
The data broker angle that doesn't make the headlines
Approximately 400 companies currently operate as data brokers in the United States. Eleven states have registries requiring brokers to self-register: California (566 registered brokers), Vermont (278), Texas, Oregon, Montana, Colorado, Connecticut, Delaware, New Jersey, and Florida.
Data brokers sell profile access via subscription APIs at $0.01-$0.10 per lookup. For a fraudster, a $100 subscription grants essentially unlimited profile queries, the same subscription a legitimate marketing company buys.
Opting out of data brokers doesn't guarantee permanent removal, brokers re-acquire from public records every 3-6 months, but it does force fraudsters to rely on breach data alone, which is often outdated and incomplete.
The right response, in order
- Remove yourself from data broker databases. Target people-search sites first: Whitepages, Spokeo, BeenVerified, TruthFinder, Radaris, MyLife. Browse the full data broker directory or use OfflistMe to cover 500+ brokers in a single pass.
- Place a security freeze at all three credit bureaus plus ChexSystems. Free under federal law. See our credit freeze guide.
- Enable two-factor authentication using an authenticator app, not SMS.
- Check Have I Been Pwned (haveibeenpwned.com) and set up breach alerts.
Frequently Asked Questions
How common is identity theft in 2025?
The FTC received 1.4 million identity theft reports in 2025. Javelin's research estimates 15.4 million American victims including unreported cases, roughly 1 in 22 adults.
What is the most common type of identity theft?
Credit card fraud is the largest single category at 30% of FTC identity theft reports. Government benefits fraud is the fastest-growing, up 39% year-over-year in 2025.
How long does it take to resolve identity theft?
The FTC estimates victims spend an average of 7 hours resolving identity theft. Complex cases can take over 200 hours and more than a year to fully resolve.
Do data breaches cause identity theft?
Data breaches provide raw material but data brokers provide the profile enrichment that makes fraud operationally viable. Opting out of data brokers reduces risk even after a breach has already occurred.
Is credit monitoring enough to prevent identity theft?
No. Credit monitoring detects new account openings after the fact, with a 3-4 month lag. A security freeze prevents new accounts from being opened at all.
What the Numbers Mean for Your Personal Risk
The aggregate statistics, 15.4 million victims, $23.7 billion in losses, are important context, but they obscure the more useful question: what does your personal lifetime risk of identity theft actually look like?
With approximately 15.4 million Americans affected in a single year out of a total adult population of roughly 260 million, the per-year victimization rate is approximately 1 in 17 adults. Over a 30-year period (roughly a working adult's exposure window), the probability of experiencing at least one identity theft incident, assuming a constant annual rate, exceeds 80%. Identity theft is not a rare event that happens to unlucky people. It is a near-universal lifetime risk that most people experience at least once.
The risk, however, is not distributed evenly across age groups.
Young adults (25–34) face the highest rate of account takeover fraud. This age group is heavily active on financial apps, has recently established credit (creating more accounts to attack), and is more likely to reuse passwords across services. Javelin's 2026 data shows 25–34 year olds experience account takeover at nearly twice the rate of any other age group.
Seniors (60+) experience the highest average financial loss per incident, $1,890 on average, compared to $890 for the 18–29 age group. Seniors are more likely to be targeted for government benefits fraud and investment fraud, both of which involve larger sums and longer timelines before discovery. The 3–4 month average detection lag is most costly for this group.
Middle-income earners (30–49) are the most targeted overall by traditional credit card and loan fraud, driven by their established credit profiles and active financial account usage.
The Data Broker Connection in Identity Theft Cases
The role of data brokers in enabling identity theft receives significantly less attention than data breaches, but FTC data and independent research point to a direct and documented connection.
A Federal Trade Commission analysis of identity theft reports found that a meaningful percentage of victims whose cases involved address fraud and government benefits fraud had publicly accessible profiles on people-search sites that contained enough information to construct a complete identity dossier, current address, employer, relatives' names, and date of birth, without requiring any breach data. The data broker profile alone, freely accessible to anyone with internet access, provided the raw material for the fraud.
The specific mechanism is what fraud researchers call "profile augmentation": a fraudster starts with a partial dataset (an email address from a breach, or just a name), then uses people-search sites to fill in the gaps. Spokeo, BeenVerified, and Intelius can convert a name and approximate age into a current address, associated phone numbers, and family member names in under 60 seconds. That enriched profile then enables security question bypassing, address verification for new account openings, and synthetic identity construction.
Consumer Reports found in its 2024 data broker opt-out study that participants reported a 76% average reduction in unsolicited contact (calls, texts, and physical mail) within 90 days of completing a full removal pass. While this metric measures marketing contact rather than fraud directly, the reduction in unsolicited contact is a proxy for reduced profile accessibility, the same profiles that marketers use are the ones that fraudsters use.
Opting out of data brokers does not eliminate identity theft risk, particularly for people whose data has already appeared in major breach databases like the 2024 National Public Data breach (2.9 billion records). But it does force any would-be fraudster to rely on breach data alone, data that is often outdated and incomplete, rather than combining breach data with real-time people-search profile information. Removing data broker profiles raises the cost and complexity of identity theft targeting by eliminating the easiest enrichment step.
The Breach Catalyst: How National Public Data, Gravy Analytics, and Snowflake Fueled Fraud
The surge in identity theft between 2024 and 2026 is directly linked to a series of massive database breaches. These incidents exposed huge, overlapping sets of personal details, making it much easier for criminals to bypass security verification.
The most severe was the late-2024 breach of National Public Data (NPD), a background check broker run by Jerico Pictures. The leak exposed 2.9 billion records, including names, addresses, phone numbers, and Social Security Numbers (SSNs) stretching back decades. Because NPD scraped this data from public records without consumer consent, victims had no accounts to lock down or passwords to change. Having this data available on dark web forums gave scammers a permanent directory of SSNs matched with historical addresses, which they now use to create fake identities and submit fraudulent government benefit claims.
Another major leak occurred in 2025 when a misconfigured Amazon Web Services (AWS) bucket exposed location logs from Gravy Analytics. This database linked anonymous mobile advertising IDs to physical addresses, showing where millions of devices traveled daily.
At the same time, hackers targeted over 100 corporate clients of the Snowflake cloud platform—including AT&T, Santander, and Ticketmaster—using stolen employee credentials. They bypassed accounts that lacked multi-factor authentication, stealing terabytes of call logs, purchase histories, and customer interactions. When scammers combine these corporate logs with location files and the NPD database, they can run automated cross-referencing checks. This helps them build detailed profiles to trick bank representatives, bypass security questions, and execute highly targeted account takeovers. To defend against this, you should freeze your credit files at Equifax, Experian, TransUnion, and ChexSystems. A credit freeze blocks creditors from checking your report, stopping scammers from opening new accounts even if they have your SSN and address. It is free, simple to set up online, and far more effective than paid monitoring services that only alert you after fraud has occurred.
Start your data broker opt-out → | Read: What to Do After a Data Breach → | Compare data removal services →
Related Guides
Understand your privacy rights
Every removal request cites a specific statute. These plain-English explainers show what each law covers and how enforcement actually works.
Related Data Broker Removal Guides
Take back your privacy today
Remove your personal information from data brokers and platforms in seconds.
Remove Your Personal Data NowFrom $7.00 one-time · 546 data brokers · No subscription
