Publicly exposed employee data available through commercial data brokers and people-search sites has become the most significant source of attacker intelligence used in targeted social engineering attacks, ahead of social media and the dark web.

A new survey of 421 cybersecurity leaders at large enterprises report that attackers are using this readily available information to identify and impersonate employees – with IT and identity teams now targeted far more often than executives.

The findings come from Optery’s 2026 Enterprise Social Engineering Survey Report, “The Data Behind the Deception”, published this month.

The report sets out documented examples of threat actors – such as the Black Basta ransomware group – using commercial data brokers for reconnaissance.

In 2022, the 0ktapus campaign hit more than 130 organisations and stole nearly 10,000 credentials after attackers harvested employees’ mobile numbers from data aggregation services and used them for SMS phishing.

More recently, leaked chat logs from the Black Basta ransomware group, made public in February 2025, showed members using data broker sites to identify employees at target organisations.

Survey respondents – cybersecurity leaders predominantly at director, VP and executive levels – rated data broker and people-search sites as a significant source of attacker intelligence in 97.6% of cases, compared with 90.5% for social and professional platforms and 89.3% for dark web and breach data.

IT and identity and access management (IAM) personnel were reported as targeted by 80.5% of organisations, compared with 42.3% for executives. HR (44.7%), finance (43.9%) and help desk staff (33%) were also frequently targeted. This points to deliberate targeting of staff with operational and privileged access to validate identities and authorise payments, not just senior figures.

Nearly three-quarters of respondents (74.6%) reported that their organisations experienced credential compromise resulting from targeted social engineering, with 77.9% reporting confirmed or suspected compromise. Almost all respondents (96%) said they had seen an increase in targeted social engineering attempts in the past year.

Only 3.6% of cybersecurity leaders said their employees’ personal data is not exposed online. More than three-quarters (77.4%) said it is very or somewhat exposed across data brokers and people-search sites.

In response, enterprises are focusing on reducing publicly exposed employee data on third-party sites. The report finds that 59.9% of organisations already use exposed data reduction as a defence, making it the most widely adopted measure, and 33.7% identify it as their largest investment priority. 82.2% plan to expand personal data removal coverage across their workforce over the next 12 months.

“Data broker exposure is not a theoretical risk for organisations,” said Lawrence Gentilello, CEO and founder of Optery. “Leaked ransomware group communications, incident investigations, and government advisories have all shown threat actors using data brokers to identify employees, map organisations, and support targeted social engineering. This report shows that enterprise security leaders are recognizing the same pattern and responding by reducing the employee data attackers use to launch these attacks.”