Swiss privacy firm Proton AG has unveiled its new “Data Breach Observatory”, a live-monitoring platform designed to track organisations’ data leaks by scanning hacker forums and underground marketplaces on the dark web. According to the company, the tool has already identified 794 unique breach incidents in 2025 alone, exposing over 300 million records linked to identifiable companies. If broader data compilations are included, the number of incidents rises to 1,571, with “hundreds of billions” of records involved.
The observatory highlights a striking pattern: companies with fewer than 250 employees are bearing the brunt of cyber-incursions, accounting for approximately 70.5 per cent of the breaches. By contrast, businesses with more than 1,000 employees represented only 15.9 per cent of incidents. Sector-wise, retail, technology and media/entertainment emerged as the most targeted categories. Stolen data most commonly comprised email addresses, personal names, contact information (such as phone numbers or addresses) and passwords. Sensitive material such as health or government-ID records appeared in 34 per cent of cases.
Proton said the new observatory shifts the industry away from relying solely on self-reporting by compromised firms, which it described as “biased” and incomplete. Instead, the company collaborates with intelligence partner Constella Intelligence, leveraging automated crawlers and dark-web indicators to surface leaks as they begin to circulate online. Proton’s director of engineering, AI & ML, Eamonn Maguire, stated: “Our mission with the Data Breach Observatory is simple, to reveal unseen breaches and to alert affected businesses and organisations as they happen. This is part of Proton’s drive to empower organisations and individuals with the tools to protect themselves.”
The platform is publicly accessible and allows users, both organisations and individuals, to search breach data by category, size of company, country, exposed record count and industry. A key feature is its real-time update capability, meaning that new incidents are posted regardless of whether the target organisation has formally disclosed the breach. Proton emphasises the need for this rapid notification amid a cyber-threat landscape in which many firms choose silence over transparency, fearing reputational damage or regulatory scrutiny.
Analysts view Proton’s initiative as part of a broader pivot in cybersecurity from reactive incident management to proactive threat intelligence. By exposing dark-web leak activity earlier, the observatory may give organisations vital time to lock down systems, alert affected customers and meet regulatory obligations. That said, security professionals caution that such monitoring is only one piece of an effective defence strategy: alerts may still lag sophisticated attacks that remain hidden or encrypted, and reliance on a single intelligence stream can lead to “alert fatigue” or false positives.
The emphasis on small and medium-sized businesses in Proton’s data is notable. Often under-resourced for cybersecurity, these firms may lack robust defences and formal disclosure practices, making them attractive and under-reported targets. On the other hand, larger enterprises—despite higher public visibility—may benefit from mature incident-response capabilities but still face significant exposure if attacked. The observatory’s data may help bridge the visibility gap across company sizes.
In contrast to traditional breach databases that depend on voluntary disclosures, Proton claims the observatory provides a more realistic map of leaked data on the dark web. For example, Proton’s figures suggest that the number of records exposed could be orders of magnitude greater than publicly reported figures imply. Critics of the firm’s approach caution that some dark-web data dumps are unverified or duplicative, and that the public interface may carry legal or regulatory implications for firms named in the tool before they are ready to respond.
For consumers and business users alike, the observatory offers an early-warning function: if their contact information or login credentials appear in the database, they can take action such as enabling multi-factor authentication, changing passwords, or auditing internal access. However, observers emphasise that the observatory does not substitute for primary controls: encryption, access governance, network segmentation and staff training remain central to reducing breach risk.
Proton’s launch of this tool also reflects a growing commercial trend in privacy-tech firms offering breach-intelligence services. The company, already known for end-to-end encrypted email, VPN and password-manager services, is now extending into the live-threat and monitoring domain. Whether this model can sustainably scale and avoid unintended consequences—such as pre-emptive naming of vulnerable organisations or undue alarm among consumers—remains to be seen.

