Swiss privacy company Proton is urging European startups to rethink their cybersecurity approach after new research based on dark-web breach monitoring found that early-stage companies are increasingly targeted by cybercriminals, with significant consequences for innovation, data protection, and business continuity.
The push comes as Proton launches its new initiative, “Build in Private,” aimed at helping startups embed privacy and security into their operations from day one, rather than treating them as an afterthought. The campaign is supported by a new report, “The breaches that broke 2025,” which draws on findings from Proton’s Data Breach Observatory, a dark-web-sourced dataset that tracks cyberattacks and exposed data not otherwise publicly disclosed.
Proton’s observatory documented 794 breaches in 2025 alone, with more than 300 million records exposed through leaks detected by monitoring underground cybercrime forums and marketplaces. These disclosures offer a broader view of the breach landscape than traditional reporting, revealing incidents that many affected firms may not have publicly acknowledged.
Startups Are Not Too Small to Hack
Contrary to the common belief among founders that small teams are unlikely targets, Proton’s research suggests that startups, particularly those in technology sectors such as AI, blockchain, and cybersecurity, face real and growing risk. Weak access controls, shared credentials, and a heavy reliance on cloud and third-party systems were among the recurring patterns identified in breaches.
Proton argues that privacy shouldn’t be viewed as a barrier to innovation but as a critical business enabler, protecting intellectual property, customer data, and investor trust at the earliest and most vulnerable stages of company growth.
Patricia Egger, Proton’s Head of Security, highlighted the tension startups often face between speed and security: “… startups, particularly in their early stages, often tear up the rulebook and move with an agility that established competitors simply cannot match,” she said, noting that “security can be seen as a hindrance to that speed.”
A Wake-Up Call for Founders and Investors
The findings underscore that no business is too small to be breached, and that the traditional threat models startups use to justify delayed security investments are increasingly outdated. With sensitive data, including contact details and credentials, circulating on the dark web, Proton’s research highlights the importance of proactive risk management, secure defaults, and privacy-centric engineering practices.
Proton’s “Build in Private” initiative and accompanying report aim to provide actionable guidance for startups looking to bolster their cybersecurity posture in 2026. The full report provides deeper insights into real-world cases from 2025, along with recommendations on how early-stage companies can implement privacy-first approaches to avoid common pitfalls.




