You’ve Been Pwned: What Happens After a Data Breach

If you have ever received a message saying your password was found in a data breach, you might have just brushed it off. “So what?” you might think. After all, what could someone really do with your old login details?

The truth is – it can lead to a lot more trouble than you might initially think.

What is a Data Breach?

A data breach happens when information that was supposed to be private is exposed. This usually results from hacking, poor security, and/or human error.

The exposed data is usually sensitive (or I guess, what would be the point of stealing it?). Think your email address, password, full name, phone number, address, credit card/payment details, and medical information.

This kind of data can lead to identity theft, fraud, impersonation and more.

Sometimes the breach is from a big-name company. Other times, it’s a site you signed up for years ago and forgot existed. Either way, once your data’s out there, the exposure can’t be undone, and it spreads fast.

Where Does Leaked Data Go?

Often, the main goal of a ‘hacker’ is to compromise as much personal data as they possibly can. Once they have achieved this, they will likely look to monetise the data somehow, such as sharing and selling it on the dark web, in shady messaging groups and forums (Telegram, Signal), and collecting it into massive data dumps for bots to sort and pick through. There’s a whole underground trade built on this kind of information - hackers buy, sell, and swap it like trading cards or sales leads.

What Can Hackers Do With Your Data?

You might think “What use is just my email and password?” - but cybercriminals can turn even basic information into serious attacks. Here are a few:

  • Credential Stuffing

Most people reuse passwords across multiple sites (even though we absolutely shouldn’t). Hackers take leaked credentials for one site and try them on loads of other sites, for example, your email, your bank, your Netflix, and your Amazon. The hacker quickly finds out you use the same password for everything, and now, thanks to a breach on a completely unrelated site, they are logged into your online bank account.

  • Identity Theft

With enough personal information, criminals can commit identity theft: opening bank accounts and credit cards, and applying for loans in your name. You might not find out until it's far too late and the debt collectors are calling.

  • Targeted Scams

Have you ever had a phishing email that includes your name, job, or an old password, or some other information that a stranger wouldn’t know? That’s breached data being used to trick you. It makes scams way more convincing and harder to spot.

  • Extortion and Blackmail

If your data came from somewhere sensitive, let’s say a dating site, adult platform, or something else you’d rather keep private, hackers may threaten to expose you in exchange for something (usually money).

  • Resell to Others

The person who performed the original breach may not be the one who cares about your data. A lot of the time, a bad actor will package all the personal information they’ve breached and sell it to other cybercriminals who will make use of it.

Can I check if I have been part of a data breach?

Arguably, the most important part of the article! It’s all well and good me telling you the scary parts, but can you check if your data has been leaked? Yes, you can, and you should.

Luckily for us, there are a lot of good guys out there looking out for each other. A security researcher named Troy Hunt created a free site where you can search your email address or phone number to see if it has appeared in known breaches. If it has, and you’re still using the same passwords – you are walking around with a target on your back.

How to protect yourself?

You don’t need to be tech-savvy. Just follow these good habits:

  • Never reuse passwords across accounts. (Check out this blog: Password Reuse).
  • Use a password manager to store strong, unique passwords – they're a lifesaver.
  • Turn on multi-factor authentication (MFA) wherever you can.
  • Don’t ignore breach alerts - it's your early warning.
  • Stay informed - cybersecurity isn’t just for IT people.