What Happens in a Data Breach — and What Should You Do?
In 2024 alone, billions of records were exposed across thousands of data breaches. Odds are that your personal information — your email address, your hashed or plaintext password, perhaps your phone number or home address — is already sitting in a criminal database somewhere. Understanding how breaches happen and what to do when one affects you is essential digital literacy.
What Is a Data Breach?
A data breach is any incident where personal or sensitive information is accessed, stolen, or exposed without authorization. The data might be stolen by an external attacker, accidentally made public by a misconfigured server, or exposed by a malicious employee. The common thread is that information meant to be private ends up in hands that shouldn't have it.
The scale can vary from a handful of records to billions. The 2013 Yahoo breach ultimately affected 3 billion accounts — every account Yahoo had ever had. The 2019 Collection #1 breach aggregated 2.7 billion email-password pairs from hundreds of previous breaches into a single downloadable file.
How Breaches Happen
SQL Injection
SQL injection remains one of the most common attack vectors against web applications. When a website builds a database query by pasting user input directly into the SQL text instead of passing it as a separate parameter, an attacker can submit specially crafted text that the database interprets as part of the command rather than as data. A malicious input like ' OR '1'='1 in a login field can, if unprotected, instruct the database to return all user records. Well-executed SQL injection can dump an entire database — usernames, passwords, email addresses, payment info — in seconds.
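The following is an added illustration, not code from the original article: the same lookup written two ways against an in-memory SQLite table filled with constructed sample rows. The table layout, column names and sample users are assumptions for the demo. The vulnerable version pastes the input into the SQL string, so the article's ' OR '1'='1 payload turns into a condition that is true for every row; the parameterized version passes the input as a bound value, so the database only ever compares it as text.

```python
import sqlite3

# Constructed sample data: a tiny users table, not from any real service.
SAMPLE_USERS = [
    ("alice", "hash_a", "alice@example.com"),
    ("bob", "hash_b", "bob@example.com"),
    ("carol", "hash_c", "carol@example.com"),
]


def build_db():
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The mistake: user input is pasted into the SQL text, so quotes and
    keywords inside the input become part of the command itself."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """The fix: a parameterized query. The driver sends the input as a bound
    value, so it can only be compared as data, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"  # the input quoted in the article
    print("vulnerable:", lookup_vulnerable(db, payload))  # every user
    print("safe:      ", lookup_safe(db, payload))  # nobody has that name
```

With the payload, the vulnerable function executes `SELECT username FROM users WHERE username = '' OR '1'='1' ORDER BY username`, which matches all three rows; the safe function looks for a user literally named `' OR '1'='1` and finds none. Parameterized queries (or an ORM that uses them) are the fix, not input filtering.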
Credential Stuffing
Credential stuffing attacks work by taking email/password pairs from one breach and automatically testing them against other services. Because most people reuse passwords, a LinkedIn breach password might still work on that user's Spotify, PayPal, or email account. Automated tools can test tens of thousands of credential pairs per minute. This is why password reuse is catastrophic: one breach cascades into dozens.
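Credential stuffing has a recognizable footprint on the defending side: one source tries many different accounts in a short time, unlike a person who mistypes their own password a few times. The detector below is an added example, not code from the original article. It runs over constructed login-audit lines in an assumed format (timestamp, client IP, account, outcome) and flags any IP that touches at least five distinct accounts within 60 seconds; both thresholds are assumptions to tune per service.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed login-audit lines in an assumed format (not real logs):
# one line per attempt with timestamp, client IP, account and outcome.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z ip=203.0.113.5 user=alice@example.com result=FAIL
2025-03-01T10:00:04Z ip=203.0.113.5 user=bob@example.com result=FAIL
2025-03-01T10:00:09Z ip=203.0.113.5 user=carol@example.com result=FAIL
2025-03-01T10:00:13Z ip=203.0.113.5 user=dave@example.com result=FAIL
2025-03-01T10:00:18Z ip=203.0.113.5 user=erin@example.com result=FAIL
2025-03-01T10:00:22Z ip=203.0.113.5 user=frank@example.com result=OK
2025-03-01T10:00:27Z ip=203.0.113.5 user=grace@example.com result=FAIL
2025-03-01T10:05:00Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2025-03-01T10:05:20Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2025-03-01T10:05:45Z ip=198.51.100.7 user=heidi@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, result), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def detect_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Flag source IPs that attempt logins for many *different* accounts inside
    a short window. Successful attempts count too: a hit in the middle of a
    run is exactly what the attacker is after, and it still came from the
    same list-walking source.
    Returns {ip: peak number of distinct accounts seen in one window}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, ip, user, _result = rec
            by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        window = deque()              # attempts inside the current window
        in_window = defaultdict(int)  # user -> attempts still in the window
        for ts, user in attempts:
            window.append((ts, user))
            in_window[user] += 1
            # Evict attempts older than window_seconds relative to this one.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _old_ts, old_user = window.popleft()
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
            if len(in_window) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for ip, peak in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {peak} accounts in 60s")
```

On the sample, 203.0.113.5 is flagged with a peak of seven accounts, while 198.51.100.7 (one person failing twice before getting in) is not. Real stuffing tools spread attempts across many IPs, so in production the same counting is usually keyed by additional signals such as user-agent or TLS fingerprint as well as address.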
Phishing and Social Engineering
Many breaches begin not with technical exploits but with human manipulation. An attacker posing as IT support tricks an employee into revealing their credentials. A targeted spear-phishing email sends a senior executive to a convincing fake login page. Once an attacker has legitimate credentials, they may operate undetected for months while exfiltrating data.
Insider Threats
A disgruntled employee, a contractor with excessive database access, or someone bribed by a competitor can cause breaches that are harder to prevent with technical controls than external attacks, because the person already holds legitimate access. The 2020 Twitter hack, in which attackers took over high-profile accounts, began with a social engineering attack on Twitter employees, not a technical vulnerability.
Misconfigured Storage
A significant number of breaches involve no hacking at all. Databases or cloud storage buckets left publicly accessible without authentication expose millions of records to anyone who knows where to look. Security researchers regularly discover exposed Elasticsearch instances, Amazon S3 buckets, and MongoDB databases containing user data.
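For the storage case, the defender's first check is whether a bucket policy grants anything to an anonymous or wildcard principal. The script below is an added example, not code from the original article or from any cloud provider's tooling: it parses a constructed S3-style bucket policy (the bucket name and the 123456789012 account ID are placeholders) and reports every Allow statement whose Principal is "*" or {"AWS": "*"}. It covers bucket policies only; object ACLs and the account-level Block Public Access settings also decide what is actually reachable and need their own checks.

```python
import json

# Constructed bucket policy with one public statement and one scoped to a
# single placeholder account. Not taken from any real deployment.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadForEveryone",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True when the statement applies to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return every Allow statement that grants access to an anonymous or
    wildcard principal. Statements carrying a Condition block are still
    reported but marked, because a condition (for example a source-VPC
    restriction) may narrow the grant and needs a human to judge."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for f in public_statements(SAMPLE_POLICY):
        note = " (has Condition, review manually)" if f["conditional"] else ""
        print(f"PUBLIC: {f['sid']} allows {f['actions']} on {f['resources']}{note}")
```

Run against the sample, only PublicReadForEveryone is reported; AppRoleOnly names a specific role and passes. The same normalization (string-or-list fields, Principal as string or object) is what trips up quick grep-based audits, which is why the check walks the parsed JSON rather than searching the text for "*".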
What Data Do Attackers Target?
Not all data has equal value to attackers. In rough order of value on criminal marketplaces:
- Full identity packages ("fullz"): Name, address, date of birth, Social Security Number (or national ID), and payment card details combined. Used for identity theft, fraudulent loan applications, and tax fraud.
- Login credentials: Email and password combinations. Used in credential stuffing against other services. Fresh credentials from recently breached sites command higher prices.
- Payment card data: Card number, expiration, CVV. Used for fraudulent purchases before the card is cancelled.
- Medical records: More complete than most identity documents; used for insurance fraud and prescription fraud.
- Email addresses alone: Used for spam and phishing campaigns. Lower individual value but sold in bulk.
Breach Notification Laws
In many jurisdictions, companies are legally required to notify you if your data was breached:
- GDPR (EU): Companies must notify affected individuals "without undue delay" when a breach is likely to result in a risk to their rights and freedoms. The supervisory authority must be notified within 72 hours of the company becoming aware of the breach.
- CCPA/CPRA (California): Companies must notify California residents of breaches involving specific categories of personal information "in the most expedient time possible."
- State laws (US): All 50 US states have breach notification laws, though they vary in scope and timing requirements. Federal legislation has been proposed but not passed as of 2025.
In practice, notifications often arrive weeks or months after the breach — and sometimes breaches are discovered by third parties, not the affected company, meaning you may learn about it from a security researcher or news report before receiving an official notification.
How to Check If Your Data Was Breached
The most reliable free resource is haveibeenpwned.com, created and maintained by security researcher Troy Hunt. Enter your email address and it searches a database of billions of records from hundreds of known breaches. You can also set up email alerts so you're notified if your email appears in future breaches as they are added to the database.
Password managers like Bitwarden and 1Password also check your stored passwords against known breach databases and flag any that have appeared in leaks.
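Checking a password against a breach corpus does not require sending the password anywhere. Have I Been Pwned's Pwned Passwords service publishes a k-anonymity range API: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known hash suffix sharing that prefix with its breach count, and finishes the comparison locally. The code below is an added example (not the site's or any password manager's own code) of that exchange. The endpoint URL is the real one; the response body used for the offline demo is constructed, with one real line (the SHA-1 suffix of the string "password") given an invented count.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API. Only the first five hex
# characters of the SHA-1 hash are ever sent; the full hash stays local.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for an API response so the demo runs offline. The
# format matches the real service (one "SUFFIX:COUNT" line per hash sharing
# the prefix), but the suffixes and counts are invented, except that the
# second line is the genuine SHA-1 suffix of the string "password".
CONSTRUCTED_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body):
    """Turn the 'SUFFIX:COUNT' lines into a dict of suffix -> count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Fetch the real range for a 5-character prefix (network required)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "breach-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in known breaches (0 = not found).
    `fetch` is injectable so tests and offline demos can supply a canned body."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demo using the constructed response above.
    n = pwned_count("password", fetch=lambda prefix: CONSTRUCTED_RESPONSE)
    print(f"'password' seen {n} times (constructed count)")
    # A live check would simply call pwned_count("candidate password").
```

A non-zero count means the exact password has appeared in a breach corpus and should not be used anywhere, regardless of how strong it looks. Because the server only learns a five-character prefix shared by hundreds of hashes, it cannot tell which password was checked, which is what makes this safe to run from a password manager against a user's whole vault.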
Immediate Steps After a Breach Notification
1. Change the Affected Password Immediately
Change your password on the breached service first, then check if you used the same or similar password anywhere else and change those too. Do not make a minor variation — use a completely different, randomly generated password.
2. Check for Password Reuse
Think through every service where you might have used the same password. Prioritize email, banking, social media, and any service that has your payment information. If you used the same password on any of those, change them immediately.
3. Enable Two-Factor Authentication
If you haven't enabled 2FA on the affected account and any accounts where you reused the password, do so now. A stolen password becomes useless if the attacker also needs your authenticator app code.
4. Monitor Financial Accounts
If the breach included financial data or enough information for identity theft, monitor your bank and credit card statements closely for the next several months. Set up transaction alerts if your bank offers them.
5. Consider a Credit Freeze
If personal information like your Social Security Number or date of birth was included in the breach, consider placing a credit freeze with the three major credit bureaus (Equifax, Experian, TransUnion in the US). A credit freeze prevents new credit accounts from being opened in your name without your explicit approval — making it much harder for identity thieves to take out loans or credit cards using your information. In the US, this is free and can be lifted temporarily when you need to apply for credit yourself.
6. Watch for Phishing Attempts
In the weeks following a breach, attackers often send phishing emails impersonating the affected company ("click here to verify your account security after our recent incident"). These emails look increasingly convincing. Always navigate directly to a company's site rather than clicking links in breach-related emails.
Reset with a Strong Password
After a breach, every affected account needs a new, unique, randomly generated password. GlintKit's password generator makes it instant.
The Bottom Line
Data breaches are a fact of modern digital life. The question is not whether a service you use will be breached, but when — and whether your security practices limit the damage when it happens. Unique passwords for every service (enabled by a password manager), two-factor authentication on critical accounts, and a credit freeze after serious identity data exposure are the three most effective defenses. You cannot control whether a company you trust gets breached, but you can control how much damage a single breach can do to you.