Data breaches are announced regularly — millions of accounts here, hundreds of millions there. Most people read the headline and move on. Here's what actually happens to your data after a company gets hacked, and what the real-world consequences look like.
How a Breach Happens
The most common causes of data breaches are: employee phishing (someone clicks a malicious link and hands over credentials), credential stuffing (attackers use username/password combinations from previous breaches to access new systems), and software vulnerabilities (unpatched security flaws that attackers exploit). Sophisticated attacks against large companies often involve months of reconnaissance before the actual breach.
Immediately After the Breach
Attackers exfiltrate — download — the data they want. This often includes user databases with emails, hashed passwords, names, addresses, and payment information. In many cases, the attacker then sells access to other criminals or sells the data directly.
Companies often don't know they've been breached immediately. The average time to detect a breach is 207 days, according to IBM's annual Cost of a Data Breach Report. By the time you receive a notification, your data has often been in criminal hands for months.
Where Your Data Goes Next
Dark web marketplaces. Stolen data gets listed for sale. Email/password combinations sell for fractions of a cent each in bulk. Credit card numbers sell for $5–20 each depending on credit limit and country. Full identity packages (name, SSN, DOB, address) sell for $10–30.
Credential stuffing attacks. The leaked email/password list gets run against hundreds of other sites automatically. Accounts that used the same password get taken over.
Spam and phishing campaigns. Your email gets added to lists used for spam and phishing. If your name and employer were in the breach, you may receive personalized phishing attempts.
Data brokers. Some breach data eventually makes its way into data broker databases, where it gets merged with other records to build richer profiles.
The Notification You Receive Is Often Useless
Companies are legally required to notify affected users (timelines vary by state). These notifications typically arrive weeks or months after the breach, use vague language ("some user information may have been accessed"), and offer credit monitoring as compensation — which doesn't actually protect you from the ways your data will be misused.
What to Do When You're Notified of a Breach
- Change your password on the breached service immediately. Don't wait.
- If you used that password anywhere else, change it on those accounts too — or better, switch to a password manager.
- Enable two-factor authentication on the breached account.
- If payment information was included, watch your bank statements and consider requesting a new card number.
- If your SSN was included, place a fraud alert or credit freeze at all three bureaus.
- Check haveibeenpwned.com to see which known breaches your email address appears in.
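Checking whether a password you still use has already appeared in a breach is a concrete way to act on the list above. The following is an added Python example, not code from the article or from haveibeenpwned.com; it assumes the real Pwned Passwords range endpoint https://api.pwnedpasswords.com/range/{prefix}, and the embedded response body is constructed (suffixes and counts invented) so the example runs offline. Only the first five hex characters of the SHA-1 leave your machine; the password itself is never sent.

```python
"""Check a password against a Pwned Passwords range response (k-anonymity model).

Assumptions (not from the article): the live API is
https://api.pwnedpasswords.com/range/{prefix}; SAMPLE_BODY below is CONSTRUCTED.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1: 5 chars go to the server, 35 stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, body: str) -> int:
    """How often the password appears in the range response (0 = not listed)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-char prefix; the server never sees the full hash."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# CONSTRUCTED response for prefix 5BAA6 (SHA-1 of "password" starts with it); counts are invented.
SAMPLE_BODY = (
    "0011223344556677889900AABBCCDDEEFF0:12\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "FFEEDDCCBBAA99887766554433221100ABC:3\r\n"
)

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(f"prefix sent to server: {prefix}")
    print(f"times seen in breach corpora: {breach_count('password', SAMPLE_BODY)}")
```

To check against live data, replace SAMPLE_BODY with fetch_range(prefix) for the password's own prefix.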
The Systemic Problem
You cannot prevent companies from being breached. You can only limit the damage each breach causes to you by maintaining unique passwords, using alias emails, and minimizing how much personal information you provide to any given service.