Joe Tidy, Cyber correspondent, BBC World Service
Data breaches are becoming so frequent that it can be exhausting to know how to react when one happens to you. It is often easy to shrug it off, but there is a danger.
Being a victim of a data breach increases your chances of being targeted by criminals and scammers.
Sue told the BBC how scammers went after her. We found her details had been leaked online.
She was a victim of what is known as a Sim swap attack – where scammers trick a network operator into thinking they’re the account holder to get a new Sim card for a mobile device.
They used it to take over almost all her online accounts through her phone. She said the experience was “horrible”.
“The scammers took over my Gmail account and then locked me out of my bank accounts because they failed security checks,” she said.
Sue also had a bank card opened in her name and the criminals bought more than £3,000 in vouchers.
It took several trips to the branches of her bank and mobile phone provider to get her accounts back.
And the thieves weren’t done.
“The criminals also did a sinister thing after breaking into my WhatsApp,” she said. “They sent messages to horse driving groups I’m in warning there were people on their way to stab the horses.”
We searched hacker databases using online tools like haveibeenpwned.com and Constella Intelligence to see if Sue’s details had previously been compromised.
Her phone number, email address, date of birth and physical address were all exposed in data breaches at gambling platform PaddyPower in 2010 and email validation software Verifications.io in 2019. Other compilations of hacked data also included her details.
Hannah Baumgaertner, from cyber firm Silobreaker, said attackers likely used the personal data leaked in earlier breaches to conduct the Sim swap attack.
“As soon as they had access to Sue’s phone number they were able to intercept any security codes sent to confirm her identity for her Gmail account,” she said.
Netflix hijacked
But scammers aren’t always targeting big payouts.
Fran from Brazil told the BBC she found someone had registered to her Netflix account – and increased her monthly subscription.
“I was charged $9.90 (£7.50) on my payment card, although I hadn’t made this purchase,” she said.
“I immediately contacted my family to find out if anyone had added another profile to the account we share, but all of them said no.”
Fran was a victim of a common scam where her Netflix account was hijacked by a freeloader.
It is not known exactly how they got into her account, and the murky world of cybercrime means it is difficult to pinpoint whether a single data breach led to someone being scammed.
But we found Fran’s email address had been exposed in at least four data breaches including hacks of Internet Archive (2024), Trellov (2024), Descomplica (2021) and Wattpad (2020), according to the website haveibeenpwned.com.
The password she used for her Netflix account is not in publicly-known databases but might be in others.
“There’s a large market for cracked Netflix, Disney and Spotify accounts”, said Alon Gal, co-founder of cyber security company Hudson Rock.
“It’s a low-barrier entry point for cybercrime, turning one firm’s data leak into widespread, ongoing abuse.”
Scammers often combine stolen personal data with public data.
Leah, who did not want to give her real name, runs a small business using Facebook ads and was recently targeted in a long-running scam apparently originating from Vietnam.
“I received a phishing email from ‘notifications@facebookmail.com’ saying that I was due a refund. I clicked on the link and entered my details on the fake Meta page and the scammers were able to take over my business account although I had 2 factor authentication.
“They then posted baby sexual abuse movies under my name which got me blocked. I was even barred from using Messenger to complain to Meta.”
In the three days it took Leah to get her business account back, the scammers had run hundreds of pounds of ads paid for by her. She eventually got the money back.
Alberto Casares from Constella Intelligence searched hacker databases and found Leah’s email address and other details were taken in data breaches at Gravatar (2020) and this year’s Qantas (third-party breach).
“It looks like the attackers used a common technique of linking up Leah’s personal stolen email address with her publicly listed business number to launch a targeted phishing attack against the email account.”
They could have done this themselves or used a data broker to pay for a number of potential targets, he said.
Mass data breaches
Mass data breaches are fuelling scams and secondary hacks around the world, with several high profile attacks coming in 2025 alone.
According to Proton Mail’s Data Breach Observatory, there have been 794 verified breaches from identifiable sources discovered so far in 2025, with more than 300 million individual records exposed.
“Criminals pay premium prices for stolen data because it constantly generates revenue through fraud, extortion, and cyberattacks,” said Eamonn Maguire from the firm.
Apart from notifying customers and regulators about breaches, there are no hard and fast rules on what companies should do for victims.
Offering free credit monitoring, for example, used to be common.
Last year, Ticketmaster (which saw 500m people affected by a breach) offered this to some people.
But this year fewer firms are doing this. Marks and Spencer and Qantas, for example, have not offered these services to customers.
Co-op chose to give victims a £10 voucher – if they spent £40 in its shops.
Some try to seek compensation in the courts, with a growing trend of class action lawsuits – though these are notoriously hard to win because it is difficult to prove how individuals have been impacted.
But some have been successful.
T-Mobile has begun paying customers affected by a major data breach in 2021 which affected 76m customers.
The firm agreed to pay $350m – with payments reportedly ranging from $50 to $300.
