What is a data breach, and what do I do if my information is in one?
Quick answer
A data breach is when an organisation that holds your personal information loses control of it — your email, password, phone number, address, sometimes your credit-card or ID details end up in a leaked file that attackers download and reuse; the practical response is to change the password on that account, change it anywhere else you reused it, and turn on two-factor authentication.
What it's NOT
A data breach is NOT something you can 'undo' — once data has leaked, it cannot be recalled, only made less useful. It is also NOT necessarily the company's fault in a way you can ignore: even if the company was negligent, the attacker has the data either way, and the practical defence is yours.
More context
A data breach is what happens when an organisation that holds personal information loses control of it. The information leaks out of their systems — through a hack, a misconfigured database, a stolen laptop, a malicious insider — and ends up where the organisation never meant it to be: a paste site, a forum, a dark-web marketplace, sometimes the homepage of a news site.
What is usually in a breach, in rough order of seriousness:
- Email addresses and usernames. Almost every breach includes these. Useful to attackers mostly as a key for the next dataset.
- Passwords. Sometimes in plaintext (rare and inexcusable), often as hashes (which need to be cracked but very often are), sometimes properly hashed with bcrypt or Argon2 (best case — but the strongest hash is no protection if the password itself was weak).
- Phone numbers and physical addresses. Useful for SIM-swap attacks, targeted package fraud, and crafting convincing phishing.
- Dates of birth, government IDs, social security numbers. Long-lived data you cannot really “change”, which makes these leaks particularly painful.
- Credit-card numbers and bank details. Increasingly rare in modern breaches because payment processors handle them separately, but it still happens.
- Health data, dating profiles, private messages. When breaches hit those, the damage extends beyond the financial.
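As an added illustration of the password-storage point in the list above (this is example code, not from the original page or any named product): an unsalted fast hash next to a salted, memory-hard one, using scrypt from Python's standard library in place of the bcrypt/Argon2 the text names, and a check showing that a weak password is matched from a short common-password list no matter how strong the hash is. The common-password list and function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of common passwords (not a real breach file).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome1"]

# scrypt cost parameters: N=2**14, r=8 uses 16 MiB, under hashlib's default 32 MiB cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_unsalted_md5(password: str) -> str:
    """The 'hashes that very often are cracked' case: fast, unsalted.
    Equal passwords give equal hashes, so one precomputed table covers every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """The 'properly hashed' case: per-user random salt plus a slow, memory-hard function.
    Stored as 'scrypt$<salt hex>$<digest hex>' so the verifier can recover the salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_scrypt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def common_password_match(stored: str) -> Optional[str]:
    """Audit check: does this stored hash correspond to one of the common passwords?
    A strong hash only slows this down; it cannot hide a password that is on the list.
    The structural fix is to reject such passwords at signup, before hashing."""
    for guess in COMMON_PASSWORDS:
        if verify_scrypt(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    print(store_unsalted_md5("password"))                 # identical for every user with this password
    print(store_scrypt("password"))                       # different salt, different output each time
    print(common_password_match(store_scrypt("letmein")))  # letmein
```

Two users with the same password get identical MD5 strings but different scrypt strings, which is why salting matters; the audit function shows why a weak password defeats even the salted hash.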
A data breach is not the same as fraud. The breach is the leak. Fraud — credit-card misuse, account takeover, identity theft — is what attackers do with the leaked data afterwards. Many breached datasets are years old by the time anyone uses them against you. The two famous large databases — the “Collection #1-5” set (2019) and the “RockYou2024” file with ~10 billion passwords — are aggregates of many older breaches.
What to do when you learn you are in one:
- Find out which breach. Have I Been Pwned lists known breaches by email, and tells you which fields were exposed.
- Change the password on that service immediately. Make it unique — do not reuse anywhere.
- Change it anywhere else you reused it. This is where attackers actually win. A breach of a forum from 2014 turns into a bank takeover in 2026 because the same password was used.
- Turn on two-factor authentication on the breached service and on any high-value accounts (email, bank, password manager).
- Treat related messages as suspect for months. Attackers buy these datasets and use the real personal info inside to send convincing phishing. A message that knows your name, employer and recent purchase is more persuasive than one that does not.
- If financial or ID data leaked, monitor your bank statements, alert your bank, and in some countries freeze your credit (the US offers this freely; in France a similar mechanism exists for fraud-victim notation at the Banque de France).
- In the EU, you can report the incident to your national data-protection authority (CNIL in France) — under GDPR, the company is required to notify you within 72 hours of becoming aware, and you have a right to compensation for documented harm.
The single biggest practical lesson from twenty years of breaches: password reuse is the multiplier. A breach is rarely catastrophic on its own; reusing the same password is what turns one leak into many takeovers. A password manager is the structural fix.
People also ask
How do I know if my data was in a breach?
The free service haveibeenpwned.com (run by security researcher Troy Hunt, used by Mozilla, 1Password, the UK NCSC, Cloudflare and others) lets you type an email address and see every known breach it appeared in. It is the most reputable source. Most modern password managers and browsers also warn you automatically when a password you have saved matches one in a known leak.
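An added example, not from the original page and not Have I Been Pwned's own code, of how a password manager or browser can check a saved password against a leak corpus without sending the password anywhere: the k-anonymity range scheme that the Pwned Passwords API documents (SHA-1 of the password, only the first five hex characters are sent, and the server returns every matching suffix with its count so the comparison happens on the client). The server side here is a local simulation over a constructed three-entry "leak", and the function names are mine.

```python
import hashlib

# Constructed stand-in for a leaked-password corpus: password -> times seen in breaches.
_CONSTRUCTED_LEAK = {"password": 12345, "123456": 99999, "letmein": 4321}


def _sha1_hex(password: str) -> str:
    """The scheme hashes with SHA-1 and works in upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_endpoint(prefix: str) -> str:
    """Simulated server side (assumed name): given a 5-character hash prefix, return
    'SUFFIX:COUNT' lines for every leaked hash sharing that prefix. The server never
    learns which suffix, if any, the client was interested in."""
    lines = []
    for pw, count in _CONSTRUCTED_LEAK.items():
        h = _sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(sorted(lines))


def breach_count(password: str, query=range_endpoint) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home.
    Returns how many times the password appears in the corpus (0 = not seen)."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, count = line.strip().split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print(breach_count("password"))             # 12345: seen in the constructed leak
    print(breach_count("a-unique-passphrase"))   # 0: not seen
```

Against the real service the `query` argument would be an HTTP GET of the prefix; the client-side logic stays the same, and the only thing that leaves the device is five hex characters that match a large set of unrelated hashes.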
What should I do the moment I learn one of my accounts is in a breach?
Three steps, in order. (1) Change the password on the breached service. Make the new one unique — do not reuse anywhere else. (2) Change the password anywhere else you used the same one (this is where attackers actually win — credential reuse). (3) Turn on two-factor authentication on that account if it offers it. If the breach included credit card or ID details, you may also want to alert your bank or freeze your credit.
Why do I still get spam and phishing months after a breach?
Because leaked databases get traded, repackaged, and resold on dark-web marketplaces and in private channels. A breach that happened in 2022 may not 'arrive' in your inbox as targeted phishing until 2025 or 2026, when a new criminal group buys the dataset. Treating any unexpected message as guilty until proven innocent — especially one that references real personal details — is the right reflex.
Can I sue the company that leaked my data?
In the EU, GDPR Article 82 gives individuals the right to compensation for material and moral damages from a breach, and the CNIL (in France) or other national authorities can fine the company. In practice, class-action style suits are rare and individual settlements are small unless serious harm (identity theft, fraud) is documented. The realistic outcome is regulatory fines on the company, not large personal payouts — but reporting the incident to your national data-protection authority is worth doing.
How do attackers turn a leaked email + password into a real attack?
Automated 'credential stuffing': they run scripts that try the leaked email + password against banks, email providers, streaming services, social networks. If you reused the password anywhere, the script finds a hit. They also use the leaked personal info (name, address, employer, recent purchases) to build more convincing phishing emails — 'Hi [your name], your recent Amazon order #1234 had a delivery problem...'.
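From the defender's side, an added example (not from the page, and not any product's detection rule) of how an authentication service can spot credential stuffing in its own login logs. The signature is many distinct usernames tried from one source in a short window, mostly failing, with the occasional success being the account that reused a password; one person retyping their own password a few times does not match. The log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: timestamp, source IP, username, outcome (not real traffic).
SAMPLE_LOG = """\
2026-03-01T10:00:01 203.0.113.7 alice FAIL
2026-03-01T10:00:02 203.0.113.7 bob FAIL
2026-03-01T10:00:02 203.0.113.7 carol FAIL
2026-03-01T10:00:03 203.0.113.7 dave FAIL
2026-03-01T10:00:03 203.0.113.7 erin FAIL
2026-03-01T10:00:04 203.0.113.7 frank OK
2026-03-01T10:00:04 203.0.113.7 grace FAIL
2026-03-01T10:05:00 198.51.100.9 alice FAIL
2026-03-01T10:05:30 198.51.100.9 alice FAIL
2026-03-01T10:06:00 198.51.100.9 alice OK
"""


def parse_line(line: str):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_stuffing(log_text: str, window: timedelta = timedelta(seconds=60),
                    min_distinct_users: int = 5) -> dict:
    """Flag any source IP that tries at least `min_distinct_users` different usernames
    within `window`. For a flagged IP, also list the accounts that logged in successfully:
    those are the users whose reused password worked and who need a reset and 2FA."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users_in_window = {e[2] for e in evs[start:end + 1]}
            if len(users_in_window) >= min_distinct_users:
                alerts[ip] = {
                    "distinct_users": len({e[2] for e in evs}),
                    "failures": sum(1 for e in evs if e[3] == "FAIL"),
                    "successful_logins": sorted({e[2] for e in evs if e[3] == "OK"}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
    # 203.0.113.7 {'distinct_users': 7, 'failures': 6, 'successful_logins': ['frank']}
```

The second source (198.51.100.9) is one user failing twice and then succeeding, which a per-account lockout would handle; it is not flagged here because the distinguishing feature of stuffing is breadth across accounts, not depth on one. In production the same rule would run over a stream with rate limiting and device fingerprinting alongside it, and the `successful_logins` list is the queue for forced password resets.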
Also explained
What is a password manager, and is it safe to use one?
A password manager is an app that generates a unique strong password for every account and remembers them for you behind one master password — yes, it is much safer than reusing the same password, even though all your passwords sit in one place.
What is phishing, and how do I recognise it?
Phishing is when someone sends you a fake message — usually email, SMS or chat — that looks like it comes from your bank, your boss, a delivery service or a friend, hoping you click a link, enter a password or transfer money before you notice the small details that give it away.
What is the dark web?
The dark web is a small slice of the internet that you can only reach with a special browser like Tor — it hides who is connecting and what they are reading, which is useful for journalists and dissidents but also where stolen passwords and illegal goods are traded.
What is two-factor authentication (2FA), and which kind should I use?
Two-factor authentication adds a second step after your password — a code from an app, a tap on your phone, or a passkey — so that a stolen password alone is no longer enough to log in; in 2026 the best option for most people is a passkey, then an authenticator app, then SMS only as a last resort.