Data breaches are so prevalent that understanding how to react when affected can be challenging. While it might seem easy to dismiss, there is a significant risk involved.
Becoming a victim of a data breach increases the likelihood of being targeted by criminals and scammers.
One individual, Sue, shared her experience with scammers after her details were found to have been leaked online.




She fell victim to a Sim swap attack, a method where scammers deceive a network operator into believing they are the legitimate account holder to acquire a new Sim card for a mobile device.
This allowed them to gain control over nearly all her online accounts through her phone. The experience was described as “horrible.”
“The scammers took over my Gmail account and then locked me out of my bank accounts because they failed security checks,” she stated.
A credit card was also opened in Sue’s name, and the criminals used it to purchase over £3,000 in vouchers.
Recovering her accounts required multiple visits to her bank branches and mobile phone provider.
The criminal activity did not stop there.
“The criminals also did a sinister thing after breaking into my WhatsApp,” she recounted. “They sent messages to horse riding groups I am in warning there were people on their way to stab the horses.”
Online tools such as haveibeenpwned.com and Constella Intelligence were used to search hacker databases and determine whether Sue’s details had previously been compromised.
Her phone number, email address, date of birth, and physical address were all exposed in data breaches at the gambling platform PaddyPower in 2010 and the email validation tool Verifications.io in 2019. Other compilations of hacked records also contained her information.
Hannah Baumgaertner, from cyber firm Silobreaker, suggested that attackers likely utilized the personal data leaked in these prior breaches to execute the Sim swap attack.
“Once they had access to Sue’s phone number, they were able to intercept any security codes sent to verify her identity for her Gmail account,” she explained.
Netflix Hijacked
Scammers do not always target large financial gains.
Fran, from Brazil, discovered that an unauthorized user had registered on her Netflix account and subsequently increased her monthly subscription.
“I was charged $9.90 (£7.50) on my payment card, even though I hadn’t made this purchase,” she said.
“I immediately contacted my family to find out if anyone had added another profile to the account we share, but they all said no.”
Fran was a victim of a common scam where her Netflix account was hijacked by an unauthorized user.
The exact method of access to her account remains unknown, and the complex nature of cybercrime makes it difficult to pinpoint if a single data breach directly led to the scam.
However, Fran’s email address was exposed in at least four data breaches, including hacks of Internet Archive (2024), Trello (2024), Descomplica (2021), and Wattpad (2020), according to haveibeenpwned.com.
The password used for her Netflix account is not found in publicly known databases but could exist in others.
“There is a huge market for cracked Netflix, Disney, and Spotify accounts,” noted Alon Gal, co-founder of cybersecurity company Hudson Rock.
“It’s a low-barrier entry point for cybercrime, turning one company’s data leak into widespread, ongoing abuse.”
Scammers frequently combine stolen private information with publicly available data.
Leah, who preferred not to disclose her real name, operates a small business using Facebook adverts and was recently targeted by a persistent scam believed to originate from Vietnam.
“I got a phishing email from ‘[email protected]’ saying that I was due a refund. I clicked on the link and entered my details on the fake Meta page, and the scammers were able to take over my business account even though I had 2-factor authentication.”
“They then posted child sexual abuse videos under my name which got me blocked. I was even barred from using Messenger to complain to Meta.”
Within the three days it took Leah to regain control of her business account, the scammers had run hundreds of pounds worth of adverts paid for by her. She eventually recovered the money.
Alberto Casares from Constella Intelligence searched hacker databases and found that Leah’s email address and other details were compromised in data breaches at Gravatar (2020) and, this year, at Qantas (a third-party breach).
“It looks like the attackers used a common technique of linking up Leah’s private stolen email address with her publicly listed business number to launch a targeted phishing attack against the email account.”
This could have been done by the attackers themselves or by using a data broker to acquire a list of potential targets, he added.
Mass Data Breaches
Mass data breaches are fueling scams and secondary hacks globally, with several high-profile incidents occurring in 2025 alone.
- 6.5 million people lost their data when The Co-op was breached in April
- Marks & Spencer was also hacked around the same time, affecting millions of people, though the company has not disclosed the exact number
- Harrods lost the data of 400,000 of its luxury store customers
- 5.7 million flyers were impacted in the Qantas airline hack
According to Proton Mail’s Data Breach Observatory, 794 verified breaches from identifiable sources have been discovered so far in 2025, exposing over 300 million individual records.
“Criminals pay premium prices for stolen data because it consistently generates profit through fraud, extortion, and cyberattacks,” stated Eamonn Maguire from the firm.
Beyond notifying customers and regulators about breaches, there are no strict guidelines on what companies should do for victims.
Offering free credit monitoring, for instance, was once a common practice.
Last year, Ticketmaster (which saw 500 million people affected by a breach) provided this to some individuals.
However, fewer firms are offering such services this year. Marks & Spencer and Qantas, for example, have not extended these services to customers.
Co-op opted to give victims a £10 voucher, conditional on spending £40 in its shops.
Some victims are pursuing compensation through the courts, with a growing trend of class-action lawsuits. These cases are notoriously difficult to win due to the challenge of proving individual impact.
Nevertheless, some have been successful.
T-Mobile has started compensating customers affected by a major data breach in 2021 that impacted 76 million customers.
The company agreed to pay $350 million, with individual payments reportedly ranging from $50 to $300.



