What Is a Data Breach? How to Check If You're Affected
A data breach occurs when unauthorized individuals access protected data — usually a company's database containing user credentials, payment info, or personal details. In 2024-2025, major breaches at National Public Data, Ticketmaster, and AT&T exposed hundreds of millions of records. If your email has ever been used online, your data has almost certainly appeared in at least one breach.
How data breaches happen
The most common breach impact for individuals: your email + password hash appears in a database sold on dark web markets. Attackers run these against other services automatically.
- SQL injection: Attackers exploit poorly coded web forms to extract the database
- Credential stuffing: Using stolen username/password pairs from one breach to try other services
- Insider threat: An employee with database access steals or leaks data
- Third-party vendor: A less-secure vendor with access to your data is breached
- Phishing: An employee is tricked into revealing credentials, giving attackers network access
- Unpatched vulnerabilities: Exploiting known security flaws that haven't been patched
How to check if your data was breached
- haveibeenpwned.com: Enter your email to see which breaches it appears in. Free, run by security researcher Troy Hunt. Shows which data types were exposed.
- Mozilla Monitor (monitor.mozilla.org): Similar service, sends ongoing alerts for new breaches
- Google Password Checkup: In Chrome's password manager, shows if saved passwords appeared in breaches
- Apple's Security Recommendations: In iOS/macOS Keychain, flags compromised passwords
- 1Password Watchtower: Alerts you if saved passwords appear in breach databases
What data is typically exposed
- Email address + hashed password: The most common. Attackers crack weak password hashes offline.
- Full name + address: Identity theft risk — can be used to open fraudulent accounts
- Phone number: Used for SIM swapping and phishing calls
- Date of birth: Often a security question answer
- Social Security Number: Highest risk — can be used for identity theft and tax fraud
- Payment card numbers: Banks usually detect and cancel these proactively
- Plain-text passwords: The worst case — if the company didn't hash passwords. Change immediately.
What to do immediately after a breach
- Change the breached password on that site immediately
- Change the same password on every other site where you used it
- Enable 2FA on the breached account
- If payment data was exposed: monitor bank statements; consider ordering new cards
- If SSN was exposed: freeze your credit at all three bureaus (free in the US)
- If your full identity was exposed: consider credit monitoring services (Experian, LifeLock)
Long-term protection
- Use a password manager with unique passwords for every site — a breach only exposes one password
- Enable 2FA on all accounts: stolen passwords become useless without the second factor
- Use email aliases: SimpleLogin or Apple Hide My Email generates unique addresses per service, limiting breach exposure
- Freeze your credit (US): Free at Equifax, Experian, and TransUnion — prevents new credit accounts being opened in your name
- Sign up for breach alerts: haveibeenpwned.com and Mozilla Monitor send alerts when new breaches containing your email are found
Frequently asked questions
How do I know if my password was actually cracked?
Even hashed passwords can be cracked. Weak passwords (under 10 characters, dictionary words, common phrases) can be cracked within hours using GPU farms. Strong unique passwords take billions of years to crack even with the hash exposed. Use a password manager.
What happens to my data after a breach?
Stolen data is typically sold on dark web markets. Buyers use it for: credential stuffing (trying your login on other sites), targeted phishing, identity theft, or resale. Some breaches are publicly dumped rather than sold privately.
Does a VPN prevent data breaches?
No. Data breaches happen at the company's server, not your connection. A VPN protects data in transit, not data stored by third-party companies. The best protection is unique passwords per site (so a breach only exposes one account) and 2FA.