Beginner Summary
A data breach is when unauthorized people access and steal data from an organization. Billions of accounts have been breached, and your information is very likely in one of those databases. Here's how breaches happen, what gets stolen, and what you should actually do when one affects you.
Table of Contents
- What a data breach is
- Anatomy of a breach: how attackers get in
- Case study: The LinkedIn breach
- What gets stolen and why it matters
- What happens to stolen data
- How to tell if you were affected
- What to do if you're in a breach
- FAQ
What a Data Breach Is
Every service you sign up for stores data about you: your email address, your password (hopefully hashed), sometimes your real name, phone number, payment details, address, messages, or browsing history.
A data breach is when unauthorized people gain access to that stored data and take it. The breach could target a small forum with 10,000 users or a major platform with billions; both have happened.
Since 2004, researchers estimate over 15 billion records have been exposed in publicly known breaches. That figure underestimates the true total: many breaches are never discovered or disclosed.
Anatomy of a Breach: How Attackers Get In
There are several common paths into an organization's database:
SQL Injection
Web applications that interact with databases sometimes fail to properly sanitize user input. An attacker enters malicious code into a form field (a search box, a login field) and the database executes it as a command. A successful SQL injection can allow an attacker to dump the entire database contents in minutes.
Despite being a well-understood vulnerability for over 25 years, SQL injection remains in the top 3 of the OWASP Web Application Security Risks.
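As an added illustration (not code from the original article), here is the vulnerable pattern beside its fix, using Python's built-in sqlite3 and a constructed two-row user table: the concatenated query treats the input as SQL, the parameterised one treats it as a plain value.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")])
    return conn

def lookup_vulnerable(conn, email):
    """Builds the statement by concatenation, so the input is parsed as SQL.
    A quote character in the input ends the string literal early and whatever
    follows becomes part of the WHERE clause, which is how a whole table gets dumped."""
    query = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, email):
    """Parameterised statement: the driver binds the input as a value, so it
    can only ever be compared against the column, never executed."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE email = ?", (email,))]
```

The same crafted input returns every row from the vulnerable function and nothing from the safe one, because no account has that literal string as its email.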
Compromised Credentials
An employee at the target company has their credentials stolen (through phishing, password reuse from another breach, or malware). The attacker uses those credentials to log in with legitimate access and quietly exfiltrate data.
Unpatched Vulnerabilities
Software that hasn't been updated has known, published vulnerabilities. Attackers scan the internet for outdated software and exploit these holes before the organization patches them.
Misconfigured Cloud Storage
Organizations store data in cloud services (AWS S3 buckets, Azure blobs, Google Cloud Storage) that are accidentally configured to be publicly accessible. Security researchers and attackers routinely scan for these misconfigured buckets, and find them with alarming frequency.
Insider Threats
Sometimes the attacker is an employee, either malicious or manipulated. An employee with database access who downloads a copy of customer records before leaving is a data breach.
Case Study: The LinkedIn Breach
LinkedIn has experienced two significant breaches that illustrate how this plays out in practice.
2012 Breach: The Underestimated Attack
In June 2012, LinkedIn announced that 6.5 million password hashes had been stolen and posted online. LinkedIn forced password resets for affected accounts and considered the matter closed.
In 2016, it emerged that the breach was far larger than disclosed: 117 million accounts had been compromised. The passwords had been hashed using SHA-1 without salting, a technique that was inadequate even in 2012. Security researchers cracked millions of the passwords within days of the 2016 revelation.
The stolen database was being sold on dark web markets for 5 Bitcoin (then around $2,300). It contained email addresses and plaintext-equivalent passwords for over 100 million LinkedIn users.
The Cascading Damage
The LinkedIn passwords were used in credential stuffing attacks against dozens of other services: Netflix, Spotify, and others saw waves of account takeovers from users who had reused their LinkedIn password. This is exactly why password reuse is so dangerous. See: How Passwords Get Hacked
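An added example, not part of the original article: a small detector for the credential-stuffing pattern described above, run over a constructed auth log (the log format and the thresholds are assumptions). It flags a source that tries many different accounts within a short window and lists any account that source logged into, which is the set a service would force-reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: one source tries many different accounts in
# quick succession (the credential-stuffing signature), another is a normal user.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave@example.com result=OK
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.7 user=frank@example.com result=FAIL
2024-05-01T10:00:35Z ip=198.51.100.7 user=frank@example.com result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["res"]))
    return events

def find_stuffing_sources(events, window_seconds=60, min_distinct_users=4):
    """Return {ip: users} for sources that attempted at least min_distinct_users
    different accounts within any window_seconds span. Successes count too: a
    reused password shows up as one OK among many FAILs from the same source."""
    by_ip = defaultdict(list)
    for ts, ip, user, _res in events:
        by_ip[ip].append((ts, user))
    flagged, window = {}, timedelta(seconds=window_seconds)
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_distinct_users:
                flagged[ip] = users
                break
    return flagged

def successful_takeovers(events, flagged):
    """Accounts a flagged source actually got into: candidates for forced reset."""
    return sorted(user for _ts, ip, user, res in events if ip in flagged and res == "OK")
```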
2021 LinkedIn Data Scrape
A dataset of 700 million LinkedIn user records appeared for sale online. This one was scraped rather than hacked: attackers used LinkedIn's own API to collect publicly visible profile data at massive scale. While no passwords were included, the data (names, job titles, email addresses, phone numbers, professional histories) is extremely valuable for spear phishing and social engineering attacks.
What Gets Stolen and Why It Matters
| Data Type | What Attackers Do With It |
|---|---|
| Email + Password | Credential stuffing against other sites; direct account access |
| Email address alone | Spam, phishing, social engineering targets |
| Name + Phone + Address | Identity theft, spear phishing, SIM swapping |
| Date of birth + SSN | Full identity theft, fraudulent credit applications |
| Credit card numbers | Direct financial fraud; sold in bulk |
| Medical records | Insurance fraud, prescription fraud, blackmail |
What Happens to Stolen Data
Stolen data follows a consistent lifecycle:
- Private exploitation: attackers first use the data themselves, attempting account takeovers and financial fraud
- Sale on dark web markets: the data is listed for sale to other criminals. Fresh breach data from major platforms can sell for thousands of dollars per database. Older data sells for pennies per record.
- Traded and redistributed: breached databases change hands dozens of times, getting combined with other breaches into "combo lists"
- Public release: eventually, data often ends up posted publicly on hacker forums, which is how sites like HaveIBeenPwned acquire the data they use to check exposure
The journey from breach to public release often takes 1-2 years, meaning your data may be actively traded long before you hear about it.
How to Tell If You Were Affected
Use HaveIBeenPwned, the most comprehensive free breach-checking service:
- Go to haveibeenpwned.com
- Enter your email address
- See which breaches included your data and what was exposed
You can also sign up for free breach alerts; HIBP will email you if your address appears in a new breach. For step-by-step guidance: How to Check if Your Email Has Been Hacked
What to Do If You're in a Breach
Breach Response Steps
- Change your password on the breached service immediately, using a strong, unique password that you use nowhere else. Read: How to Create Strong Passwords
- Change the same password everywhere else you used it. This is urgent: credential stuffing starts immediately.
- Enable 2FA on the affected account and all high-value accounts
- Monitor your bank and credit accounts for unusual activity over the next several months
- Consider a credit freeze if your Social Security Number, date of birth, or financial information was exposed. A credit freeze is free and prevents new credit being opened in your name.
- Be extra vigilant for phishing: attackers use breach data to craft highly targeted phishing attacks. Emails may reference your real name, your employer, or other accurate details.
FAQ
Can I sue a company for being breached?
In some cases, yes. Class action lawsuits against companies for negligent data handling are increasingly common, especially in the US and EU. Check if there's already a class action related to a breach you're affected by; you may be entitled to compensation without needing to file yourself.
If a company is breached, is it always their fault?
Not always entirely: sophisticated nation-state attackers are very difficult to defend against. But many breaches result from negligence: failure to patch known vulnerabilities, inadequate security practices, or failing to encrypt sensitive data. Companies have an obligation to protect data entrusted to them.
My password was hashed. Does that mean it's safe?
It depends on how it was hashed. Weak hashing (MD5, SHA-1 without salt) can be cracked rapidly with modern hardware. Strong hashing (bcrypt, Argon2, scrypt with proper configuration) is much more resistant. Regardless, if your password appeared in a breach, change it.
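An added example (not from the article) contrasting the unsalted SHA-1 of the 2012 LinkedIn dump with a salted, iterated hash, using only the Python standard library. PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2, which are not in the standard library, and the user table is constructed.

```python
import hashlib
import hmac
import os

def sha1_unsalted(password):
    """How the 2012 LinkedIn dump was hashed: deterministic, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def shared_password_groups(unsalted_hashes):
    """Map hash -> users for hashes that appear more than once. Without salt,
    every user with the same password has the same hash, so one precomputed
    table entry for a common password matches all of them at once."""
    groups = {}
    for user, h in unsalted_hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

def hash_password(password, salt=None, rounds=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt/Argon2).
    Each call draws a fresh random salt, so equal passwords produce different
    strings and an attacker must redo the full work for every single user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and round count; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample: two users who chose the same weak password.
USERS = {"alice": "linkedin1", "bob": "linkedin1", "carol": "Tr0ub4dor&3"}
```

With the unsalted scheme the duplicate is visible in the dump itself; with the salted scheme the two stored strings differ even though both verify.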
References
- HaveIBeenPwned: haveibeenpwned.com
- Wired: Inside the 2016 LinkedIn breach reveal
- FTC: Identity Theft guidance
- OWASP Top 10: owasp.org