In 2024 alone, billions of personal records were exposed in data breaches around the world. Your email address has almost certainly appeared in at least one — and quite possibly several. The real question is not whether your data has been exposed, but what data was exposed and what you are doing about it.
A data breach occurs when unauthorised individuals gain access to a system holding personal data and copy that data out, whether by breaking in, by abusing a legitimate account, or simply by finding a database that was left exposed to the internet. The victim could be a major corporation like a bank, retailer, or social media platform, or it could be a smaller organisation like a local gym, a subscription service, or a company you did business with years ago and have long since forgotten.
What gets stolen in data breaches
The data exposed varies enormously by breach. At the lower end, a breach might expose email addresses and usernames, which are useful for spam campaigns but not immediately dangerous on their own. At the more serious end, a breach can expose passwords, full names and home addresses, dates of birth, phone numbers, payment card details, national insurance numbers, bank account details, and even passport or driving licence information. Passwords stored in plain text need no cracking at all; passwords stored as hashes can still be attacked offline, and how well they hold up depends on the hashing: fast, unsalted algorithms such as MD5 or SHA-1 fall to dictionary and brute-force attacks in hours, while slow, salted algorithms such as bcrypt or Argon2 make each guess expensive and keep strong passwords safe for far longer.
The most dangerous combination is email address plus password, because it enables credential stuffing attacks: automated tools that test the stolen username and password combination (and common variants of the password) against hundreds of other websites, looking for accounts where you have reused it. This is why password reuse is such a serious risk: one breach of a minor website can cascade into loss of access to your bank, your email, your social media, and your shopping accounts simultaneously.
How to check if your data has been exposed
The most widely used free tool for checking whether your email address has appeared in known data breaches is haveibeenpwned.com, maintained by the independent security researcher Troy Hunt. Enter your email address to see a list of every breach in its database where that address has appeared, with details of what specific data was exposed in each. Note that the site can only index breaches whose data has surfaced and been loaded by the service; an absence from the list does not mean your address has never been exposed.
You can also set up a free monitoring alert on the site, which will automatically notify you by email if your address appears in future breaches. This is worth doing: organisations often take months to notify affected users, and some never do, so learning early gives you a window to act before your data is actively used against you.
The Google Password Manager (accessible through passwords.google.com with any Google account, and built into Chrome), Apple's iCloud Keychain (the Passwords app, or Settings > Passwords on older releases), and Bitwarden's vault reports all include password monitoring that checks your saved passwords against known breach data and flags those that need changing. These checks are designed so that the plaintext password never leaves your device: Bitwarden, for example, queries Have I Been Pwned's Pwned Passwords service by sending only the first five characters of the password's SHA-1 hash and matching the returned candidate hashes locally. These tools are useful complements to haveibeenpwned.com, which tells you about your email address but not about which of your current passwords are compromised.
What to do immediately after discovering a breach
The urgency of your response should match the sensitivity of the data exposed. If only your email address was exposed, the main risk is increased spam and phishing attempts — be more vigilant about suspicious emails but there is no emergency action required. If passwords were exposed, act immediately regardless of how old the password is, because you may have used it elsewhere.
Change the password on the breached service first, then search your password manager for every other account where you used the same password or an obvious variant of it (attackers try "Password1" and "Password2" as a matter of course) and change those too. Enable two-factor authentication on the affected account if you have not already. If payment card details were exposed, contact your bank to discuss whether a replacement card is advisable, and watch your statements for unfamiliar transactions in the meantime.
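The two checks described above (the breach-monitoring lookup that password managers perform, and the search of your own vault for reused or near-identical passwords) can be done by hand on a small export. The script below is an added example, not code from any of the tools named on this page. It assumes a CSV export with Bitwarden-style column names (name, login_uri, login_username, login_password), uses a simple, assumed heuristic for "similar" passwords (case and trailing digits or punctuation ignored), and queries the Pwned Passwords range API using the k-anonymity scheme: only the first five hex characters of the SHA-1 hash are sent, and the full hash is matched locally. The export and the API response embedded in the script are constructed so that it runs offline; the counts in the stub response are illustrative, not real figures.

```python
import csv
import hashlib
import io
import re
import urllib.request
from collections import defaultdict

# Constructed sample export (not a real vault). Columns follow Bitwarden's CSV
# export naming; other managers use different headers and would need mapping.
SAMPLE_EXPORT = """name,login_uri,login_username,login_password
Example Shop,https://shop.example,alice@example.com,password
Example Forum,https://forum.example,alice@example.com,Password1
Example Bank,https://bank.example,alice@example.com,xK9#vL2$pQ7!mN4
Old Gym,https://gym.example,alice@example.com,password
"""


def normalise(password):
    """Assumed heuristic for 'similar' passwords: ignore case and any trailing
    run of digits/punctuation, so 'Password1' and 'password!' group with 'password'.
    An all-digit password would normalise to '' so we fall back to the lowercased original."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return (stripped or password).lower()


def find_reuse(csv_text):
    """Return {normalised password: [account names]} for every group used more than once."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[normalise(row["login_password"])].append(row["name"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def split_sha1(password):
    """Pwned Passwords keys on uppercase hex SHA-1: 5-char prefix sent, 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live lookup against the real range endpoint (needs network; not used by the tests).
    The response is one 'SUFFIX:COUNT' line per matching hash in the prefix bucket."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-audit-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in Pwned Passwords, 0 if absent.
    The plaintext never leaves this function: only the hash prefix is sent."""
    prefix, suffix = split_sha1(password)
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API response for prefix 5BAA6, which is the
# prefix of SHA-1("password"). The real bucket holds several hundred lines and
# a far larger count; these values are illustrative only. Other prefixes return
# an empty bucket here, so the offline run reports 0 for every other password.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004\r\n"
             "1E2AAA439C7A6F1D7D8F9E0B9FA0C9B4F0A:1\r\n",
}


def offline_fetch(prefix):
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def audit(csv_text, fetch=offline_fetch):
    """Run both checks: reused-password groups and a breach count per account."""
    reused = find_reuse(csv_text)
    exposure = {
        row["name"]: pwned_count(row["login_password"], fetch)
        for row in csv.DictReader(io.StringIO(csv_text))
    }
    return reused, exposure


if __name__ == "__main__":
    reused, exposure = audit(SAMPLE_EXPORT)
    for pw_group, accounts in reused.items():
        print(f"reused ({pw_group!r} and variants): {', '.join(accounts)}")
    for name, count in exposure.items():
        print(f"{name}: {'seen ' + str(count) + ' times in breaches' if count else 'not in Pwned Passwords'}")
```

To run it against your own vault, export a CSV from your manager, pass its contents to audit() with fetch=fetch_range, and delete the export afterwards; it contains every password in plain text. The Add-Padding header asks the service to pad each bucket to a similar size so that response length does not hint at which prefix was queried.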
How attackers use stolen data
Understanding what attackers do with breached data helps you prioritise your response. The most immediate use of stolen credentials is credential stuffing — automated testing of username and password combinations against popular websites. This happens within hours of breach data appearing on criminal forums.
Stolen personal information is used to craft targeted phishing attacks. An attacker who knows your name, email, home address, and the bank you use can write a highly convincing email that references these specific details, making it far more credible than a generic phishing attempt. This is why data breaches that expose personal information rather than just credentials can lead to phishing attacks months or years later.
Identity theft is the most serious downstream consequence of major breaches. With enough personal information (name, date of birth, address, national insurance number) an attacker can attempt to open financial accounts, apply for credit, or commit fraud in your name. If you have had significant personal data exposed, consider CIFAS Protective Registration (cifas.org.uk), a paid service that places a warning marker on your credit file so that lenders carry out extra identity checks before approving applications in your name; expect legitimate applications of your own to take slightly longer as a result.
Long-term habits that limit your breach exposure
- Use a unique password for every single account — if one is breached, none of the others are compromised
- Use a password manager to generate and store these unique passwords
- Enable two-factor authentication on every important account, preferring an authenticator app or hardware security key over SMS codes where the service offers them
- Use an email alias service (like SimpleLogin or Apple’s Hide My Email) for newsletter signups and less trusted services, so breaches of those services do not expose your real email address
- Monitor haveibeenpwned.com and enable breach alerts
- Review your credit report periodically for unfamiliar accounts; you are entitled to a free statutory report from each of the three main UK agencies (Experian, Equifax, TransUnion), and each also offers free ongoing online access directly or through a partner service