Data breaches have become so frequent that many people no longer know how to respond when one happens to them. It’s easy to brush it off, but doing so comes with real risks.
When your personal information is exposed, your chances of being targeted by cybercriminals and scammers rise significantly.
Sue shared her experience with the BBC after we discovered her details circulating online.
She had fallen victim to a SIM swap attack, a method where attackers trick a mobile provider into believing they are the real account holder in order to issue a new SIM card.
Using that SIM card, the scammers were able to take control of almost all of her online accounts. Sue described the incident as “horrible.”
“The scammers took over my Gmail account and then locked me out of my bank accounts because they failed the security checks,” she said.
Sue also found out that a credit card had been opened in her name, and the criminals bought more than £3,000 worth of vouchers.
To regain control of her accounts, she had to repeatedly visit her bank and mobile operator.
But the attackers didn’t stop there.
“After they broke into my WhatsApp, they did something even more sinister,” she said. “They messaged horse-riding groups I’m in, claiming people were coming to stab the horses.”
Using tools like haveibeenpwned.com and Constella Intelligence, we checked hacker databases and found her phone number, email address, date of birth, and home address in past data breaches—specifically the 2010 PaddyPower breach and the 2019 Verifications.io breach—plus other leaked datasets.
Hannah Baumgaertner from Silobreaker said the scammers most likely used personal information from these earlier breaches to carry out the SIM swap attack.

A Hijacked Netflix Account
Not every attacker is after a big payout.
Fran from Brazil told the BBC that someone had gained access to her Netflix account—and even upgraded her subscription plan.
“I was charged $9.90 even though I didn’t make that purchase,” she said.
Her family confirmed they hadn’t added any new profiles.
Fran had become a victim of a common scam in which freeloaders hijack streaming accounts.
We found that her email had appeared in at least four data breaches, including Internet Archive (2024), Trello (2024), Descomplica (2021), and Wattpad (2020).
Although the password for her Netflix account does not appear in public databases, it may exist in private or underground ones.
According to Alon Gal of Hudson Rock, there is a booming market for stolen Netflix, Disney, and Spotify accounts, making even minor data leaks valuable to cybercriminals.

Criminals Mix Stolen Data With Public Information
Leah—who requested anonymity—runs a small business using Facebook ads. She became the target of a long-running scam that appears to have originated in Vietnam.
She received a phishing email from “notifications@facebookmail.com” about an alleged refund. After clicking the link and entering her details on a fake Meta page, attackers gained control of her business account—even though she had two-factor authentication enabled.
They then uploaded child sexual abuse videos using her name, which got her blocked from Facebook and even prevented her from using Messenger to complain.
During the three days it took to recover her account, the scammers ran hundreds of pounds’ worth of ads charged to her. She eventually got reimbursed.
Constella Intelligence found that her email and personal information were exposed in breaches at Gravatar (2020) and Qantas (2025).
Attackers likely paired her stolen private email with her publicly listed business phone number to create a targeted phishing attack.

Mass Data Breaches Driving Global Scams
A wave of major breaches in 2025 has contributed to rising scams and secondary attacks:
- 6.5 million Co-op customers were affected in April
- Marks & Spencer suffered a breach impacting millions (exact figure undisclosed)
- Harrods lost data belonging to 400,000 customers
- 5.7 million Qantas passengers had their information leaked
Proton Mail’s Data Breach Observatory reports 794 verified breaches from identifiable sources so far in 2025, exposing more than 300 million individual records.
“Criminals pay high prices for stolen data because it reliably generates profit through fraud, extortion, and cyberattacks,” said Eamonn Maguire.
Aside from informing customers and regulators, there are no strict requirements for what companies must offer victims.
In the past, free credit-monitoring services were common—such as when Ticketmaster (with 500 million victims) offered them last year.
But fewer companies are providing such support now.
Marks & Spencer and Qantas, for example, have not offered these services, and Co-op only gave victims a £10 voucher if they spent £40 in-store.
Some victims are trying to obtain compensation through class-action lawsuits, though these are difficult to win due to challenges proving individual harm.
However, a few cases have succeeded—such as T-Mobile’s settlement over its 2021 breach affecting 76 million customers. The company agreed to pay $350 million, with individual payments ranging from $50 to $300.

Conclusion
In today’s digital age, safeguarding personal data on the internet is more crucial than ever. With the increasing amount of personal information being shared online, users are at risk of data theft, identity fraud, and other security threats. It is essential to be mindful of the information shared on social media, websites, and apps, as well as to use strong, unique passwords and enable privacy settings where possible. By staying informed about potential risks and practicing good cyber hygiene, individuals can significantly reduce the chances of their personal data being misused.





