When your personal data gets splashed around in a data breach, it isn’t your fault. Somebody else made a mistake. There was nothing the crypto investors who lost $1.4 billion in the ByBit crypto exchange hack could have done to prevent it. Even the creator of the popular HaveIBeenPwned breach tracking site was fooled by a phishing fraud. In some cases, like the National Public Data breach that exposed billions of SSNs, you can find out if your data got spilled. But you might never know if a potential employer shared your data with a third-party screening firm that failed to secure it.
But that doesn't mean you're totally powerless. When you understand how a data breach happens, you can shield yourself from the worst effects. We’re here to help you reach that understanding. If you pay attention to breach reports and take appropriate action immediately, you can get ahead of any identity thieves who might misuse your personal data.
What Do Data Thieves Want?
Picture a criminal gang boosting an armored car carrying safes full of valuables. It seems they’ve made a lucrative haul, but in practical terms, they don’t know who owns each safe, they have no idea what’s inside, and they’re light years from puzzling out the combinations. That’s much like when data thieves get hold of encrypted data vaults from a password manager or similar company. When implemented properly, such a vault can only be opened by the owner, with all decryption happening locally on the owner’s device.
When confronted with a mystery safe or an unknown block of encrypted data, thieves are likely to shove it off the truck and move on to easier targets. However, even a little bit of additional information can make safecracking easier. For example, in one LastPass breach, thieves obtained non-encrypted versions of the URLs unlocked by passwords in the vault. That made guessing master passwords easier, and of course, once the thieves have their copy of your vault in hand, they can spend any amount of time trying to crack it.
Even when Zero Knowledge authentication isn’t implemented perfectly, it creates serious obstacles for malefactors trying to crack security. Conversely, when companies ignore this technology, results can be disastrous.
What Happens If Your Data Is Stolen in a Breach?
In a more common breach, thieves get hold of a company’s customer list, either entirely or in part. Whether they break into the office and lift a paper list or hack into a database online, the result is the same. In the best-case scenario, they only get not-very-private details such as your name, address, phone number, and email. True, they can sell that info to data aggregators and brokers. They might get a list of your purchases, which is also of interest to brokers.
It’s conceivable the stolen data could include your credit card number, but that’s not as big a worry as you might think. The longstanding Payment Card Industry Data Security Standard (PCI-DSS) spells out in excruciating detail how card transactions and stored card data must be secured, and it works most of the time, provided businesses follow the rules. In any case, you don’t have to pay for fraudulent charges on your credit card (at least in the US). This same protection does not apply to debit or business credit cards, so be wary.
Online merchants and other sites have a duty to protect your account details. Many do a fine job, keeping all data encrypted and using Zero Knowledge techniques that let them validate your login password without ever knowing or storing it. But if a site stores your password insecurely such that it’s exposed in a breach, you’ve lost control of that account. Depending on the type of site, the hackers can place orders, make bank transfers, send emails in your name, and even lock you out by changing the password.
It gets worse in two ways. First, if you haven’t gotten around to enlisting the aid of a password manager, you probably use the same password on multiple sites. Hackers know this and quickly check stolen credentials against multiple popular sites. Second, if they get access to your email account, they can often use the standard password reset mechanism to capture more of your online accounts. A breach that exposes your passwords can quickly escalate into full-scale identity theft.
How Do Databases Get Hacked?
I asked an AI image creation program for some sketches depicting “a hacker gaining access to an encrypted database.” Not surprisingly, all the results depict a hoodie-clad figure banging out code while examining endless lines of cryptic characters. This level of hacking does happen, but in real life, breaking into accounts can be much simpler.
The Norton Password Manager breach from 2023 is a good example. Attackers didn’t breach Norton’s security and didn’t steal encrypted data. Rather, they took usernames and passwords from other thefts and used them to jump-start a process called credential stuffing. It’s very simple. They just ran a script designed to try thousands and thousands of username and password combinations, carefully noting the few that yielded access to someone’s account. A 2023 PayPal breach also involved credential stuffing.
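The other side of the credential-stuffing pattern just described is how a site's defenders spot it in their own login logs. This is an added example, not from the article or any vendor: the log format, the addresses and the usernames are constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the article: the defender's view of the pattern
# described above. Credential stuffing shows up as one source trying many
# different usernames, mostly failing, with the occasional success. The log
# format and the entries below are constructed for this example.

LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) user=(\S+) result=(ok|fail)$")

SAMPLE_LOG = """\
2025-03-01 10:00:01 src=203.0.113.7 user=alice result=fail
2025-03-01 10:00:02 src=203.0.113.7 user=bob result=fail
2025-03-01 10:00:02 src=203.0.113.7 user=carol result=fail
2025-03-01 10:00:03 src=203.0.113.7 user=dave result=ok
2025-03-01 10:00:03 src=203.0.113.7 user=erin result=fail
2025-03-01 10:00:04 src=203.0.113.7 user=frank result=fail
2025-03-01 10:05:00 src=198.51.100.2 user=alice result=fail
2025-03-01 10:05:30 src=198.51.100.2 user=alice result=ok
"""

def parse_log(text: str):
    """Yield (timestamp, source, username, result) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def detect_stuffing(text: str, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8) -> dict:
    """Flag sources that, within one window, hit at least min_users distinct
    accounts with mostly failures. 'hits' lists accounts the source did get
    into, i.e. the ones to force a password reset on. A single-account
    brute force (one user, many failures) deliberately does not match."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse_log(text):
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in win}
            fails = sum(r == "fail" for _, _, r in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[src] = {"users": len(users), "fail_ratio": round(fails / len(win), 2),
                               "hits": sorted(u for _, u, r in win if r == "ok")}
                break
    return alerts
```

The second source in the sample (one user, then a success) is a legitimate retry, not stuffing, and is not flagged.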
The group who stole encrypted data vaults from LastPass is still at large, and they can make endless attempts to guess the master passwords that will open those vaults. It wouldn’t take long at all to try the hundred (or thousand) most common passwords against every single vault. If this effort cracks even one target in a hundred, the thieves are doing well.
What Can You Do After a Data Breach?
When the news warns about another boring data breach, it’s easy to ignore, but you should pay attention. Do you have an account or other connection with the breached entity? Just how serious is the breach? A news article will sometimes spell it out, perhaps stating that nothing but customer email and physical addresses were exposed (whew!) or that the breach involved financial information for specific groups. In other stories, you’ll see far less detail, either because the affected company doesn’t yet know what was lost or because they don’t want to admit it.
One thing you can’t do is wait around for a breached entity to tell you whether you were affected. A hack like this is both embarrassing and costly. For legal reasons, victim companies are very cautious about what they reveal. Sometimes, a good lawyer can parlay a statement like “Sorry we lost your data” into a class action lawsuit. That being the case, if you have the slightest connection with the breached entity, you should assume that your data was included.
If you have an account with the breached company, change your password. Now! It doesn’t matter whether you’re sure you were exposed. Just do it. Don’t be part of the one in six Americans who blithely do nothing after a breach. Use a strong, unique password generated by your password manager.
Don’t stop there—search your password manager for any other sites where you used the compromised password and fix those, too. This is a time-critical action. Data thieves can’t access every stolen account simultaneously. By acting fast, you may get ahead of them.
While you have the affected site (or sites) open, check to see if multi-factor authentication (MFA) is an option. MFA is your strongest weapon against account takeover. Enable it if available. Logging in will then require both your password (something you know) and another factor (something you physically have), such as an authenticator app on your phone or a physical security key. A stolen password is useless without that additional factor.
Even after you change your password, keep an eye on the affected company for a while. Log in and confirm that any pending orders or actions are legitimate. See if the company is offering any kind of compensation for victims. A free credit-tracking subscription isn’t out of the question. After the massive Experian breach in 2015, Experian offered victims two years of credit report monitoring and identity resolution services.
If your password manager vault got stolen, that’s bad news. Things are especially hairy if the affected company didn’t precisely follow Zero Knowledge protocols or if you protected your passwords with a lame or reused master password. Changing your password won’t keep the thieves from trying to crack security, as the stolen data still opens with the old password. The same is true of adding MFA after the fact. Your only real recourse is to switch to a more reliable password manager and then quickly spin up a new, unique password for every single secure site.
How to Protect Yourself Against Data Breaches
As noted, credential stuffing attacks simply use a script that automates rapidly checking the most common passwords against multiple accounts. If you’re trying to remember passwords without help, chances are good you’re drawing from a pool of the worst passwords or using the same password everywhere. That’s a huge problem.
Get a password manager right now and start using it. Choose one with a strong emphasis on security, particularly Zero Knowledge security. Zero Knowledge means nobody else can open your vault, not the password company, not a disgruntled employee, not even the NSA.
Choose a password manager that supplies an actionable password security report. If you’re already armed with such a tool, use it! Replace all the weak passwords revealed by the report with strong ones. When the report shows duplicate passwords, generate a new password for each site. Don’t put this off; you don’t know where the next breach will hit.
You’ve heard this before, but I’ll say it again. Protect your password treasure trove with a long, strong, memorable password. Then, add multi-factor authentication. If you get a choice, authentication using a smartphone app or a physical security key is better than the type that relies on texting you a code. With those tasks accomplished, you’d do well to go back and enable MFA for every account that supports it.
Merchants and shopping sites are prime targets for hacking, as Home Depot employees and Rite-Aid customers sadly know. But these sites can’t expose personal data they don’t have. Yes, letting the site save your shipping and credit card information is convenient, but when there’s a choice, decline that convenience. You can always use your password manager to fill in that data. And if any field isn't marked as required, leave it blank.
Unless you cut off all contact with the digital world, your personal information is scattered around the web. Some sites holding your precious data don’t protect it as well as they should, which often results in a breach. You can’t prevent that from happening, but you can minimize your exposure by using a personal data removal service to clear out as much of that loose private information as you can.
Ultimately, data breaches are a fact of life, from hacks that expose billions of SSNs to ones that merely make it harder to order donuts. You can’t prevent them; it’s out of your control. But by following the suggestions above, you can limit the impact of a potential breach.
When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.
Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.
In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.