Personal Data Breach & Identity Theft

Critical SeverityRisingData Breach / Identity TheftVerified 2026-02-28

Criminals weaponize stolen personal data from major breaches to launch targeted phishing attacks and create unauthorized accounts in your name. After a company breach exposes your SSN, email, or card details, scammers use this information to craft convincing emails, perform credential stuffing, or commit synthetic identity fraud. This pattern represents one of the fastest-growing threats, with over 1.1 million identity theft reports in 2024 alone.

Annual Losses

$1.45 billion

Avg Loss / Victim

$1,000-$1,650 median for older adults; varies widely by fraud type

Primary Vector

Stolen personal data weaponized via phishing emails, phone calls, and credential stuffing attacks

Peak Season

Year-round, with spikes following major breach disclosures

How It Works

Identity theft following a data breach occurs in stages, often months or years after your personal information is stolen. A trusted company suffers a breach, exposing your name, email, Social Security number, or payment card details. Criminals immediately purchase this stolen data from dark web marketplaces and use it to craft highly personalized phishing emails, make convincing phone calls, or perform automated credential stuffing attacks against major financial institutions. The breached data makes these attacks far more effective because they reference real account details, creating an illusion of legitimacy. Over time, attackers may escalate to opening new accounts, filing fraudulent tax returns, or conducting SIM-swap attacks to bypass two-factor authentication.

1A company you trusted experiences a data breach, and your personal data (name, SSN, email, card details) is stolen and sold on dark web markets
2Criminals purchase your stolen data in bulk and use it to craft targeted phishing emails that reference your real account details and financial institutions
3You receive a convincing email claiming your account needs verification, appearing to come from your bank or a breached company
4Attackers perform credential stuffing, testing your leaked username and password combinations against banks, email providers, and retail sites
5Criminals may create synthetic identities by combining your real SSN with fabricated personal details to apply for credit cards or loans
6Attackers attempt SIM-swap attacks by contacting your phone carrier and impersonating you to redirect your phone number to their device, bypassing two-factor authentication
7Months or years later, you discover unauthorized accounts, fraudulent charges, or tax returns filed in your name

Example Scam Messages

Hover or tap the highlighted text to see why each element is a red flag.

EXAMPLE 1

Dear Sarah Johnson, we noticed unusual activity on your Wells Fargo account ending in 4829. Click here to verifyRed flag: Real banks direct you to log in through their official website, never through email links your identity immediately to protect your account.

“your real name and specific account details” — Legitimate banks never reference account details in emails or ask you to click links for verification

“Click here to verify” — Real banks direct you to log in through their official website, never through email links

EXAMPLE 2

Your Social Security number was compromisedRed flag: This is accurate information from the real 2024 breach, but scammers use real breach details to build trust in the Change Healthcare data breach. Call 1-855-206-7283 immediately to activate your free credit monitoring and freeze your credit.

“Your Social Security number was compromised” — This is accurate information from the real 2024 breach, but scammers use real breach details to build trust

“call this number to activate free credit monitoring” — Legitimate breach notifications never ask for payment or SSN to enroll in credit monitoring; the company provides it for free after verifying your identity through postal mail

EXAMPLE 3

IRS Alert: Your Social Security number was used to file a fraudulent tax returnRed flag: This mimics the real consequence of identity theft, making it feel urgent and legitimate. Click here to claim your refund or call our verification line at 1-888-445-3901.

“Your Social Security number was used to file a fraudulent tax return” — This mimics the real consequence of identity theft, making it feel urgent and legitimate

“click here or call this number” — The IRS contacts you by postal mail only, never by email or unsolicited phone calls

Red Flags Checklist

Email or call referencing your real account details but asking you to click a link or call a number you cannot independently verify

Real companies never ask you to verify sensitive information through links in emails or numbers they provide. Always call the official number on your statement or the company's website.

Offers of 'free credit monitoring' that request your Social Security number or other personal details to enroll

Legitimate breach notifications provide credit monitoring for free without requiring you to provide information the company should already have. Real offers come by postal mail.

Calls from someone claiming to represent a breached company, asking you to 'confirm' information they should already have

Legitimate breach notifications are sent by postal mail and include verified contact information. Never provide personal details over the phone in response to unsolicited calls.

Unfamiliar accounts or hard inquiries appearing on your credit report, especially soon after a major breach announcement

These are signs of active identity theft. Place a credit freeze immediately and dispute fraudulent accounts with the credit bureaus.

Tax return rejected because one was already filed in your name, or receiving a 1099 for income you didn't earn

This indicates your SSN was used for tax fraud. File an Identity Theft Affidavit with the FTC and contact the IRS immediately.

Receiving collection notices for accounts you never opened or debts you didn't incur

Criminals may be using your identity to open accounts. Contact the creditor, dispute the account, and file with the FTC.

What Real Communication Looks Like

Legitimate breach notifications are sent by postal mail to your address on file, include the company's verifiable address and phone number, clearly state what data was exposed and what happened, and direct you to their official website or a verified phone number. Real companies never ask you to verify information through email links. If you suspect a breach notification is fake, hang up and call the company's main number from their official website or your statement. Real credit monitoring offers from breached companies are provided for free without requiring you to provide additional personal details. The Federal Trade Commission's IdentityTheft.gov provides official guidance and includes a verified contact method for the company if you have questions.

What To Do

If you just received this message:

Do not click any links in the email or call any phone number provided in the message

Visit IdentityTheft.gov/databreach or go directly to the company's official website to verify if a breach occurred

If the breach is real, place a credit freeze with all three bureaus (Equifax, Experian, TransUnion) by calling or visiting their official websites

Set up account alerts with your bank and credit card companies to notify you of suspicious activity

Change your password for any online accounts associated with the breached company, and use unique passwords everywhere

If you already clicked or gave information:

Do not enter any personal information, passwords, or financial details into the suspicious site

If you already entered a password, change it immediately on the legitimate website

If you entered your SSN, payment card details, or other sensitive information, place a credit freeze and file an Identity Theft Report at IdentityTheft.gov

Monitor your credit report for unauthorized accounts or inquiries at AnnualCreditReport.com

Consider running a malware scan on your device using reputable antivirus software

File a report with the FTC at ReportFraud.ftc.gov with details of the suspicious email

Where to report:

Federal Trade Commission: IdentityTheft.gov or ReportFraud.ftc.gov

FBI Internet Crime Complaint Center (IC3): ic3.gov

US Postal Inspection Service (if breach notification was received by mail): uspis.gov

Your state's Attorney General's office

The company that suffered the breach, using their official contact information

Frequently Asked Questions

How do I know if my data was in a breach?

Check HaveIBeenPwned.com (a free, reputable service) by entering your email address. You can also sign up for breach notifications from Have I Been Pwned. Legitimate breach notifications will also arrive by postal mail from the affected company. After major breaches like National Public Data or Change Healthcare, check news reports and official company announcements.

Should I freeze my credit or just set an alert?

A credit freeze is much stronger and highly recommended. A freeze blocks new accounts from being opened entirely without your explicit PIN-based authorization. An alert only flags attempts to open new accounts but allows them to proceed. After a breach exposing your SSN, a freeze is the better choice. Freezes are free and can be lifted temporarily when you need to apply for credit.

How long after a breach can my data be misused?

Stolen Social Security numbers never expire and are resold repeatedly on dark web markets for years or decades. Criminals may use your data immediately after a breach, or they may wait months or years to avoid detection. This is why ongoing credit monitoring and regular credit report reviews are important even after a breach.

If I placed a credit freeze, can I still apply for credit?

Yes. When you need to apply for credit, you temporarily lift your freeze using a PIN you create. Contact the credit bureau (by phone or their website) and request a temporary lift. You can set it for a specific number of days. After approval, you can re-freeze. This process is free.

What's the difference between an Identity Theft Report and a credit freeze?

A credit freeze prevents new accounts from being opened. An Identity Theft Report (filed at IdentityTheft.gov) creates an official record with the FTC and activates fraud alerts with credit bureaus, blocks fraudulent inquiries, and gives you additional legal protections. File the report if you've been a victim of identity fraud, not just if your data was in a breach.

Sources

FBI IC3 2024 Annual Report
FTC Consumer Sentinel Network 2024 Data
FTC IdentityTheft.gov Official Guidance
HHS OCR Breach Notification Database
Have I Been Pwned Database
US Postal Inspection Service
Marriott/Starwood $52M settlement (FTC + 50 state AGs, Oct 2024) for multi-year breaches of 131.5M customers
Georgia Tech $875K DOJ False Claims Act settlement (Sep 2025) for failed cybersecurity controls

Got a suspicious message?

Paste it in and get an instant analysis — free, private, no account needed.

Analyze a Message