Data breaches make headlines when they happen to big companies, but millions of smaller breaches happen every year without any public notice. If you've been using the internet for more than a few years, your email address has almost certainly been exposed in at least one breach.

But what actually happens after a breach? Where does your data go, and what risks does it create?

Step one: The breach occurs

A data breach happens when an attacker gains unauthorized access to data a company holds, usually a database of user accounts. Common routes in: a security vulnerability in the company's own software or in a third-party component it depends on, a phishing attack that tricks an employee into handing over credentials, or simply a misconfigured database or storage bucket left reachable from the internet with no authentication at all.

The attacker copies out as much data as they can before being detected. This typically includes usernames, email addresses and, very often, password data. What that password data is worth depends entirely on how it was stored. If each password was hashed with its own random salt and a deliberately slow, password-specific function (bcrypt, scrypt, Argon2, or PBKDF2 with a high work factor), cracking is expensive and the work has to be repeated for every single account. If passwords were stored in plaintext, or as unsalted fast hashes such as MD5 or SHA-1, which is more common than you'd think, the attacker can recover most of them in bulk with a wordlist in hours, or use them directly.
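To make the storage difference concrete, here is an added example (not code from the original article) that builds two versions of the same small breached dump, one with unsalted MD5 and one with salted PBKDF2-HMAC-SHA256, and runs the same wordlist attack against both. The accounts, passwords and wordlist are constructed for the example; the iteration count is an assumption, and real deployments tune it upward.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed data for this example: a small attacker wordlist and four accounts.
# "Tr0ub4dor&3" is deliberately absent from the wordlist so it survives both attacks;
# alice and dan share a password so the unsalted scheme's weakness is visible before cracking.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2019", "dragon"]
USERS = {
    "alice@example.com": "password",
    "bob@example.com": "summer2019",
    "carol@example.com": "Tr0ub4dor&3",
    "dan@example.com": "password",
}
PBKDF2_ITERATIONS = 100_000  # assumed work factor; chosen to be slow on purpose


def store_unsalted_md5(password: str) -> str:
    """The weak scheme: one fast hash, no salt, identical output for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """A reasonable scheme: random per-user salt plus a deliberately slow key-derivation function."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def build_dumps() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return what an attacker would find in the breach under each storage scheme."""
    md5_dump = {email: store_unsalted_md5(pw) for email, pw in USERS.items()}
    pbkdf2_dump = {email: store_salted_pbkdf2(pw) for email, pw in USERS.items()}
    return md5_dump, pbkdf2_dump


def crack_unsalted(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once, then look every account up in the table.

    Total work is len(wordlist) hashes no matter how many accounts leaked.
    """
    table = {store_unsalted_md5(word): word for word in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """The salt forces a fresh computation per account per candidate, and each one is slow."""
    cracked: Dict[str, str] = {}
    hashes_computed = 0
    for email, stored in dump.items():
        salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            hashes_computed += 1
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, PBKDF2_ITERATIONS)
            if candidate.hex() == dk_hex:
                cracked[email] = word
                break  # stop at the first match for this account
    return cracked, hashes_computed


if __name__ == "__main__":
    md5_dump, pbkdf2_dump = build_dumps()
    print("unsalted MD5  :", crack_unsalted(md5_dump, WORDLIST))
    print("salted PBKDF2 :", crack_salted(pbkdf2_dump, WORDLIST))
```

Both attacks recover the three weak passwords, but note the cost: against the unsalted dump the attacker computes six hashes total and every account falls out of a lookup table at once, while the salted dump needs a separate run of the slow function for every account and candidate, which is what buys time to notify users and force resets. The unsalted dump also reveals that alice and dan share a password before a single hash is cracked.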

What happens to the stolen data

Stolen data doesn't just disappear. It enters a well-established underground market. Within days or weeks of a major breach, the data typically appears on dark web forums where it's sold in bulk, and once it has been resold a few times it is usually dumped publicly for free, merged with other breaches into so-called combolists. A list of a million email addresses with corresponding passwords can sell for a few hundred dollars.

Buyers of this data use it in several ways. The most immediate threat is credential stuffing: automated tooling tries each email and password pair from the dump against other popular services such as Gmail, banking apps and social media, usually through proxy networks so that the attempts arrive from many different addresses. If you use the same password across multiple accounts, the pair that worked on the breached site works on those too.

Credential stuffing works because most people reuse passwords. Attackers don't need to break into Google or your bank directly; they only need one breached site where you used the same password, and it is that site's security, not the bank's, that decides the outcome.
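From the defender's side, a credential-stuffing run has a recognisable shape in authentication logs: one source trying many different accounts with a high failure rate and the occasional success (the reused password). The following is an added example, not from the original article, that parses a constructed log format (`<timestamp> ip=<source> user=<account> result=OK|FAIL`, not any particular product's format) and flags sources that match that pattern; the sample lines, thresholds and field names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format for this example (not any real product's format):
# <timestamp> ip=<source> user=<account> result=OK|FAIL
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one user who mistypes once, one who logs in cleanly,
# and one source replaying a breach list against ten different accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=198.51.100.5 user=alice@example.com result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.5 user=alice@example.com result=OK
2024-05-01T10:01:12Z ip=198.51.100.23 user=bob@example.com result=OK
2024-05-01T10:02:00Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-05-01T10:02:00Z ip=203.0.113.7 user=dave@example.com result=OK
2024-05-01T10:02:01Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-05-01T10:02:01Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-05-01T10:02:02Z ip=203.0.113.7 user=grace@example.com result=FAIL
2024-05-01T10:02:02Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2024-05-01T10:02:03Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2024-05-01T10:02:03Z ip=203.0.113.7 user=judy@example.com result=FAIL
2024-05-01T10:02:04Z ip=203.0.113.7 user=mallory@example.com result=FAIL
2024-05-01T10:02:04Z ip=203.0.113.7 user=oscar@example.com result=FAIL
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn raw lines into event dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users: int = 5,
                               min_failure_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag sources that hit many distinct accounts with mostly failures.

    A normal user fails against one account a few times; a stuffing run fails
    against many accounts and succeeds only where a password was reused.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": []})
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["attempts"] += 1
        if ev["result"] == "FAIL":
            stats["failures"] += 1
        else:
            stats["hits"].append(ev["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "failure_ratio": round(ratio, 2),
                # successes from a flagged source are the accounts whose reused password worked
                "likely_compromised": sorted(stats["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The one successful login from the flagged source is the actionable output: that account's password was reused from somewhere else and should be reset, not just the attack blocked. Two caveats for real logs: attackers spread a run across proxy networks precisely so that no single address crosses a per-IP threshold, so the same counting is usually also done per ASN, per user-agent fingerprint, or site-wide; and a corporate NAT gateway can legitimately show many distinct users from one address, though not with a failure ratio like the one above.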

Your email address ends up on spam lists

Even if your password wasn't compromised, your email address alone has value. Breached email lists are sold to spammers who use them for mass marketing campaigns and phishing attacks. This is often why you start receiving spam emails from services you've never signed up for — your address was purchased from a breach list.

Phishing emails built from breach lists can be far more targeted than generic spam. The attacker knows which service you were registered with, and sometimes your name and other profile details from the same dump, so the fake "security alert" or "password reset" email can name the right service and look convincing.

How long does the risk last?

Once your email address is in a breach, it stays in circulation indefinitely. Old breach data continues to be traded and reused for years. There's no expiry date on a stolen email address.

This is one reason the volume of spam and phishing email you receive tends to grow the longer you've been online. Each breach adds your address to more lists.

How to check if your email has been in a breach

A free service called Have I Been Pwned (haveibeenpwned.com) lets you check whether your email address appears in known data breaches. It's operated by a reputable security researcher and is widely trusted, and it can notify you when your address turns up in a future breach. If your email appears in a breach, change the password for that service, and change it on every other site where you used the same password, since that reuse is exactly what credential stuffing exploits. Enable two-factor authentication wherever it's offered, so that a leaked password alone is not enough to log in.
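The account (email) search on Have I Been Pwned requires an API key for programmatic use, but the same service also publishes Pwned Passwords, which lets you check whether a specific password has appeared in breaches without ever sending the password itself: you send only the first five hex characters of its SHA-1 hash to `https://api.pwnedpasswords.com/range/<prefix>` and match the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The following is an added example, not code from the article or from Have I Been Pwned, that implements that check; the network call is real but the sample response, its counts and the `offline_fetch` helper are constructed so the example runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5 chars that are sent and the 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Each response line is SUFFIX:COUNT; padded responses also contain zero-count decoy lines."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup over the network. Only the 5-character hash prefix leaves your machine.

    The Add-Padding header asks the service to pad every response to a similar size so
    a network observer cannot infer the prefix from the response length.
    """
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appeared in breaches (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the response to /range/5BAA6 so the example runs offline.
# The first suffix is the real SHA-1 remainder for "password"; the counts and the
# other two lines are made up for the example and are not real API data.
SAMPLE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
        "0000000000000000000000000000000000A:0\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Hypothetical fetcher that answers from the constructed sample instead of the network."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7291"):
        print(repr(pw), "->", pwned_count(pw, fetch=offline_fetch))
```

To run it against the live service, call `pwned_count(pw)` without the `fetch` argument. A non-zero count means the password is in attackers' wordlists and will be among the first candidates tried in a credential-stuffing run, regardless of how strong it looks.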

Reducing your exposure going forward

The most effective way to limit your exposure in future breaches is to minimize the number of services that hold your real email address. For signups where you only need a one-time confirmation, a disposable email address means that even if that service is breached, your real address is never exposed. For accounts you keep, giving each service its own alias (or a plus-address such as you+shopname@example.com, where your provider supports it) has a side benefit: when spam starts arriving at one alias, you know exactly which service leaked it.

You can't eliminate the risk of data breaches entirely; they're a problem with the services you use, not your own systems. But you can significantly reduce the damage they cause by keeping your real email address away from low-trust signups, and by using a different password for every account so that one breach can't be turned into a dozen.