You get the email. “We are writing to inform you that we recently discovered a data security incident…” and then a carefully written paragraph that tells you almost nothing useful.
What it does not tell you is what actually happens next. What the attackers do with your data. How quickly it moves. Who ends up with it. What the real consequences are for you. In most jurisdictions companies are legally required to notify you; they are not legally required to tell you anything that would alarm you more than necessary.
This article tells you what they do not. Not to frighten you, but because understanding what actually happens to stolen data is the only way to respond to it intelligently.
Start with the scale of the problem. In the first half of 2025 alone, the US recorded 1,732 data breach incidents leading to over 165.7 million breach notifications, according to ESET Security Research. Most victims receive notification weeks or months after the breach actually occurred. The average time to identify a breach is 194 days, according to IBM’s Cost of a Data Breach Report. By the time you know your data was stolen, it has almost certainly already been sold.
Step 1: The breach happens — often without anyone noticing
Many breaches are not discovered by the company being attacked but by external researchers, law enforcement, or customers who notice suspicious activity. A 194-day average time to identify means attackers routinely have roughly six months inside a company’s systems before anyone realizes they are there.
During that time, they are not just stealing data and leaving. They are mapping the environment, identifying the most valuable assets, escalating their access privileges, and extracting data in ways designed to avoid triggering security alerts. When they finally leave, they take exactly what they came for — and often leave behind backdoors that allow them to return.
Step 2: Stolen data enters the criminal marketplace — within days
Most people imagine a breach as one attacker stealing one set of data for their own use. The reality is an industrialized ecosystem. According to BlackFog security research, cybercriminals typically do not use stolen data themselves. They sell it. The dark web — a part of the internet accessible only through specialized software — hosts active marketplaces where stolen data is bought, sold, and traded around the clock.
Speed matters here. Cybersecurity researchers report that stolen data frequently appears for sale on dark web forums within days of a breach — sometimes while the company has not yet realized the breach occurred. The data is packaged, priced, and listed like any commodity in any marketplace. Buyers are other criminals who specialize in using specific types of data for specific types of fraud.
What your stolen data is worth — and who buys it
| Data Type | Dark Web Price (USD) | Who Buys It | What They Do With It |
|---|---|---|---|
| Credit card details | $10 – $240 per card | Card fraudsters | Make purchases, withdraw cash before you notice and cancel |
| Bank account logins | $30 – $4,000 | Account takeover specialists | Drain accounts, transfer funds, take out loans in your name |
| Email address + password | $1 – $10 | Credential stuffers | Try the same login across dozens of sites you use |
| Full identity package (SSN, DOB, address) | $30 – $300 | Identity thieves | Open credit cards, take out loans, file tax returns in your name |
| Medical records | $250 – $1,000 | Insurance fraudsters | File false insurance claims, obtain prescriptions |
| Corporate login credentials | $500 – $3,000 | Ransomware groups | Access company systems for extortion attacks |
| Passport/driving license scans | $100 – $2,000 | Document forgers | Create fake identities for fraud at larger scale |
Step 3: Your data gets used — often multiple times, by multiple criminals
Here is the detail that most breach notification emails deliberately omit: your data does not get used once and discarded. It circulates.
When a criminal buys a stolen email and password, they try it on dozens of other platforms — your bank, your Amazon account, your PayPal, your email provider. This is called credential stuffing, and it is largely automated. One compromised credential can cascade into multiple account takeovers within hours if you reuse passwords across services.
The risk also does not expire. According to Wikipedia’s article on data breaches, which draws on academic and law-enforcement sources, a person’s identifying information circulates on the dark web for years after a breach, leaving an elevated risk of identity theft long after the initial incident is forgotten. A breach from three years ago can result in a fraudulent credit application today.
Biometric data — fingerprints, facial recognition data — is particularly permanent in its risk because unlike passwords, it cannot be reset. If your biometric data is stolen, that specific vulnerability is with you for life.
Step 4: The consequences you will actually experience
The consequences of a breach fall into three categories, and most people only think about the first one.
Financial fraud: Unauthorized transactions on your accounts, fraudulent purchases on credit cards linked to your name, or drained bank accounts are the most immediately visible consequences. These are typically detectable within days and most banks provide some degree of fraud protection that limits your direct loss — though the process of recovering funds and disputing charges is time-consuming and stressful.
Identity theft: This is slower and more damaging than financial fraud. With enough personal information, criminals can open credit accounts, take out loans, file tax returns, or apply for government benefits in your name. Victims of identity theft spend an estimated 200 hours, and often years of correspondence, repairing the damage to their credit history. The ITRC reports that 20% of fraud victims in a single year reported losses over $100,000.
Downstream phishing: Once criminals have your email address and enough personal context — your name, your bank, your employer, your location — they can craft highly convincing phishing attacks specifically targeted at you. These are not the generic ‘dear customer’ emails that spam filters catch. They are personalized messages that reference your actual bank, your actual employer, or your actual recent purchases. These are significantly more difficult to recognize and significantly more likely to succeed.
What to do immediately if you receive a breach notification
- Change your password on the breached service immediately: And change it on any other service where you used the same password. If this is a long list, that itself is the problem — use a password manager going forward.
- Enable two-factor authentication: On the breached account and on any other accounts you have not already secured. This is the single most effective step because a stolen password alone no longer gets an attacker in, which stops automated credential stuffing from completing a login. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping, and remember that a live phishing page can still relay a one-time code, so two-factor authentication complements the email vigilance below rather than replacing it.
- Check HaveIBeenPwned: Visit haveibeenpwned.com and enter your email address. It lists the known breaches in which that address appears and what kinds of data each one exposed (passwords, phone numbers, addresses, and so on). It is free and takes 30 seconds, and you can subscribe to be notified when your address turns up in a new breach.
- Monitor your credit report: In the US, you are entitled to free credit reports from all three bureaus through AnnualCreditReport.com. Check for accounts you did not open. Consider placing a credit freeze: it is free, and because it stops lenders from pulling your report, it blocks most new credit accounts from being opened in your name. You must place it separately with each of the three bureaus, and you can lift it temporarily when you apply for credit yourself.
- Watch for suspicious emails for the next six to twelve months: Breached data is used to launch targeted phishing campaigns, and a message that quotes your real name, bank, or recent purchase may be built from exactly the data that was stolen. Be more vigilant than usual about any email that asks you to click a link, enter credentials, or approve a payment: verify the sender, and reach the service by typing its address or opening its app rather than following the link.
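The first three steps above come down to one audit: which of your saved passwords are reused, and which already sit in a known breach corpus. The example below, added here and not code from the article or from Have I Been Pwned, shows how that audit can be done without ever sending a password anywhere. It uses the k-anonymity scheme of HIBP's Pwned Passwords range API (a separate feature from the email search the list mentions): hash the password with SHA-1, send only the first five hex characters, and compare the returned suffixes on your own machine. The saved logins and the "breach corpus" are constructed sample data so the script runs offline; the live lookup function is included but is not called by the demo.

```python
"""Audit saved logins after a breach notification: flag passwords reused
across services and passwords present in a breach corpus, using the
Pwned Passwords k-anonymity range lookup. Added example; sample data is
constructed, not real breach data."""

import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed sample: (service, password). Two services share a password.
SAVED_LOGINS: List[Tuple[str, str]] = [
    ("example-shop", "Summer2019!"),
    ("example-bank", "Summer2019!"),
    ("example-mail", "correct horse battery staple"),
]

# Constructed stand-in for the breach corpus: password -> times seen.
# The counts are made up; they only drive the offline demo.
_CONSTRUCTED_CORPUS = {"Summer2019!": 3, "password": 10_000_000}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """5-char prefix that is sent over the wire, 35-char suffix kept local."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Count-0 lines are padding (from the
    Add-Padding header) and are dropped."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            table[suffix.upper()] = n
    return table


def _build_offline_ranges() -> Dict[str, str]:
    """Bucket the constructed corpus by hash prefix, like the real service."""
    db: Dict[str, List[str]] = defaultdict(list)
    for pw, count in _CONSTRUCTED_CORPUS.items():
        prefix, suffix = split_hash(sha1_upper(pw))
        db[prefix].append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in db.items()}


_OFFLINE_RANGES = _build_offline_ranges()


def offline_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET /range/{prefix}, backed by the constructed corpus."""
    return _OFFLINE_RANGES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Real range lookup over the network; not used by the offline demo.
    Only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-audit-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def find_reused_passwords(logins: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each password used on more than one service to those services."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for service, pw in logins:
        by_password[pw].append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


def audit(logins: List[Tuple[str, str]],
          fetch_range: Callable[[str], str] = offline_fetch_range):
    """Per-service findings: (service, other services sharing the password, breach count)."""
    reused = find_reused_passwords(logins)
    findings = []
    for service, pw in logins:
        others = [s for s in reused.get(pw, []) if s != service]
        findings.append((service, others, pwned_count(pw, fetch_range)))
    return findings


if __name__ == "__main__":
    for service, others, count in audit(SAVED_LOGINS):
        notes = []
        if others:
            notes.append(f"password reused on {', '.join(others)}")
        if count:
            notes.append(f"seen {count} times in breach corpus")
        print(f"{service}: {'; '.join(notes) or 'no findings'}")
```

Swapping `offline_fetch_range` for `live_fetch_range` turns this into a real check; the service never learns which password you tested, only a five-character hash prefix shared by hundreds of other passwords. Any login flagged as reused or present in the corpus is one to change now, and a password manager makes the reuse column empty going forward.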
Questions people ask after a breach
How long should I be worried after a breach?
Honestly? Years. Stolen data circulates on dark web markets for a long time after a breach. The immediate risk window, the period when your specific data is most actively being used, is typically six to twelve months. But identity theft using stolen data has been recorded many years after the original breach, and details such as a Social Security number cannot simply be changed. Set up credit monitoring, keep two-factor authentication active on all important accounts, and stay vigilant. That is not paranoia; it is proportionate to how this market actually operates.
Should I pay for identity theft protection services?
Some are worth the cost and some are not. The most effective free steps, credit freezes, two-factor authentication, HaveIBeenPwned breach notifications, and careful email vigilance, provide meaningful protection at no cost. Paid services like Aura, Experian IdentityWorks, and similar platforms add dark web monitoring and fraud resolution assistance. If your breach involved financial account credentials or a full identity package (SSN, date of birth, address), a paid monitoring service for twelve to twenty-four months is a reasonable investment. If only your email address was exposed, the free steps are sufficient for most people.
Will the company that was breached compensate me?
Possibly, through class action lawsuits if enough people were affected. AT&T settled for $177 million over two 2024 breaches. Neiman Marcus settled for $3.5 million over a 2024 incident. The settlements in most cases provide modest compensation per individual — often $100 to a few hundred dollars for standard losses, with higher amounts for documented financial harm. The legal process takes years. Class action lawsuit notification websites like TopClassActions.com track open settlements that affected individuals may be eligible for.
The bottom line
A data breach notification is not the end of the story — it is the beginning of a period of heightened risk. The data has already been stolen. It is already circulating. The question now is how effectively you respond to limit the damage. Change compromised passwords, enable two-factor authentication, monitor your credit, and stay alert for targeted phishing attempts. None of this reverses the breach. All of it meaningfully reduces the likelihood that the breach results in serious financial or identity harm to you.
Sources & Methodology
Statistics sourced from IBM Cost of a Data Breach Report 2025, ESET Security Research, BlackFog breach analysis, Identity Theft Resource Center 2025 Business Impact Report, Wikipedia Data Breach documentation, Class Action U, and ITRC reports. Last reviewed: April 21, 2026.