What Is a Data Breach? How It Happens and How to Protect Yourself

~/sheets/what-is-a-data-breach.md
What Is a Data Breach and Why Should You Care?
A data breach happens when an unauthorized person gains access to confidential information — usually from a company's database. This can include your email address, passwords, credit card numbers, Social Security numbers, medical records, and more. Even if you practice perfect security, a breach at a company you use can expose your data without any fault of your own.
Major breaches happen constantly. Yahoo exposed 3 billion accounts. LinkedIn leaked 700 million user records. T-Mobile, Equifax, Facebook — the list grows every month. The question is not whether your data has been breached, but how many times.
How Data Breaches Happen
Companies get breached through several common attack vectors:
Phishing attacks — an employee clicks a malicious link, giving attackers a foothold inside the company network
Weak or reused passwords — attackers use credentials leaked from one breach to access systems at another company (credential stuffing)
Unpatched software — known vulnerabilities that were never fixed become entry points
Misconfigured databases — cloud storage left publicly accessible without authentication
Insider threats — disgruntled or bribed employees with legitimate access
SQL injection — attackers manipulate database queries through poorly coded websites
What Data Gets Exposed?
The severity of a breach depends on what was stolen:
Low risk — email addresses, usernames, public profile data
Medium risk — phone numbers, dates of birth, physical addresses
High risk — passwords (even hashed ones), security questions
Critical risk — credit card numbers, Social Security numbers, medical records, government IDs
Even "low risk" data is dangerous because attackers combine data from multiple breaches to build complete profiles for identity theft.
How to Check If You Are Affected
The first step is finding out if your email appears in known breaches. Use our Email Breach Checker to search your email address against databases of known compromised accounts. This gives you a clear picture of which services leaked your data and when.
What to Do After a Breach
Change the password immediately — for the breached service and any other account where you used the same password. Use our Password Strength Checker to ensure your new password is strong
Enable two-factor authentication — this makes a stolen password alone insufficient for access. See our 2FA guide
Watch for phishing — after a breach, attackers often send targeted phishing emails pretending to be the breached company. Be skeptical of any email asking you to click a link or provide information
Monitor your accounts — check bank statements, credit reports, and account activity for anything unfamiliar
Consider a credit freeze — if sensitive financial data was exposed, a credit freeze prevents new accounts from being opened in your name
How to Protect Yourself Before the Next Breach
You cannot prevent companies from being breached, but you can minimize the damage:
Use unique passwords everywhere — read our Password Manager Guide to make this practical
Give companies minimal data — do not fill in optional fields on signup forms
Use email aliases — some email providers let you create aliases so each service gets a different address
Check your exposure regularly — run our Email Breach Checker periodically
Review your digital footprint — understand what data is already out there about you
Bottom Line
Data breaches are not your fault, but dealing with the consequences is your responsibility. Start by checking if your email has been compromised at our Email Breach Checker, then run a full Privacy Checkup to evaluate your overall security. The combination of unique passwords, two-factor authentication, and regular monitoring is your best defense against the inevitable next breach.
Last updated: April 2026