
You've been breached and don't even know it: silent leaks fueling identity theft


The abundance of data breaches and personally identifiable information (PII) leaks has a desensitizing effect. In 2018, I was stunned by the massive 50 million Facebook user account breach, which paled in comparison to the 100GB RockYou2021 credential dump with over 8 billion entries.

Just a month ago, our researchers stumbled upon the biggest password leak with 16 billion account credentials. Considering that that's two breached accounts for every person on the planet, you may ask whether securing your online identity has any palpable purpose.

The diminishing concern over exposed PII is also discussed in the ACM Transactions on Computer-Human Interaction (TOCHI) scientific journal, which I refer to in this article. It reveals that even after a data breach, only 12% of survey respondents enabled two-factor authentication (2FA), which is one of the most effective online account security methods currently available.

That leaves plenty of accounts open for exploitation. In turn, they can be used to infect user devices with infostealers that carry out silent data breaches to extract more sensitive data. Unlike the hit-and-run Facebook breach, these unnoticed data leaks can last for months, resulting in colossal credential dumps.

I intend to shed some light on the unseen breaches and their identity theft risks. I'll start with common data leak misconceptions, but you can also jump to my advice on digital identity protection in the last section.

My tips on data leaks

Don't downplay data privacy risks. A common misconception is that identity theft always happens to someone else. While a relatively small number of personal information leak victims experience genuine financial losses, not protecting your digital identity can make you one. Also, hackers may be using your information for long-term scams, like synthetic identity fraud, and you may face consequences years after the breach.

Take quick action. When hackers obtain a set of leaked credentials, they use automated software to target hundreds of accounts in a short time. In 2019, thousands of Disney+ accounts were hacked just after the service launched. Hackers used credential stuffing to steal accounts with previously leaked passwords, and users who didn't update their logins quickly had to pay for another subscription.

Check for data leaks. You can only take quick action if you know when your data has been stolen. One way is to use the free Have I Been Pwned website, which has a massive database of email-related leaks. I also recommend getting an identity theft protection service, which also monitors credit bureaus, alerts you to SSN leaks, and, preferably, offers a password manager to change your credentials quickly.

Use two-factor authentication (2FA). Even if you use strong and unique passwords, they may appear in new data leaks. 2FA forces a second authentication step, like verification via email, SMS, or biometrics. This way, even if hackers obtain your authentic credentials, they cannot pass the additional 2FA verification, so be sure to set it up on all services that support this feature.
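The credential stuffing pattern from the "Take quick action" tip, seen from the service's side: this is an added example, not part of the original article, that flags a source IP trying many different accounts within minutes and lists the accounts whose logins succeeded and therefore need a password reset. The log format, thresholds, and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the service's normal login traffic.
WINDOW = timedelta(minutes=5)   # sliding window per source IP
MIN_ACCOUNTS = 5                # distinct usernames tried inside the window
MIN_FAIL_RATIO = 0.8            # share of failed attempts inside the window

# Constructed sample log: "<ISO timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
SAMPLE_LOG = [
    "2025-01-01T12:00:00 ip=203.0.113.7 user=alice result=FAIL",
    "2025-01-01T12:00:05 ip=203.0.113.7 user=bob result=FAIL",
    "2025-01-01T12:00:10 ip=203.0.113.7 user=carol result=FAIL",
    "2025-01-01T12:00:15 ip=203.0.113.7 user=dana result=OK",
    "2025-01-01T12:00:20 ip=203.0.113.7 user=erin result=FAIL",
    "2025-01-01T12:00:25 ip=203.0.113.7 user=frank result=FAIL",
    "2025-01-01T12:01:00 ip=198.51.100.4 user=gina result=FAIL",  # typo, same user
    "2025-01-01T12:01:30 ip=198.51.100.4 user=gina result=OK",
]

def parse(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return (datetime.fromisoformat(ts), fields["ip"],
            fields["user"], fields["result"] == "OK")

def detect_stuffing(lines):
    """Return {ip: accounts that logged in successfully} for IPs whose
    recent attempts span many usernames and mostly fail."""
    windows = defaultdict(deque)   # ip -> attempts still inside WINDOW
    flagged = defaultdict(set)     # ip -> accounts likely taken over
    for ts, ip, user, ok in sorted(map(parse, lines)):
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:      # drop attempts older than WINDOW
            win.popleft()
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, o in win if not o)
        if len(users) >= MIN_ACCOUNTS and fails / len(win) >= MIN_FAIL_RATIO:
            # A success inside a stuffing burst means a leaked password worked.
            flagged[ip].update(u for _, u, o in win if o)
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The one successful login inside the burst is the account that reused a leaked password; a single user mistyping their own password never reaches the distinct-account threshold.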

How silent breaches fuel identity theft

This year, the FTC reported that US citizens lost $12.5 billion to fraud in 2024, with $5.7 billion attributed to investment scams. Hackers use personal information obtained through data leaks and silent breaches, social media feeds, and hacked accounts to craft appealing investment offerings and lure victims into transferring money, promising returns.

In this case, silent hacking techniques are particularly efficient. Infostealers like RedLine and Vidar are widely available on dark net forums and, after infecting unsecured devices, can gather user data for months unnoticed.

These invisible cyberthreats target businesses and individual users alike. This was the case with the infamous 2018 Marriott hotel data leak, which exposed up to 500 million guest records. Through a third party, hackers infiltrated Marriott's computer network in 2016 and gathered data for two years, until it was successfully extracted. Marriott was fined approximately $23.9 million.

Scams you should know of

After learning your data was exposed, you should know the exact identity theft risks you may face in the future. Here are three scam examples that heavily rely on information leaks.

Romance scams

Romance scams are widespread on dating apps like Tinder and Bumble and can be devastating for the victim. The FBI reports that "in 2023 alone, 17,832 victims reported more than $650 million in losses" to romance scams.

In Orange County, California, one successful businesswoman was seduced into transferring $2.3 million into a fraudulent crypto trading platform by a scammer she met on the dating app Luxy. Although only a few romance scams can boast of such losses, they reveal how devastating they can be.

They are also highly efficient when fueled by personal information. Fraudsters scout social networks for victims' hobbies, work experience, interests, and any other details to initiate the conversation and successfully attract the victim. Once they establish a relationship of fake mutual trust, they start asking to transfer money and disappear afterward.

Synthetic identity fraud

Synthetic identity theft combines PII, usually an SSN, from cybersecurity leaks with fake information. Scammers look for victims with clean credit records, who can also be children. They then combine a legitimate SSN with a fake name, address, and phone number to open up a credit profile.

Then, they slowly and secretly build a positive credit history. After "warming up" the credit account for months or even years, fraudsters finish by taking out huge loans and maxing out all other available credit lines.

TransUnion credit bureau reports that potential losses to synthetic identity scams amounted to $3.3 billion in 2024. To learn more about such cyber crimes, I invite you to visit our complete guide to scams in 2025.

Phishing

You may have heard about the Nigerian prince fraud, which is one of the earliest phishing scams dating back to the 1990s. Also called an advance-fee scam, it promises to transfer a huge sum of money after the victim pays a fee to initiate the transfer.

As naive as it sounds, it was highly efficient in the early days of the internet. The complete lack of cybersecurity awareness and the get-rich-quick tone tricked many. According to Surfshark cybersecurity experts, "Americans lost over $500 million to advance-fee scams in the past five years."

Contemporary phishing scams like this are much more efficient. Instead of a "Dear Sir or Madam" greeting, they use the victim's real name and surname. A convincing phishing letter may also include a real address, credit card, and phone numbers, all obtained through silent data breaches.

Why Cambridge Analytica harvested Facebook profiles

Near the end of my PhD studies on critical media theory in 2018, the Cambridge Analytica scandal broke out, which I followed closely. Cambridge Analytica was a British political consultancy and data science company that assisted politicians during their election campaigns.

In 2014, the company started harvesting Facebook user profiles, exploiting the platform's API vulnerabilities. The scheme was disguised as a survey. Facebook users who filled in the survey unknowingly shared their data with Cambridge Analytica. More importantly, every contact in their friends list was also snatched.

The scheme managed to harvest up to 87 million Facebook profiles. In turn, Cambridge Analytica allegedly used them to forge personalized ads for Donald Trump's 2016 election.

Due to the extraordinary complexity of the scheme, establishing direct Cambridge Analytica involvement in the election outcomes proved to be too challenging. However, the FTC fined Facebook $5 billion for failing to protect its user profiles, and Cambridge Analytica went bankrupt soon after the news broke out.

Although not a case of identity theft, this scandal is one of the best examples of the misuse of personal information. Victims, in this case, did not experience financial losses. Instead, they were subjected to political targeting and manipulation, outlining the importance of online privacy protection.

[Infographic: Cambridge Analytica timeline]

Cybersecurity breaches you may have missed

The previous section revealed how data leaks fuel identity theft and schemes that go beyond monetary gains. The abundance of data breaches makes it hard to follow who exactly has and uses your information.

To give you a better view, take a look at the infographic of the biggest data breaches of our century below:

[Infographic: Biggest data breaches of the 21st century]

The unfortunate reality is that most people will experience a personal data leak simply because they are active online. Although governments issue hefty fines for businesses that fail to protect their users, cyber hygiene for identity protection is a must until private businesses and government agencies sufficiently improve their cybersecurity.

How data leaks affect victims

There is a lack of scientific research on the exact data leak effects on victims. I was lucky to find a fresh Crime and Justice Journal study on this exact topic. I also reviewed the lengthy "Individuals' Reactions to Data Breaches" study published by TOCHI.

Both studies analyze personal data leak effects from different angles. Let's start with the Crime and Justice Journal.

Personal data breach effect study

The first study surveyed 552 data breach victims from Australia. Researchers analyzed a broad spectrum of negative outcomes that do not necessarily include financial loss. The researchers defined four negative data breach outcomes: emotional, relationship, financial, and health well-being decline.

Some findings are self-explanatory, such as the leak of personal images being associated with increased emotional stress. Others were more interesting, as victims associated email leaks with both physical and financial well-being. Meanwhile, the phone number leak primarily caused emotional strain.

Losing personal images encompasses all four negative outcomes, which was also the case with data breaches resulting in monetary loss. Lastly, a data breach from a supposedly trustworthy source was also more likely to cause all four negative outcomes.

As the researchers agree, the sample of 552 is very limited, and scientific papers should continue exploring the topic. However, its actual value lies in the differentiation of the negative data breach outcomes.

For a long time, data breaches were viewed predominantly from a financial loss perspective. This research reveals that the outcomes are more complex as we depend more and more on our virtual habitat.

The result identifies the data leaks that cause the most stress across the four categories. In turn, data protection should focus on the most sensitive data first, and data breach and identity theft remediation should include support particular to that specific situation.

Personal (in)action during and after data breaches

The study by TOCHI called "Awareness, Intention, (In)Action: Individuals' Reactions to Data Breaches" takes a similar approach with a different focus. The researchers surveyed 413 people who were shown their data leaks on the Have I Been Pwned website.

The sample was provided with five initial and two follow-up questions six months later. The study's focus was to identify the reactions to exposed data breaches and then mark down what actions were taken to protect their online identities.

75% of responders rated data breach concerns as low. However, leaks of more sensitive information, like passwords and home addresses, drew stronger reactions, causing anger, frustration, and fatigue. A very similar number, 74% of responders, were also unaware that their data had been leaked at all.

The study also found that only 14% accurately identified the cause of the breach, often mistakenly blaming email clients. I found the follow-up questions intriguing, as they are oriented toward monitoring data breach victims' actions after the incident.

69% of responders who answered the follow-up questions stated they have "reviewed their credit reports and/or their financial statements." However, only 11% signed up for a data breach notification service. Similarly, only 8% signed up for identity theft monitoring. Lastly, only 4% put their credit on freeze.

The numbers were significantly better, with 34% of responders changing the password of the affected account and other accounts that used it. 23% deleted the breached account, but, as mentioned previously, only 12% enabled two-factor authentication.

This research reveals that even when faced with an actual cyberthreat, most people rarely take action to mitigate identity theft risks. Many responders didn't consider data breaches concerning, while others said that identity theft protection costs and efforts outweigh the potential risks.

My tips for online identity protection

The discussed research outlines intertwined issues. Firstly, data breach impact on victims goes beyond financial losses and also encompasses emotional stress, relationship corrosion, and physical well-being decline.

On the other hand, only a minority of people took a proactive approach toward securing their online identities. They either didn't consider it anything serious or lacked the motivation and resources to do so.

The business-side cybersecurity is improving, but the continuous data leaks prove there's a long way to go. I strongly advise taking initiative, so here are my tips on preventing identity theft online:

  • Monitor data leaks. Develop a habit of keeping an eye on personal data leaks. There are numerous excellent and free email leak tools, but consider subscribing to dedicated identity theft protection software that issues automated alerts.
  • Use unique passwords. Password hacking is still the most popular account takeover method. Make sure you use long passwords with upper and lower case letters and symbols. Do not reuse the same password twice, enable 2FA whenever possible, and consider getting a password manager with an autofill feature.
  • Reduce digital footprint. Hackers rarely break into actual devices to steal data. Instead, they visit data broker sites and dark web illegal markets to buy this information risk-free. You can contact data broker sites yourself or use an online data removal service with dark web monitoring to do it for you.
  • Limit oversharing. Personal information on social media is used to personalize convincing phishing letters and carry out synthetic identity fraud. Limiting oversharing is best, but there's no need to lose your virtual social life. Inspect your social network settings and make your account private.

Final thoughts

The cybersecurity paradox is that if it does its job well, then nothing happens. The discussed scientific research reveals that too many people mistakenly downplay data breach risks. Simultaneously, the FTC and FBI continuously report growing losses to investment, romance, and similar frauds.

The 16 billion credential leak we exposed recently will likely be used against at least a fraction of accounts on that list. But keep in mind that identity theft is often a long-term play. Even if you don't experience any adverse effects in the immediate aftermath, it does not mean you will not be targeted in the future.