Joe Tidy, Cyber Correspondent, BBC World Service
Data breaches are becoming so common that it can be difficult to know how to react when one happens to you. It’s often easy to ignore, but there is a risk.
Being a victim of a data breach increases your chances of being targeted by criminals and scammers.
Sue Shore told the BBC how scammers targeted her. We discovered that her details had been leaked online.
Sue was a victim of what is known as a Sim swapping attack, where fraudsters trick a network operator into thinking they are the account holder in order to obtain a new Sim card for a mobile device.
They used it to take over almost all of her online accounts through her phone. She said the experience was “horrible.”
“Scammers took over my Gmail account and then blocked me from accessing my bank accounts because they didn’t pass security checks,” she said.
Sue also had a credit card opened in her name and the criminals bought more than £3,000 in vouchers.
It took multiple trips to her bank branches and mobile phone provider to recover her accounts.
And the thieves weren’t done.
“The criminals also did something sinister after breaking into my WhatsApp,” she said. “They sent messages to riding groups warning that people were on their way to stab the horses.”
We searched hacker databases using online tools such as haveibeenpwned.com and Constella Intelligence to see if Sue’s details were previously compromised.
Her phone number, email address, date of birth and physical address were exposed in data breaches on gaming platform PaddyPower in 2010 and email validation tool Verifications.io in 2019. Other compilations of hacked records also included her details.
Hannah Baumgaertner of cyber firm Silobreaker said the attackers likely used personal data leaked in previous breaches to carry out the Sim-swapping attack.
“Once they had access to Sue’s phone number, they were able to intercept the security codes sent to verify her identity in her Gmail account,” she said.
Netflix hijacked
But scammers aren’t always looking for big payouts.
Fran, from Brazil, told the BBC that she discovered that a user had signed up for her Netflix account and increased her monthly subscription.
“They charged my payment card $9.90 (£7.50) even though I had not made this purchase,” she said.
“I immediately contacted my family to see if anyone had added another profile to the account we shared, but they all said no.”
Fran was the victim of a common scam in which a freeloader hijacked her Netflix account.
It’s not known exactly how they got into her account, and the murky world of cybercrime means it’s difficult to determine whether a single data breach led to someone being scammed.
But we discovered that Fran’s email address had been exposed in at least four data breaches, including attacks on Internet Archive (2024), Trello (2024), Descomplica (2021) and Wattpad (2020), according to the website haveibeenpwned.com.
The password she used for her Netflix account is not in publicly known databases, but it could be in others.
“There is a huge market for hacked Netflix, Disney and Spotify accounts,” said Alon Gal, co-founder of cybersecurity company Hudson Rock.
“It is a low-barrier entry point for cybercrime, turning a company’s data breach into widespread and ongoing abuse.”
Scammers often combine stolen private information with public information.
Leah, who did not want to give her real name, runs a small business that uses Facebook ads and was recently the target of a long-running scam that apparently originated in Vietnam.
“I received a phishing email from ‘notifications@facebookmail.com’ saying I should receive a refund. I clicked the link and entered my details on the fake Meta page and the scammers were able to take over my trading account even though I had 2-factor authentication.
“Then they posted child sexual abuse videos under my name, which got me blocked. They even banned me from using Messenger to complain to Meta.”
In the three days it took Leah to recover her trading account, scammers had posted hundreds of pounds worth of ads paid for by her. She finally got the money back.
Alberto Casares of Constella Intelligence searched hacker databases and found that Leah’s email address and other details were obtained in data breaches at Gravatar (2020) and this year’s Qantas (third party breach).
“It appears that the attackers used a common technique of linking Leah’s stolen private email address to her publicly listed business number to launch a targeted phishing attack against the email account.”
They could have done it themselves or used a data broker to pay for a series of potential targets, he said.
Massive data breaches
Massive data breaches are fueling scams and secondary attacks around the world, with several high-profile attacks set to occur in 2025 alone.
According to the Proton Mail Data Breach Observatory, 794 verified breaches have been discovered from identifiable sources so far in 2025 with over 300 million individual records exposed.
“Criminals pay high prices for stolen data because they constantly generate profits through fraud, extortion and cyberattacks,” said the company’s Eamonn Maguire.
Other than notifying customers and regulators about breaches, there are no hard and fast rules for what companies must do for victims.
Offering free credit monitoring, for example, used to be common.
Last year, Ticketmaster (which saw 500 million people affected by a breach) offered this to some people.
But this year fewer companies are doing this. Marks and Spencer and Qantas, for example, have not offered these services to customers.
The Co-op opted to give victims a £10 voucher if they spent £40 in its stores.
Some are trying to seek compensation in court, with a growing trend of class-action lawsuits, although they are notoriously difficult to win because it is difficult to prove how people have been affected.
But some have been successful.
T-Mobile has begun paying customers affected by a major data breach in 2021 that affected 76 million customers.
The company agreed to pay $350 million, with payments reportedly ranging from $50 to $300.





























