Why Are Thieves After Your Data?
In 2023, a Russian ransomware organization began exploiting a popular file transfer software. They went on to breach government organizations, schools, banks, and businesses [*].
They stole and leaked millions of state driver's licenses, financial information from universities, and sensitive data from hundreds of organizations around the globe.
The hackers claimed that they have no interest in "government, city, or police service" data. They also spared individuals. Instead, they appeared to focus on ransoming companies to uncover flaws in federal cybersecurity [*].
Not all hackers follow this approach. Some steal personal data to sell it on the Dark Web or use it for identity theft purposes. Others use it for blackmail, extortion, grandstanding, and activism.
Whatever the reasons, breaching and leaking personally identifiable information (PII) and other sensitive data can lead to disastrous outcomes for those involved.
This guide outlines the different types of information that hackers steal and what they can do with it. We’ll also show you how you can stop them.
What Can Hackers Do With Your Stolen Data?
If hackers obtain your sensitive information, they have the potential to cause you substantial harm — leading to both financial and legal difficulties. Here are 10 schemes for which fraudsters may use your stolen data.
1. Sell your data on Dark Web marketplaces
The Dark Web is a popular haven for stolen data because of its various black markets and relative anonymity. Here, illicit marketplaces sell all types of data pertaining to individuals and organizations.
Types of data on the Dark Web
Data on individuals: Hackers steal personal details, such as credit card information, phone numbers, and Social Security numbers (SSNs). Research from Comparitech found that full credential bundles for U.S. victims sell for an average of $8 on the Dark Web, the cheapest of any country [*].
Data on organizations: Stolen organizational data may include corporate login credentials, system vulnerabilities, or even proprietary code and trade secrets from private ChatGPT queries [*].
Research has found that the average price of corporate access data approached $5,000, depending on company revenue [*].
2. Credential stuffing attacks
Wielding limited personal information, cybercriminals can access accounts by using credential stuffing. With information from previous data breaches, hackers can break into other accounts to steal more information or make purchases.
People who reuse login credentials risk becoming victims of these attacks, especially if their credentials were exposed in the past.
Types of credential stuffing
To harvest personal information: Many online accounts contain personal information, such as a victim's name and other identifiers. In 2022, hackers breached nearly 35,000 PayPal accounts by using leaked login information. They then acquired names, addresses, SSNs, tax ID numbers, and dates of birth [*].
For e-commerce fraud: Accessing e-commerce accounts might reveal payment details or allow cybercriminals to make purchases. For example, when credential stuffers breached General Motors’ customer accounts in April of 2022, they obtained private customer data and redeemed reward points for gift cards [*].
3. Targeted phishing attacks
While general phishing attacks cast a wide net, targeted phishing attacks focus their aim on select individuals and organizations. These attacks use personal information to increase apparent authenticity and effectiveness.
Types of phishing attacks
Social engineering: Social engineering attacks prey on people's natural tendency to trust. The more information with which scammers arm themselves, the more convincing these schemes become.
In 2023, scammers used a spoofed phone number and cloned voice to con a California senior into thinking she was sending $14,000 to her grandson [*].
Corporate espionage and theft: Phishing can dupe employees into downloading malware on their corporate computers or revealing confidential information.
Research from Barracuda Networks found that most organizations receive five personalized spear-phishing attempts each day, and 25% of organizations had at least one compromised account in 2022 [*].
🎯 Related: What To Do If You Click on a Phishing Link →
4. Hijack company networks
Hackers hijack company networks for many different reasons. They may want a ransom payment — or unimpeded access to company and employee information.
They might make political or ideological statements, or simply demonstrate their hacking prowess. Regardless of the motive, the consequences can be catastrophic.
Effects of hijacked company networks
Overwhelming costs: According to IBM, data breach damages averaged $4.35 billion globally — 83% of affected organizations had been targeted more than once [*].
While large companies may survive, significant data breaches can bankrupt smaller organizations. In the end, the customer usually foots the bill; 60% of breached companies raised their prices in response.
Large-scale shut-downs: To limit damages, hijacked companies may shut down their networks. This happened to the Tallahassee Memorial Hospital in Florida [*]. After an apparent cyberattack, the hospital took its system offline and diverted emergency patients to other facilities.
5. File fraudulent claims
Stolen data can lead to many different types of identity theft, including fraudulent government funding claims. For example, when the government started providing pandemic benefits to eligible communities, the Federal Trade Commission (FTC) saw a 3,000% increase in identity theft complaints [*].
Types of fraudulent claims
Tax return fraud: In 2023, the Internal Revenue Service (IRS) flagged over one million potentially fraudulent claims [*]. It confirmed over 12,000 claims as fraudulent, and blocked more than $105 million in refunds.
Despite rigorous clampdowns, unlawful claims still slip through. A Florida man with a fake passport and stolen information was able to cash his victim's tax return check for over $24,000 [*].
A California couple, for instance, had unemployment claims filed in their names without their knowledge [*]. It was only after the Employment Development Department (EDD) seized $1,800 from their tax returns that they knew their identities had been stolen.
6. Account takeover fraud
Fraudsters can use stolen information, malware, and other methods to gain access to your devices and accounts.
Once in, they can commandeer accounts by changing the login information. According to Javelin research, account takeover fraud losses increased by 90% between 2020 and 2021 [*].
Types of account takeovers
Spear-phishing: In California, a scammer posing as a credit union representative convinced a military service member to click on a password reset link [*].
The call came from a spoofed number; scammers knew the victim's name, address, and military rank. Once they had the man's password, the scammers took over his bank account, stole $7,000, and even took out a $6,500 loan.
SIM card swaps: A 2023 T-Mobile data breach resulted in many customers losing their phone service due to SIM swap scams [*]. With control of a victim's phone, hackers had easy access to online bank accounts and the thousands of dollars within them.
7. Demand a ransom
Hackers often extort their victims, threatening to expose data or hijack networks. In the first half of 2023, companies paid out nearly $450 million in ransoms to such scams [*].
Types of ransom
Targeting organizations: In 2021, a hacker collective gained access to the entire Colonial Pipeline system using a single compromised password [*].
The hackers encrypted the organization's data and held it hostage, forcing Colonial to shut down its system and pay nearly $5 million for the decryption key. The attack caused massive fuel shortages and increased fuel prices.
Targeting individuals: For years, sextortion scams have circulated, threatening the public release of private and compromising images in exchange for money.
Hackers also ransom PII and other revealing data. In 2022, hackers ransomed Knox College students with the threat of releasing their private medical records [*].
8. Threaten to leak your data
Hackers use the threat of leaked data as a means to manipulate and control their victims. They may blackmail targets for ransom money or other forms of advantage. In some cases they leak data to ruin the reputation or credibility of their victim.
Types of leaked data
Hacktivism: Despite starting out as a ransom request of $4.5 million, the hacker group that stole 80 gigabytes (GB) of Reddit data in 2023 resorted to hacktivism [*]. The hackers demanded that Reddit abandon its plans to introduce steep pricing for third-party app access.
Doxxing: The term doxing comes from the '90s hacker playbook of "dropping docs" about someone private for the public to see [*].
Three decades later, people use doxxing as a means of retaliation, deterrence, and harassment. When a gaming company staffer celebrated a collaboration with a Black streamer, hackers leaked his employee ID [*]. Racial slurs, voicemails, and texts followed. He also endured a barrage of hostile phone calls and explicit death threats.
9. Open fraudulent credit cards or bank accounts
Scammers use stolen data to open new financial accounts to steal, launder money, and evade taxes. According to the Insurance Information Institute, new credit card and bank account fraud ranked first and third among the most common types of identity fraud in 2022 [*].
Types of fraudulent financial accounts
New credit cards: Fraudsters can open a credit card in your name and overshoot your credit limit before you receive a single notification.
That's what happened to a New Jersey man who received a new Visa card in the mail that he didn't request. To his dismay, the card had an outstanding balance of $6,000 accumulated from cash advances and purchases [*].
New bank accounts: The U.S. Department of Labor blamed fraud for the bulk of the $163 billion in errant unemployment benefits disbursed throughout the pandemic [*].
Fraudsters often set up illegal accounts to collect and deposit benefits in other people's names. A Chicago man encountered this scam in 2022 [*]. Thieves altered his unemployment information to reroute his payments to their bank account.
10. Obtain identity-related documents
Data thieves use stolen information to create official-looking documents in order to better impersonate you. This helps them evade taxes or criminal charges and/or gain access to services in your name.
Types of identity-related documents fraud
Forged driver's licenses: A fake driver's license adds to the authenticity of thieves’ money-making plots — helping them elude the law.
A Philadelphia man only discovered a fabricated driver's license in his name after he received a car accident citation in the mail [*].
Forged medical records: When hackers stole about 11 million patient records from HCA Healthcare in 2023, the ensuing chaos was inevitable [*]. One victim of the breach — a Georgia woman — received a text, phone call, and bill for over $3,600 from an Emergency Room (ER) visit that she never made.
How To Protect Your Personal Information
The most effective way to protect your personal information is to take preventative steps. Keep documents like your driver's license and SSN safe and private. Never share your debit and credit card numbers or card details, and exercise caution when shopping online.
By using the steps below, you can recover from hacks and stolen data without suffering long-lasting effects:
- Assess what data was exposed. Use Aura’s leaked password scanner or a service like HaveIBeenPwned to confirm if a breach included your emails and passwords. You can also learn details about the breach, such as what other personal information was compromised.
- Update all critical account passwords. Secure your online accounts with strong passwords that mix words and symbols and omit personal information. Also set up a password manager and two-factor authentication (2FA).
- Contact any organization that collects data about you. Alert any credit reporting agencies (CRAs), healthcare providers, insurance companies, and the IRS of a potential identity theft. They can flag your file and take extra precautions with your identity.
- File a report with the FTC if applicable. The FTC fields identity theft reports and shares the information with law enforcement as needed. Print out a recovery plan and sample letters from the FTC to help communicate with other organizations. File an identity theft complaint at: identitytheft.gov.
- Recognize and report phishing scams. Once exposed, your data can be used against you in convincing phishing scams. Learn how to identify phishing scams and report them to the FTC at: reportfraud.ftc.gov.
- Limit social media sharing. Cybercriminals weaponize information from social media to crack passwords and improve their scams. Reduce how much personal information you share online, audit your contact list, and delete any unused accounts.
- Opt out of data broker sites. Start by removing yourself from data broker sites that have easy opt-out forms. Then tackle the more complex opt-outs that require submitting identification or notarized letters.
- Use email aliases for non-critical accounts. Consider using an alternate email when creating online accounts. If these databases get breached, your primary information won't be at risk.
- Sign up for identity theft protection and Dark Web monitoring. Aura's protection solution includes credit and Dark Web scans that send you alerts if your email was found on the Dark Web.
- Invest in antivirus software. Consider an antivirus software that scans your devices and files for malicious software or programs. This will alert you if hackers send you malware intended to steal your data or seize remote access.
- Avoid unfamiliar Wi-Fi networks, and/or use a VPN. Hackers may set up fake Wi-Fi or hotspot networks to spy on your activity. A virtual private network (VPN) ensures that your internet traffic and information pass through an encrypted tunnel, hiding it from onlookers.
No single protection method can keep your personal information safe. You likely need to deploy all or most of the steps above to protect yourself. You might also consider an all-in-one digital security package.
Aura takes much of the legwork out of data protection, monitoring your personal information, and sending you timely alerts. And if the worst should happen, Aura's U.S.-based team of 24/7 White Glove Fraud Resolution Specialists will walk you through the recovery process to make sure you don't miss a step.