A data breach is when private information — like email addresses, passwords, credit card numbers, or personal details — is stolen or exposed without permission. It usually happens when hackers break into a company’s computer systems and copy their database of user information.
What is a data breach in simple terms?
Think of it like this: you gave your email and password to a website when you signed up. That website stored your information in a database. A data breach happens when someone breaks into that database and steals a copy of everyone’s information.
You did nothing wrong. The company failed to protect the data you trusted them with.
The stolen information typically ends up being sold or shared on underground forums and dark web marketplaces, where other criminals buy it and use it to try to break into your accounts or steal your identity.
How does a data breach happen?
Most breaches happen through one of these methods:
Hacking — Attackers find a vulnerability in a company’s website, servers, or software and exploit it to gain access to their database. This is the most common cause of large breaches.
Phishing attacks on employees — An attacker tricks an employee into revealing their login credentials through a fake email or website. Once inside the company network, they access customer databases.
Ransomware — Malicious software encrypts a company’s files and systems. The attackers demand payment to unlock them, and often steal data before encrypting it as extra leverage.
Insider threats — A current or former employee with access to customer data steals or leaks it, either for financial gain or out of negligence.
Misconfigured systems — A company accidentally leaves a database exposed to the public internet without any password protection. Automated scanners find these open databases within hours.
Third-party breaches — A company’s vendor, partner, or service provider gets breached, and your data is exposed because it was shared with or stored by that third party.
What information gets stolen in a data breach?
It depends on what the company stored. The most commonly stolen data includes:
- Email addresses — found in almost every breach
- Passwords — sometimes stored in plain text (very bad), sometimes hashed (better but still crackable)
- Full names — makes phishing attacks much more convincing
- Phone numbers — used for targeted SMS scams and SIM swapping
- Home addresses — used for physical fraud and identity theft
- Dates of birth — used to pass identity verification questions
- Credit card and bank details — used for financial fraud
- Social Security numbers — used for serious identity theft
- Medical records — used for insurance fraud
The type of data stolen determines how dangerous the breach is for you personally.
How serious is a data breach really?
It depends entirely on what was stolen. Here is a rough severity scale:
Low risk — email address only. You will probably get more spam and phishing emails. Annoying but manageable.
Medium risk — email + password. If you used that password on other sites, those accounts are now at risk. Change them immediately.
High risk — email + password + personal details. Attackers can craft highly targeted phishing attacks and may attempt identity theft.
Critical risk — financial data or Social Security numbers. This can lead to direct financial fraud, fraudulent accounts opened in your name, and long-term identity theft.
Even “low risk” breaches matter because attackers combine data from multiple breaches to build a more complete profile of you. Your email from one breach, your name from another, and your phone number from a third can be combined into a very convincing phishing attack.
How do you find out if you were in a breach?
Companies are legally required to notify you if your data was involved in a breach, but these notifications often come weeks or months later — sometimes buried in your spam folder.
The faster way is to check proactively. EmailLeaked scans over 12 billion records from 962+ known breaches and tells you instantly if your email appeared in any of them. It is free, takes under 10 seconds, and shows you exactly what data was exposed.
What should you do after a data breach?
If your email appears in a breach, take these steps immediately:
- Change the password on the breached account — use something completely new, at least 16 characters
- Change that password everywhere else you used it — attackers try leaked passwords on other sites automatically
- Enable two-factor authentication — this stops attackers even if they have your password
- Watch for phishing emails — be extra cautious about urgent emails for the next 90 days
- Monitor your accounts — check bank statements, email sent folder, and login activity for anything unusual
For a complete walkthrough, read our full guide on what to do after a data breach.
Can companies be held responsible for breaches?
Yes, increasingly so. Data protection laws like GDPR (Europe), CCPA (California), and similar regulations worldwide require companies to protect user data and notify affected individuals promptly after a breach.
Companies that fail to protect data adequately can face:
- Government fines (GDPR fines can reach 4% of annual global revenue)
- Class action lawsuits from affected users
- Regulatory investigations
- Mandatory credit monitoring for affected users (at the company’s expense)
If you were affected by a major breach, check whether a class action lawsuit or settlement exists — you may be entitled to compensation or free credit monitoring.
How common are data breaches in 2026?
Extremely common. Thousands of breaches are reported every year, and the number keeps growing. In 2026 alone, major breaches have already hit healthcare systems, government agencies, financial companies, and consumer services.
The uncomfortable truth is that if you have been using the internet for more than a few years, your email is almost certainly in at least one breach. This is not a reason to panic — it is a reason to use unique passwords, enable two-factor authentication, and check your email regularly.
Frequently asked questions
Is a data breach the same as being hacked?
Not exactly. “Being hacked” usually means someone broke into your personal account. A data breach means a company’s system was hacked and your data was among the information stolen. You can be affected by a breach without your personal accounts being directly hacked — but the stolen data can be used to hack your accounts later.
How long before a company tells you about a breach?
It varies wildly. GDPR requires notification within 72 hours of discovery, but many breaches go undetected for months. The average time between a breach occurring and being discovered is over 200 days. Then add the time it takes to investigate, determine who was affected, and send notifications. This is why proactive checking with tools like EmailLeaked is so important.
What is the biggest data breach ever?
The Yahoo breach of 2013 affected all 3 billion Yahoo accounts, making it the largest breach in history. Other massive breaches include Facebook (533 million records in 2019), LinkedIn (700 million records in 2021), and numerous healthcare and government breaches affecting hundreds of millions of people.
Can you get money back after a breach?
Sometimes. Major breaches often result in class action settlements that provide small payouts to affected individuals, typically $25-$100 per person, plus free credit monitoring. Check if a settlement exists for any breach you were part of.
What is a mega breach?
A mega breach is an informal term for a data breach that affects more than one million people. These attract significant media attention and usually trigger regulatory investigations and class action lawsuits.
What does “encrypted” mean and does it protect me?
Encryption scrambles data so it cannot be read without a special key. Passwords are usually protected with a related but different technique called hashing: a one-way scramble with no key to undo it, so attackers cannot simply unscramble a stolen hash. Instead they guess candidate passwords, hash each guess, and look for one that matches. That makes a stolen hash harder to use than a plain-text password, but not impossible: weak or common passwords can be cracked from hashes within seconds using modern hardware, because they are among the first guesses tried. Strong, unique passwords are much harder to crack even when the hashes are stolen.
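The following Python example is added here to illustrate the point above; it is not code from EmailLeaked. It shows why a weak password behind a fast, unsalted hash is recovered instantly from a guessing list, why a strong password is not, and how a site should store passwords instead (a random per-user salt plus a slow key-derivation function). The five-entry word list is a constructed stand-in for the multi-million-entry lists used against real leaks.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed sample: a tiny stand-in for the huge guessing lists built from
# earlier leaks. Real lists contain hundreds of millions of entries.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: the kind of 'hashed' storage the article calls crackable."""
    return hashlib.sha256(password.encode()).hexdigest()


def guess_from_wordlist(leaked_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each candidate and compare; return the matching password or None.
    Billions of such comparisons per second are possible on consumer hardware."""
    for candidate in wordlist:
        if hmac.compare_digest(fast_hash(candidate), leaked_hash):
            return candidate
    return None


# Defensive storage: every guess now costs ITERATIONS rounds, and the random
# salt means a guess tests only one user, so lists cannot be precomputed.
# A weak password is still found eventually, just far more slowly, which is
# why the article stresses strong, unique passwords.
ITERATIONS = 600_000


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) as a site should store them, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    print(guess_from_wordlist(fast_hash("password123"), SAMPLE_WORDLIST))
    print(guess_from_wordlist(fast_hash("gK7!vq-lantern-orbit-39"), SAMPLE_WORDLIST))
    salt, digest = store_password("password123")
    print(verify_password("password123", salt, digest))
```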