Simply put, a data leak is when personal, private, or sensitive details are exposed without your permission or intent. In other words, your data is leaked online.
When we talk about data leaks here at Guardio, we mean the criminal act of someone exposing your data on the dark web with the intention of selling it for profit or causing harm. The dark web is not somewhere you want your data to be, and if it is, then it’s likely going to be used for some illegal purpose.
Yep - we know that sounds alarming, but any data leak needs to be taken seriously, whether it happened yesterday or five years ago.
It doesn't matter how old a data leak is. You still need to make sure it has been dealt with and resolved. Maybe your password was stolen and leaked 3 years ago, but if you’re still using the same password, then it is still a major risk to your security. It’s even more of a risk if you’re using the same password to protect any other online accounts. Don’t ignore data leaks just because they seem to be old and irrelevant.
Even the smallest details can help an expert scammer to gain your trust. Imagine you’re busy at work, and your bank calls to say there’s a problem with your account. They know your date of birth and the last 4 digits of your card, so they definitely sound legitimate. And hey, you’re busy and maybe panicking a little. So you answer their questions, including handing over your account details - which you thought you were just confirming. You didn’t even think for a second that the caller may not actually be someone from your bank…. How would someone know all that information if they weren’t from the bank?
Here’s a fact that will make you start counting in your head: most people have anything up to 150 or so online accounts. Think about it for a second. Amazon, Netflix, Spotify, Facebook, Instagram, LinkedIn, Twitter, Candy Crush… Ok. That’s a start.
And what about all your online shopping? Groceries, clothes, gifts, holiday decorations, airline tickets, Airbnb, restaurants, more clothes?
And now your bank, credit card, insurance, medical, doctor? And don’t forget your favorite pizza delivery.
Every time you sign up or log in to any online service, site, or platform, you usually hand over your email address, a password, and maybe some other details (like your credit card, for example).
In other words, there’s a whole lot of data about you floating around the internet. Sure, it’s secure and under lock and key (password and 2-factor authentication protected). But when did that ever stop a criminal? Stealing, selling, and using your data makes money for criminals.
A hacker will try everything to steal your data and sell it for profit. While this is obviously completely illegal, it’s actually a huge, thriving industry. There are plenty of forums on the dark web where our personal information is traded for money and criminal intent.
And those who buy or get hold of our data can use it to steal from us and to scam our families and us. A stolen Facebook account costs $75 on the dark web, and it can generate $1,000’s of profit - and complete misery and ruin for a victim.
So the moment your data is leaked online, you have a limited amount of time to act to secure yourself and your identity. This is why we talk so much about data leaks and getting alerts. On average, it takes organizations 212 days to even realize they’ve been hacked and then another 75 days to deal with the fallout. That gives criminals a 9-month head start to find all kinds of imaginative ways to use your personal data.
Yeah yeah, you say that, but it’s not going to happen to me…
Hmm. There’s a good chance it already has, and you just don’t know about it. What if we told you that in 2021, the personal data of 533 million Facebook users were stolen and posted online in a hacker’s forum? Or that more than 500 million LinkedIn profiles were found on the dark web (including email addresses and phone numbers), as well as 500 million Zoom usernames and passwords?
There’s a cyber attack on a site or platform every 12 seconds (some say 2 seconds, some say 9 - 12 seconds is optimistic). In other words, it’s not a question of if it’s when. That’s the reality. And it means you need to know how to protect yourself and how to make safeguarding your identity an everyday routine instead of an emergency scenario.
As we already said, criminals and hackers want your data. And to get it, they are willing to break into companies’ systems, servers, platforms, and sites. They are looking to get a hold of as many data records as possible - in other words, as many pieces of information as possible on each customer. The more information they have, the better. Here are some more numbers for you:
- 422 million Americans were affected by data breaches in 2022
- 221 million Twitter users had their data exposed online in January 2023
- In the first 3 months of 2023 alone, 37 million customer records were stolen from T-Mobile, 20 million from PeopleConnect, and 9 million from AT&T
- 35,000 PayPal accounts were accessed by a hacker who had stolen passwords from different accounts and was trying their luck on PayPal (this is known as credential stuffing)
- 3.3 million Heritage Provider network patients had their medical records and social security numbers stolen. With that information, a criminal can very easily take over their identity and cause years of untold harm and misery.
The actual number of data breaches fell in 2022 (the FBI attributed this to the Russian war in Ukraine), but the number of affected Americans has risen dramatically.
And before you think it’s only the vulnerable or careless that get hacked, the US Marshal’s Service was breached in February 2023. Yes, the United States Marshal’s Service. Just think of the implications of someone gaining access to ongoing cases and investigations, not to mention the Witness Security Program.
Sadly the answer is, of course! Here are just two examples:
- The Accidental
Frank from accounts is sending over the payroll details to HQ. It’s late on a Friday afternoon, and in Frank’s brain, he’s already on the way home. With one accidental press of the wrong button, Frank sends the company payroll details to all his email contacts. That means that the 1,749 people in Frank’s contact list now have extremely sensitive details about everyone in the company.
- Scams, phishing, and things like that
Frank got an email this morning telling him his LinkedIn account has been locked until he renews his password. Frank dutifully clicks on the link provided in the email and updates his password, first typing in the old one before providing a brand new one. Unfortunately, Frank had no idea that this was a fake email and that he’s just been scammed. This phishing attack has given a criminal 2 passwords that Frank likes to use and his email address. You see Frank, like most of us, reuses the same 2 or 3 passwords for nearly every online account he has. With his email address and a couple of passwords, there’s a good chance that a hacker will be able to access a significant number of Frank’s online accounts - his email account (personal and work), insurance, Netflix, bank, Walmart, doctor, credit card, his favorite karaoke bar, and so on.