How data leaks are fueling the surge in identity theft cases

Imagine personal information like your email address, password, and even your Social Security number floating around online, accessible to anyone who knows where to look. It’s not just a possibility—it’s the reality for millions of people. 

Identity theft cases in the U.S. have surged by over 68% since 2022, with data leaks a key driving force. A single leak can expose everything hackers need to commit identity theft, leading to fraudulent purchases, stolen bank accounts, and loans you never applied for. 

And it doesn’t stop there. Once criminals get hold of one piece of personal data—like your email and password—they can use it to break into other accounts, gather more sensitive details, and even steal your identity. A single exposed credential can set off a chain reaction, making you an easy target for financial fraud and scams.

So what can you do? We have some tips to help you. Let’s explore the rise of identity theft, how leaked data fuels this fraudulent activity, and how a data leak lookup tool —like ExpressVPN’s ID Alerts—can help protect your information by notifying you when your credentials appear in known breaches.

The rise of identity theft

Identity theft is a booming industry for cybercriminals, and leaked personal data is their most valuable resource. According to the Identity Theft Resource Center, there were over 3,200 data breaches in 2023, exposing billions of records. A number that’s set to increase in 2025. 

Once leaked, personal information often becomes part of a domino effect. Criminals use one piece of data—like an email address or phone number—to gain access to other accounts or databases. A breached email address might lead to phishing scams, stolen login credentials, and ultimately drained bank accounts or fraudulent loans.

A single Social Security number might sell for 1 USD on the dark web, while complete identity profiles can cost hundreds. This data enables everything from low-level scams to organized crime operations, making it a highly profitable business.

Here’s what thieves can do with this information:

• Financial fraud: Details like Social Security numbers, dates of birth, or credit card information enable criminals to open credit accounts, take out loans, or make unauthorized purchases in your name.
• Account takeovers: Login credentials (email addresses and passwords) exposed in breaches allow criminals to access online accounts. This could be anything from your online banking to social media accounts, allowing scammers to exploit them.
• Synthetic identities: Scammers can combine real data (e.g., Social Security numbers) with fake information to create synthetic identities to commit fraud. These are difficult to detect and often go unnoticed for years.
• Targeted scams: Leaked data makes phishing and social engineering attacks more effective. For example, a scammer with your phone number and partial banking information can convincingly pose as your bank to extract more sensitive details.

How does personal data get leaked?

Personal data leaks are a growing issue, and they happen in various ways—many of which are preventable. 

Here are some of the most common ways in which personal data gets leaked:

• Hacking incidents targeting large organizations: Cybercriminals often attack corporations with vast user data, exploiting vulnerabilities to steal information. These breaches can expose millions of personal records in one event.
• Phishing scams and social engineering attacks: Scammers often trick individuals into sharing sensitive information, such as login credentials or financial details, by impersonating trusted entities like banks or employers.
• Poor data protection practices: Unsecured databases, misconfigured servers, and weak encryption are common culprits. When companies fail to prioritize security, they leave sensitive data vulnerable to theft or accidental exposure. Cybercriminals can easily infiltrate unsecured networks to gain access to sensitive information. 

Types of data at risk

Cybercriminals target all kinds of personal data, but the more sensitive it is, the more valuable it becomes. Any information that can be used to impersonate you is a potential goldmine for criminals. Let’s break down the most commonly targeted types of data and how they’re exploited.

Personal Identifiable Information (PII)

Names, addresses, phone numbers, and Social Security numbers are some of the most sought-after pieces of PII. These details form the foundation of your identity and can be used to commit identity theft, apply for fraudulent loans, or create synthetic identities. Synthetic identity fraud, for instance, involves combining real PII with fake details to create new identities that go undetected for years.

Login credentials

Your email addresses and passwords are prime targets in data breaches. Once exposed, these credentials give hackers direct access to your accounts, such as online banking, social media, or shopping platforms. 

The problem becomes worse when people reuse passwords across multiple accounts, giving criminals a way to infiltrate multiple platforms with just one set of stolen credentials.

Financial details

Credit card numbers, bank account information, and other financial data are frequently targeted by fraudsters seeking immediate monetary gain. This data can be used for unauthorized purchases, fraudulent wire transfers, or creating fake accounts in your name. Financial details are particularly lucrative because they enable direct theft, leaving victims scrambling to recover their funds and secure their accounts.

The cost of identity theft

Identity theft can be incredibly damaging. It’s a financial and emotional burden that impacts millions of people and businesses every year.

For individuals

The personal cost of identity theft is staggering. Victims often face significant financial losses as criminals exploit their stolen information to open fraudulent credit accounts, drain bank accounts, or rack up unauthorized charges. For example, the 2017 Equifax breach exposed the Social Security numbers, birth dates, and addresses of 147 million people—exactly the kind of data criminals use to commit these acts. The leaked data included over 200,000 card payment numbers and expiry dates, leaving people scrambling to restore their finances and creditworthiness.

Recovering from identity theft is a time-consuming process, often requiring countless hours disputing charges, freezing credit, and re-establishing a secure financial standing. The emotional stress of dealing with compromised personal information can also lead to anxiety and a lasting sense of vulnerability.

For businesses

Businesses also bear the brunt of identity theft and data breaches, which damage customer trust and can result in significant financial penalties. The 2021 Facebook data leak caused by a misconfigured server exposed the personal details of over 530 million users. This data was later used for phishing scams and other cybercrimes, damaging Facebook’s reputation and raising concerns about its commitment to user privacy.

Businesses can also face regulatory fines, lawsuits, and operational disruptions from breaches. In 2023, the MOVEit Transfer breach affected over 1,000 organizations and 60 million individuals. It exposed sensitive employee and customer data from around the world, leading to costly investigations and legal actions. 

For the global economy

On a broader scale, the economic cost of identity theft is immense. Cybercrime, including identity theft, is estimated to cost the global economy over 6 trillion USD annually, with this figure expected to rise in the coming years. The Equifax breach alone cost the company over 425 USD million in settlements, showing just how great the financial impact can be. 

Top signs your personal data might have been leaked

Most organizations will notify you if your data has been leaked, but you should also keep a watchful eye.

Knowing the signs of a potential data leak can help you act quickly and minimize the impact on you. Here are some key signs to watch out for:

• Strange activity in your accounts: Look out for unfamiliar logins, unexpected charges, or password reset attempts you didn’t initiate.
• Increased spam or phishing emails: If you start receiving emails tailored to your personal information, it could mean your data has been exposed.
• Unfamiliar credit inquiries or new accounts: If you notice credit inquiries or accounts you didn’t authorize on your credit report, it’s a strong indicator your information is being misused.
• Locked out of your accounts: If you can no longer access an account because the password has been changed without your knowledge, it could mean someone else has taken control.
• Fraudulent social media activity: Friends or contacts reporting strange messages or posts from your accounts may indicate a compromise.
• Unexplained drop in credit score: A sudden decrease in your credit score without any obvious reason might signal unauthorized credit activity.
• Mail or bills you didn’t expect: Receiving bills for services you didn’t sign up for or unexpected mail regarding loans or accounts in your name could mean someone is using your information fraudulently.

How to check if your data has been leaked

Keeping track of whether your personal data has been exposed can feel overwhelming, especially with the sheer number of breaches happening every year. Many companies won’t notify you immediately when a breach occurs—or at all. In some cases, your data may already be on the dark web before you even realize it. That’s why actively monitoring for leaks is essential.

Identity Defender simplifies this by doing the heavy lifting for you. Its ID alerts data leak lookup tool continuously scans data breach databases and the dark web for your personal information. This includes sensitive information like your email addresses, phone numbers, and Social Security number. If your data is found, Identity Defender sends you real-time alerts so you can take immediate action to secure your accounts.

Here’s how Identity Defender works to protect you:

• Dark web monitoring: ID Alerts scans the dark web to detect if your personal information—such as email addresses, Social Security numbers, or financial details—has been exposed. If your data is found, you’ll be notified immediately, allowing you to take swift action.
• Social Security number monitoring: Receive alerts if your SSN is used for loans, payments, employment applications, or other suspicious activities. This critical feature helps you catch fraud early before it causes significant damage.
• Change of address monitoring: Criminals may attempt to redirect your mail to access your accounts and information. ID Alerts notifies you if your home address has been changed, giving you the chance to act quickly and prevent further fraud.

Read more: Is identity theft insurance worth it?

How to protect yourself from data leaks and identity theft

Protecting your personal information from data leaks and identity theft requires a combination of smart preventative measures and proactive tools:

• Use strong, unique passwords: Create complex passwords for each account, avoiding common phrases or reused combinations. Consider using a password manager to keep track of them.
• Enable two-factor authentication (2FA): Add an extra layer of security to your accounts by requiring a secondary verification method, such as a text message or authentication app.
• Monitor financial accounts regularly: Keep an eye on your bank statements, credit card transactions, and credit reports to catch unauthorized activity early.
• Be cautious about sharing sensitive information: Avoid entering personal details on unsecured websites or public Wi-Fi networks. When possible, use secure (HTTPS) websites and private internet connections.

*The insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company, under group or blanket policies issued to Array US Inc, or its respective affiliates for the benefit of its Members. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions. Review the Summary of Benefits.