Joe Tidy, Cyber correspondent, BBC World Service
Data breaches are becoming so widespread that it can be hard to know how to react when it happens to you. It is often easy to shrug it off, but there is a danger.
Being a victim of a data breach increases your chances of being targeted by criminals and scammers.
Sue told the BBC how scammers went after her. We found her details had been leaked online.
She was a victim of what is known as a Sim swap attack – where scammers trick a network operator into thinking they’re the account holder to get a new Sim card for a mobile device.
They used it to take over almost all her online accounts through her phone. She said the experience was “horrible”.
“The scammers took over my Gmail account and then locked me out of my bank accounts because they failed security checks,” she said.
Sue also had a credit card opened in her name and the criminals bought more than £3,000 in vouchers.
It took several trips to the branches of her bank and mobile phone provider to get her accounts back.
And the thieves weren’t done.
“The criminals also did a sinister thing after breaking into my WhatsApp,” she said. “They sent messages to horse riding groups I’m in warning there were people on their way to stab the horses.”
We searched hacker databases using online tools like haveibeenpwned.com and Constella Intelligence to see if Sue’s details had been previously compromised.
Her phone number, email address, date of birth and physical address were all exposed in data breaches at gambling platform PaddyPower in 2010 and email validation tool Verifications.io in 2019. Other compilations of hacked records also included her details.
Hannah Baumgaertner, from cyber firm Silobreaker, said attackers likely used the private data leaked in earlier breaches to conduct the Sim swap attack.
“Once they had access to Sue’s phone number they were able to intercept any security codes sent to verify her identity for her Gmail account,” she said.
Netflix hijacked
But scammers aren’t always targeting big payouts.
Fran from Brazil told the BBC she found a user had registered to her Netflix account – and increased her monthly subscription.
“I was charged $9.90 (£7.50) on my payment card, even though I hadn’t made this purchase,” she said.
“I immediately contacted my family to find out if anyone had added another profile to the account we share, but they all said no.”
Fran was a victim of a common scam where her Netflix account was hijacked by a freeloader.
It isn’t known exactly how they got into her account and the murky world of cybercrime means it is difficult to pinpoint if a single data breach led to someone being scammed.
But we found Fran’s email address had been exposed in at least four data breaches including hacks of Internet Archive (2024), Trello (2024), Descomplica (2021) and Wattpad (2020) according to the website haveibeenpwned.com.
The password she used for her Netflix account is not in publicly-known databases but might be in others.
“There’s a large market for cracked Netflix, Disney and Spotify accounts,” said Alon Gal, co-founder of cyber security company Hudson Rock.
“It’s a low-barrier entry point for cybercrime, turning one company’s data leak into widespread, ongoing abuse.”
Scammers often combine stolen personal data with public data.
Leah, who did not want to give her real name, runs a small business using Facebook ads and was recently targeted in a long running scam apparently originating from Vietnam.
“I received a phishing email from ‘notifications@facebookmail.com’ saying that I was due a refund. I clicked on the link and entered my details on the fake Meta page and the scammers were able to take over my business account even though I had 2 factor authentication.
“They then posted child sexual abuse videos under my name which got me blocked. I was even barred from using Messenger to complain to Meta.”
In the three days it took Leah to get her business account back the scammers had run hundreds of pounds of ads paid for by her. She eventually got the money back.
Alberto Casares from Constella Intelligence searched hacker databases and found Leah’s email address and other details had been taken in data breaches at Gravatar (2020) and this year’s Qantas (third-party breach).
“It looks like the attackers used a common technique of linking up Leah’s personal stolen email address with her publicly listed business number to launch a targeted phishing attack against the email account.”
They could have done this themselves or used a data broker to pay for lots of potential targets, he said.
Mass data breaches
Mass data breaches are fuelling scams and secondary hacks around the world, with several high profile attacks coming in 2025 alone.
According to Proton Mail’s Data Breach Observatory, there have been 794 verified breaches from identifiable sources discovered so far in 2025 with more than 300 million individual records exposed.
“Criminals pay premium prices for stolen data because it consistently generates profit through fraud, extortion, and cyberattacks,” said Eamonn Maguire from the firm.
Apart from notifying customers and regulators about breaches, there are no hard and fast rules on what companies should do for victims.
Offering free credit monitoring, for example, used to be common.
Last year, Ticketmaster (which saw 500m people affected by a breach) offered this to some people.
But this year fewer firms are doing this. Marks and Spencer and Qantas, for example, have not offered these services to customers.
Co-op chose to give victims a £10 voucher – if they spent £40 in its shops.
Some are trying to seek compensation in the courts, with a growing trend of class action lawsuits – though these are notoriously hard to win because it is difficult to prove how individuals have been impacted.
But some have been successful.
T-Mobile has begun paying customers affected by a major data breach in 2021 which affected 76m customers.
The firm agreed to pay $350m – with payments reportedly ranging from $50 to $300.


