Data breaches have become so routine that it's easy to become numb to them. But the numbers are staggering: in 2025 alone, over 8 billion records were exposed in publicly disclosed data breaches, according to the Identity Theft Resource Center. That's more than the entire population of Earth — three times over. Whether your email appears in the next breach is largely out of your hands; how much damage that breach does to you depends on how prepared you are. And if you've ever received that dreaded "your data may have been compromised" email, you know the sinking feeling that follows. This guide explains how breaches happen and exactly what steps to take when they do.
Understanding the attack vectors helps you take targeted preventative measures. The most common causes of major data breaches are:
Despite being one of the oldest vulnerabilities in the book, SQL injection (SQLi) remains the top cause of database breaches. It occurs when a website splices user input directly into the text of a SQL statement instead of passing it separately as a parameter. An attacker types a malicious SQL fragment into a login form or URL parameter, and the database executes it as part of the query — returning all usernames, emails, and password hashes instead of just checking one login.
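To make the mechanism concrete, here is an added example (not code from the original article) showing the vulnerable pattern next to its parameterized fix, run against a constructed in-memory SQLite table with placeholder hashes:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample user table; hashes are placeholders, not real digests.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "<hash-1>"),
         ("bob", "bob@example.com", "<hash-2>")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The defect described above: the value becomes part of the SQL text,
    # so quotes and keywords in the input are parsed as SQL.
    sql = f"SELECT username, email, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the driver binds the value separately, so it is
    # only ever compared as data and can never change the statement's shape.
    sql = "SELECT username, email, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def row_counts_for(username: str) -> tuple:
    """Rows returned by each variant for the same input: (vulnerable, hardened)."""
    conn = make_db()
    return (len(lookup_vulnerable(conn, username)),
            len(lookup_hardened(conn, username)))

if __name__ == "__main__":
    # A tautology in the WHERE clause dumps every row from the unsafe query;
    # the parameterized version treats it as a literal username and finds none.
    print(row_counts_for("x' OR '1'='1"))
```

The hardened version returns exactly one row for a real username and zero for anything else, regardless of what characters the input contains.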
The 2024 TicketMaster breach that exposed 560 million records began with SQL injection in a customer-facing API endpoint. The attacker was able to run arbitrary SELECT queries against the user database, extracting the entire customer table over several days before detection.
As companies migrated to the cloud, they left a trail of exposed data. Misconfigured Amazon S3 buckets, Google Cloud Storage, and Azure Blob containers are accessible to anyone who knows the URL — and attackers use automated scanners to find them. In 2025, a misconfigured backup bucket from a major healthcare provider exposed 40 million patient records, including medical histories and Social Security numbers. The bucket had been left publicly readable for over 14 months.
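Cloud providers expose bucket policies as JSON, so the "left publicly readable" condition above can be checked mechanically. The following is an added example, not code from the article or from any provider, that flags Allow statements granting unconditional read access to everyone; the two policy documents are constructed for illustration:

```python
import json

# Actions that let an anonymous caller list or fetch objects (compared lowercase).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal) -> bool:
    # Both "*" and {"AWS": "*"} grant access to any account and to anonymous users.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_read_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that give unconditional public read.

    Heuristic triage only: explicit Deny statements and account-level public
    access blocks can still override a permissive Allow.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition (source VPC, TLS-only, etc.) narrows the grant; those
        # statements still deserve review but are not flagged as wide open.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample: a backup bucket readable by anyone on the internet.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicBackupRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"}]})

# Constructed sample: same bucket, read limited to one role in the account.
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
```

Running the check on every bucket policy during a periodic review, and alerting on any non-empty result, is the kind of control that would have caught a bucket left open for 14 months.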
Many high-profile breaches don't involve exploiting technical vulnerabilities at all. Instead, attackers phish an employee's credentials, log into the corporate VPN, and move laterally through the network. The 2022 Uber breach and the 2023 MGM ransomware attack both started with simple phishing calls — an attacker tricking an employee into sharing their password or approving a multi-factor authentication push notification.
Attackers increasingly target smaller vendors with weaker security to reach their larger customers. The 2024 MOVEit file-transfer breach is a prime example: a vulnerability in a widely used enterprise file-transfer tool was exploited, giving attackers access to the systems of hundreds of organizations that used it — including government agencies, banks, and healthcare providers. Over 80 million records were compromised through this single software vulnerability.
Companies are required to notify affected users in most jurisdictions, but notifications can arrive weeks or months after the actual breach. Don't wait for a letter. Check proactively:
If the breached service stored passwords (most do), change that password right away — even if the company says they used "strong encryption." Stolen password hashes can be cracked offline at the attacker's leisure, and weak or unsalted hashing schemes fall quickly. Use a strong, unique password generated specifically for that service. Never reuse the old password anywhere else.
If you reused the breached password on other sites — and statistics say you probably did — every account sharing that password is now at risk. Attackers will try the leaked credentials on email, banking, social media, and shopping sites within hours of the data being posted online. Use a password generator to create unique passwords for every account that shared the compromised credential.
If the affected service offers 2FA and you haven't enabled it, now is the time. Even if you've already changed your password, 2FA prevents attackers who may have already established sessions or stolen session cookies from maintaining access. Use an authenticator app or hardware key, not SMS.
Log into the breached account and check for unrecognized login activity, devices, and API keys. Revoke all active sessions (most services have a "sign out of all devices" option). Remove any third-party app connections you don't recognize.
If the breach involved payment information, monitor your bank and credit card statements closely for the next 60–90 days. Set up transaction alerts for any charge over $0 — many attackers test with tiny amounts before draining accounts. If you see unauthorized transactions, report them to your bank immediately.
If the breach exposed your Social Security number, driver's license, or other personally identifiable information, place a fraud alert (free, 90 days) or credit freeze (free, indefinite) on your credit reports at Equifax, Experian, and TransUnion. A credit freeze prevents anyone from opening new accounts or lines of credit in your name.
You can't prevent every data breach — even the most secure companies have been compromised. But you can contain the damage. Using unique passwords for every account, enabling 2FA everywhere it's offered, and monitoring your digital footprint with HIBP (Have I Been Pwned) and credit monitoring are the three pillars of breach preparedness. The goal isn't to never be breached — it's to make sure a breach of one account doesn't become a breach of all of them.
Unique passwords are your best defense against breach chains.
Generate strong, unique passwords for every account — free, instant, no sign-up required.