The notification letter from a breached company typically arrives weeks after the breach occurred and includes an offer of one year of free credit monitoring. This letter is not the beginning of your problem — it's acknowledgment of a problem that already started. By the time you read the notification, your data has likely already moved through several stages of an underground economy. Understanding that economy tells you what the actual risks are, and what protections actually match those risks.
The Full Timeline: What Happens to Breached Data
Breach and Exfiltration
The attacker penetrates the target system and begins extracting data. In most cases, the breached company doesn't know this is happening. According to IBM's Cost of a Data Breach report, the average time to identify a breach is 204 days — meaning data is typically circulating in criminal markets for months before the victim organization even knows it was stolen.
Dark Web Listing and Initial Sales
Fresh breach data appears on dark web marketplaces and private Telegram channels. Pricing varies significantly by data type: bulk email and password combinations sell for $0.50–$2 per record. Complete identity profiles with name, SSN, date of birth, and address command $10–$150 per record. Financial account access credentials sell for much more — often 1–10% of the account balance. High-value targets (corporate executives, government officials, high-net-worth individuals) are sold separately and command premiums.
Data Enrichment and Aggregation
This is the stage most people don't know about. Attackers and data brokers "enrich" breach data by cross-referencing it with other stolen databases and public records. An email address from one breach gets matched with a phone number from another breach, a home address from a third breach, and financial information from a fourth. The result is a much more complete identity profile than any single breach contained. Criminal groups and commercial data brokers both do this — through slightly different channels and for slightly different purposes, but the mechanism is the same.
Commercial Data Broker Absorption
Enriched breach data flows into commercial data broker databases. This is legal. Data brokers purchase from gray-market data resellers, claiming they conduct due diligence on sources — but enforcement of those claims is minimal. The practical result: the email address from the 2024 AT&T breach ends up on Spokeo with your current home address attached, even though you never gave Spokeo that email or linked it to your address. The breach data and the public records merge into a single exploitable profile.
Credential Stuffing and Account Takeovers
Automated tools test breached email/password combinations against hundreds of websites simultaneously. This is called credential stuffing. If you reused a password from a breached site on your email account, banking account, or any other service, attackers will find and use it. These attacks are not targeted — they're automated at massive scale. The 2024 Snowflake breach, which affected over 160 organizations, was preceded by credential stuffing attacks on contractor accounts using credentials from previous unrelated breaches.
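As an added example (not code from the original article), here is the server-side view of the credential stuffing described above: a small detector run over constructed authentication log lines that flags a source spraying many distinct usernames with mostly failed logins, and lists the accounts it did get into. The log format and the thresholds are assumptions.

```python
"""Flag credential-stuffing patterns in an authentication log."""
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed line format:
#   <timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2024-06-01T10:00:01 198.51.100.7 alice LOGIN_FAIL
2024-06-01T10:00:01 198.51.100.7 bob LOGIN_FAIL
2024-06-01T10:00:02 198.51.100.7 carol LOGIN_FAIL
2024-06-01T10:00:02 198.51.100.7 dave LOGIN_OK
2024-06-01T10:00:03 198.51.100.7 erin LOGIN_FAIL
2024-06-01T10:00:03 198.51.100.7 frank LOGIN_FAIL
2024-06-01T10:00:04 198.51.100.7 grace LOGIN_FAIL
2024-06-01T10:00:04 198.51.100.7 heidi LOGIN_FAIL
2024-06-01T10:01:00 203.0.113.9 alice LOGIN_FAIL
2024-06-01T10:01:05 203.0.113.9 alice LOGIN_FAIL
2024-06-01T10:01:10 203.0.113.9 alice LOGIN_OK
"""

def parse_log(text):
    """Yield (source_ip, username, success) from each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        _ts, ip, user, outcome = parts
        yield ip, user, outcome == "LOGIN_OK"

def find_stuffing_sources(text, min_users=5, min_fail_rate=0.6):
    """Return {ip: (distinct_users, fail_rate, users_logged_in)} for sources
    that try many distinct usernames with mostly failures. A user who forgot
    a password retries one username; a stuffing tool tries many, each once.
    Successes from a flagged source are the likely account takeovers."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "fails": 0, "ok_users": set()})
    for ip, user, ok in parse_log(text):
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if ok:
            rec["ok_users"].add(user)
        else:
            rec["fails"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        fail_rate = rec["fails"] / rec["attempts"]
        if len(rec["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = (len(rec["users"]), fail_rate, sorted(rec["ok_users"]))
    return flagged
```

The accounts listed as logged in from a flagged source are the ones to force through a password reset and session revocation.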
What Credit Monitoring Actually Covers (And What It Misses)
When a company offers free credit monitoring after a breach, they're offering protection against one specific attack type: new account fraud, where an attacker uses your SSN and personal information to open new credit accounts in your name. Credit monitoring catches this because any new inquiry or account opening triggers an alert.
Credit monitoring does not protect against account takeovers (attackers logging into your existing accounts with stolen credentials), medical identity theft (someone using your insurance information for medical care, leaving you with fraudulent medical bills and a corrupted medical record), tax identity theft (someone filing a fraudulent return in your name to collect your refund before you file), synthetic identity fraud (combining your SSN with a different name and address to create a new identity), or social engineering attacks that use your leaked profile information to impersonate you to customer service representatives.
A 2024 Javelin Strategy study found that account takeover fraud — the type credit monitoring doesn't catch — caused average losses of $8,400 per victim in the most severe cases, with some cases exceeding $1 million. The losses from the credential-stuffing and account-takeover threat vastly exceed the losses from new-account fraud that credit monitoring addresses.
The Data Broker Enrichment Problem Is Underappreciated
The path from a breached email address to a complete identity dossier is shorter than most people realize. Here's a concrete example: Your email address is in the 2019 Collection #1 breach, a dataset of 773 million email addresses and 21 million passwords. The email address is your personal one — gmail.com. It's not linked to your home address in that breach dataset.
A data broker runs that email address against voter records to match the email registration to a name, then matches the name to property records to find the home address, and matches the address to the phone number registered to the property. The result: your email address from a 2019 breach is now enriched with your current home address from 2026 public records, even if you've moved multiple times since 2019. The breach data is five years old, but the home address attached to it is current — because the enrichment happened recently.
This is why data broker removal matters even if you've never been breached. It closes the enrichment pathway. Even if attackers have your email address from a breach, they can't easily attach your current home address if that address isn't on Spokeo.
Why the One-Year Credit Monitoring Offer Is Insufficient
The standard breach response — one year of free credit monitoring from Experian, Equifax, or TransUnion — became standard partly because it's legally protective for companies and partly because it's genuinely cheap to provide. The cost per user to a credit bureau offering this service is typically under $1 per year. The benefit to the victim is real but narrow.
The bigger problem is duration. Breached data doesn't expire. The SSN from a 2015 breach is just as valid in 2026 as it was the day it was stolen. Criminals hold datasets for years, using them when the right opportunity presents. Offering one year of monitoring for data that circulates indefinitely is structurally inadequate — it protects against the most acute phase of the attack window while ignoring the chronic risk.
What Actually Reduces Your Risk After a Breach
- Unique passwords for every account, stored in a password manager: This is the single most impactful technical control. If each account has a different password, a breach at one site compromises only that site. Credential stuffing attacks become ineffective. Recommended password managers: Bitwarden (free, open source), 1Password, Dashlane.
- Hardware security key or authenticator app for critical accounts: Add two-factor authentication to your email, financial accounts, and any account that has access to sensitive information. Hardware keys (YubiKey) are strongest; authenticator apps (Authy, Google Authenticator) are strong; SMS is weakest but still better than nothing. SMS is vulnerable to SIM swap attacks — if you're a high-risk target, avoid relying on SMS 2FA for critical accounts.
- Credit freeze at all three bureaus: A credit freeze is free at Experian, Equifax, and TransUnion. It prevents anyone — including you — from opening new credit in your name without removing the freeze. This directly addresses the new-account fraud that credit monitoring detects only after the fact. A freeze is better than monitoring for this threat.
- Data broker removal: Removing your profile from Spokeo, BeenVerified, Whitepages, and the major aggregators closes the enrichment pathway. Attackers who have your breached email can't easily find your current home address. This is particularly important after a major breach that included your email address.
- Dark web credential monitoring via HaveIBeenPwned: Troy Hunt's HaveIBeenPwned (haveibeenpwned.com) is free and monitors for your email address appearing in new breach datasets. Set up notifications so you know immediately when a new breach contains your email — allowing you to change the affected password before credential stuffing attacks use it.
The most common mistake after receiving a breach notification: Accepting the free credit monitoring, assuming the problem is addressed, and not changing the password that was breached. Changing the compromised password — and any other account that shared that password — is the single most important step, and it's free.
How Long Does the Risk Last?
The uncomfortable answer is: essentially indefinitely for the most serious data. SSNs, dates of birth, and full names don't change. Once these are in circulation, they remain usable for identity fraud as long as the victim is alive and the attackers retain the data. Email addresses and phone numbers are less permanent (people change them), but an old email address can still be used to access accounts and conduct social engineering long after the breach.
The practical implication is that a breach from 2015 can produce a successful attack in 2026. The data broker enrichment pipeline means that old email addresses get refreshed with new home address data continuously. There is no "waiting it out" — the appropriate response is to implement permanent structural controls (unique passwords, credit freeze, data broker removal) rather than one-time reactive measures.
If you take one action today: Go to haveibeenpwned.com, enter your primary email address, and see which breaches it's been included in. Then change the password for any account where you still use the same password that was exposed. This takes fifteen minutes and directly addresses the credential stuffing threat — which causes more financial damage than any other downstream breach consequence.
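HaveIBeenPwned also exposes breached passwords through its Pwned Passwords range API, which uses a k-anonymity scheme: the client sends only the first five hex characters of the password's SHA-1, receives every suffix in that range with a breach count, and matches locally, so the password itself never leaves the machine. The following added example (not code from HaveIBeenPwned or this article) implements that client-side check against a constructed reply so it runs offline; the suffixes other than the real one and every count are made up.

```python
"""Check a password against HIBP's Pwned Passwords range API (k-anonymity):
only the first 5 hex chars of the password's SHA-1 are sent; the match
against the returned suffix list happens locally."""
import hashlib

# Real HIBP endpoint; not called here so the example runs offline.
# A live check would GET PWNED_RANGE_URL + prefix (plain-text reply).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex of the password into (5, 35) chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines of a range reply into {suffix: count}.
    Blank or malformed lines are skipped rather than raising."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts

def breach_count(password, range_body):
    """Times the password was seen in breaches per the reply; 0 = not found."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)

# Constructed reply for prefix 5BAA6 (the prefix of SHA-1("password")).
# Only the third suffix is the real one for "password"; the other
# suffixes and all counts are made up. A live reply is hundreds of lines.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
"""

if __name__ == "__main__":
    print("password seen", breach_count("password", SAMPLE_RANGE_BODY), "times")
```

A non-zero count means the exact password is in a public breach corpus and will be in credential-stuffing lists, so it should be changed everywhere it was reused.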
Sources & References
- IBM Security - Cost of a Data Breach Report 2024: average time to identify and contain breaches
- Javelin Strategy & Research - 2024 Identity Fraud Study: account takeover losses and tactics
- Troy Hunt - Have I Been Pwned: breach dataset documentation and notification service
- Snowflake breach analysis 2024 - Mandiant incident response and credential stuffing attribution
- FTC - Data broker industry practices and breach data resale documentation
- ITRC (Identity Theft Resource Center) - Annual Data Breach Report and victim impact statistics
- Krebs on Security - Data enrichment and commercial broker absorption of breach data