Scammers hacked her phone and stole thousands of pounds

Information breaches are getting so frequent that it may be onerous to know the way to react when it occurs to you. It is typically simple to shrug it off, however there is a threat.

Being a sufferer of an information breach will increase your possibilities of being focused by criminals and scammers.

Sue instructed the BBC how scammers went after her. We discovered her particulars had been leaked on-line.

She was a sufferer of what is often called a Sim swap assault – the place scammers trick a community operator into pondering they’re the account holder to get a brand new Sim card for a cellular system.

They used it to take over nearly all her on-line accounts via her cellphone. She mentioned the expertise was “horrible”.

“The scammers took over my Gmail account after which locked me out of my financial institution accounts as a result of they failed safety checks,” she mentioned.

Sue additionally had a bank card opened in her title and the criminals bought greater than £3,000 in vouchers.

It took a number of journeys to the branches of her financial institution and cell phone supplier to get her accounts again.

And the thieves weren’t performed.

“The criminals additionally did a sinister factor after breaking into my WhatsApp,” she mentioned. “They despatched messages to horse driving teams I’m in warning there have been individuals on their method to stab the horses.”

We searched hacker databases utilizing on-line instruments like haveibeenpwned.com and Constella Intelligence to see if Sue’s particulars had been beforehand compromised.

Her cellphone quantity, e-mail deal with, date of delivery and bodily deal with had been all uncovered in information breaches at playing platform PaddyPower in 2010 and e-mail validation software Verifications.io in 2019. Different compilations of hacked data additionally included her particulars.

Hannah Baumgaertner, from cyber agency Silobreaker, mentioned attackers possible used the private information leaked in earlier breaches to conduct the Sim swap assault.

“As soon as that they had entry to Sue’s cellphone quantity they had been had been capable of intercept any safety codes despatched to confirm her id for her Gmail account,” she mentioned.

However scammers aren’t all the time focusing on massive payouts.

Fran from Brazil instructed the BBC she discovered a person had registered to her Netflix account – and elevated her month-to-month subscription.

“I used to be charged $9.90 (£7.50) on my cost card, despite the fact that I hadn’t made this buy,” she mentioned.

“I instantly contacted my household to seek out out if anybody had added one other profile to the account we share, however all of them mentioned no.”

Fran was a sufferer of a standard rip-off the place her Netflix account was hijacked by a freeloader.

It is not identified precisely how they obtained into her account and the murky world of cybercrime means it’s troublesome to pinpoint if a single information breach led to somebody being scammed.

However we discovered Fran’s e-mail deal with had been uncovered in at the very least 4 information breaches together with hacks of Web Archive (2024), Trellov (2024), Descomplica (2021) and Wattpad (2020) in line with the web site haveibeenpwned.com.

The password she used for her Netflix account just isn’t in publicly-known databases however is perhaps in others.

“There’s a enormous marketplace for cracked Netflix, Disney and Spotify accounts”, mentioned Alon Gal, co founding father of cyber safety firm Hudson Rock.

“It is a low-barrier entry level for cybercrime, turning one firm’s information leak into widespread, ongoing abuse.”

Scammers typically mix stolen non-public info with public info.

Leah, who did not need to give her actual title, runs a small enterprise utilizing Fb adverts and was not too long ago focused in an extended working rip-off apparently originating from Vietnam.

“I obtained a phishing e-mail from ‘notifications@facebookmail.com’ saying that I used to be due a refund. I clicked on the hyperlink and entered my particulars on the faux Meta web page and the scammers had been capable of take over my enterprise account despite the fact that I had 2 issue authentication.

“They then posted baby sexual abuse movies below my title which obtained me blocked. I used to be even barred from utilizing Messenger to complain to Meta.”

Within the three days it took Leah to get again her enterprise account again the scammers had run a whole lot of kilos of adverts paid for by her. She ultimately obtained the cash again.

Alberto Casares from Constella Intelligence searched hacker databases and located Leah’s e-mail deal with and different particulars had been taken in information breaches at Gravatar (2020) and this 12 months’s Qantas (third-party breach).

“It appears to be like just like the attackers used a standard strategy of linking up Leah’s non-public stolen e-mail deal with along with her publicly listed enterprise quantity to launch a focused phishing assault in opposition to the e-mail account.”

They might have performed this themselves or used an information dealer to pay for various potential targets he mentioned.

Mass information breaches are fuelling scams and secondary hacks around the globe, with a number of excessive profile assaults coming in 2025 alone.

In accordance with Proton Mail’s Information Breach Observatory, there have been 794 verified breaches from identifiable sources found to this point in 2025 with greater than 300 million particular person data uncovered.

“Criminals pay premium costs for stolen information as a result of it constantly generates revenue via fraud, extortion, and cyberattacks,” mentioned Eamonn Maguire from the agency.

Apart from notifying prospects and regulators about breaches, there are not any onerous and quick guidelines on what corporations ought to do for victims.

Providing free credit score monitoring, for instance, was once frequent.

Last year, Ticketmaster (which noticed 500m individuals affected by a breach) supplied this to some individuals.

However this 12 months fewer companies are doing this. Marks and Spencer and Qantas, for instance, haven’t supplied these companies to prospects.

Co-op selected to provide victims a £10 voucher – in the event that they spent £40 in its outlets.

Some are attempting to hunt compensation within the courts, with a rising pattern of sophistication motion lawsuits – although these are notoriously onerous to win as a result of it’s troublesome to show how people have been impacted.

However some have been profitable.

T-Cell has begun paying prospects affected by a serious information breach in 2021 which affected 76m prospects.

The agency agreed to pay $350m – with funds reportedly starting from $50 to $300.

Get our flagship publication with all of the headlines it’s good to begin the day. Sign up here.