What Happens After a Data Breach — The Full Pipeline

The TLDR

A data breach doesn’t end when the company sends you that apologetic email. That’s when it starts. Your data enters an ecosystem — dark web marketplaces, automated credential stuffing tools, fraud networks — that will extract value from it for years. The breach notification is the beginning. The fraud, the account takeovers, and the identity theft that follow are the actual cost. And if you reused passwords, every account sharing that password just became an open door.

The Reality

Here’s what a typical breach timeline actually looks like:

Day 0: An attacker exfiltrates a database. Maybe it’s SQL injection, maybe it’s a misconfigured S3 bucket, maybe it’s a compromised employee credential. The company probably doesn’t know yet. The average time to detect a breach is 194 days according to IBM’s Cost of a Data Breach Report.

Days 1–30: The stolen data gets organized. Emails paired with passwords. Credit cards sorted by bank. Social Security numbers matched with names and dates of birth. If the passwords are hashed, cracking begins. MD5 hashes fall in hours. Even bcrypt hashes yield to targeted dictionary attacks if the passwords are common.

Days 30–90: The data hits the market. BreachForums, Telegram channels, paste sites. A database of 10 million credentials might sell for a few hundred dollars. Individual identity packages — name, SSN, DOB, address — go for $1 to $15 depending on completeness.

Days 90–365: Credential stuffing begins at scale. Automated tools like MITRE ATT&CK T1110.004 — Credential Stuffing test your email/password combination against hundreds of services simultaneously. If you used the same password on LinkedIn and your bank, the attacker doesn’t need to hack your bank. They log in.

Year 1+: The data gets aggregated into combo lists — massive compilations like Collection #1 through #5 (2.2 billion records) or RockYou2024 (nearly 10 billion entries). Your credentials from a breach you forgot about in 2019 are still circulating in 2026.

What to Do RIGHT NOW If You’ve Been Breached

This is your emergency checklist. Do this before you do anything else:

1. Change the compromised password immediately — and every account where you reused it. Yes, all of them.
2. Enable 2FA on everything — start with email and banking. Use an authenticator app, not SMS if you can help it.
3. Call your bank and credit card companies — tell them your information may be compromised. Ask about fraud alerts.
4. Freeze your credit — contact all three bureaus (Equifax, Experian, TransUnion). A freeze is free and prevents new accounts from being opened in your name.
5. Check Have I Been Pwned — see what breaches you’re already in.
6. Monitor your accounts — watch for unauthorized transactions, password reset emails you didn’t request, or login notifications from unfamiliar locations.
7. File a report — identitytheft.gov for identity theft, FBI IC3 for cybercrime.

This isn’t optional. This is damage control. The faster you move, the smaller the blast radius.

How It Works

What Gets Exfiltrated

Not all breaches are created equal. What was stolen determines how bad it gets:

• Email + plaintext password: Worst case. Immediate access. Credential stuffing begins the same day.
• Email + hashed password: Better, but depends on the hash. MD5 with no salt? Cracked in hours. bcrypt with a work factor of 12? Most passwords survive. But “password123” doesn’t survive any hash.
• PII (name, SSN, DOB, address): Identity theft fuel. Used for synthetic identity fraud, tax return fraud, and account takeover via customer support impersonation.
• Credit card numbers: Shortest shelf life — cards get cancelled. But if full track data is stolen (CVV, expiration, billing address), the window is wide enough.
• Session tokens / API keys: Immediate access without needing a password at all. These are the silent killers.

The Dark Web Marketplace

Stolen data has a supply chain like any other product:

Initial sale: The attacker sells the raw database. Large databases go for surprisingly little — a few hundred to a few thousand dollars. The value is in volume.

Processing: Middlemen specialize in cleaning, sorting, and enriching the data. They match email addresses across multiple breaches to build more complete profiles.

Retail: Individual credentials, identity packages, and credit card details get sold on marketplaces. An FBI IC3 report noted that a complete identity package (name, SSN, DOB, mother’s maiden name, credit history) sells for $10–$30.

Automation: Credential stuffing tools like OpenBullet or SentryMBA automate the testing of credentials across thousands of sites. These tools are free, documented, and widely available.

Combo Lists

This is where individual breaches become an existential problem. Combo lists aggregate credentials from multiple breaches into a single, searchable database. Collection #1, discovered in 2019, contained 773 million email addresses and 21 million unique passwords from dozens of separate breaches.

The math is simple: if your email and password from the 2012 LinkedIn breach also work on your 2026 banking portal, that seven-year-old breach just became today’s problem.

How It Gets Exploited

The LinkedIn Pipeline

In 2012, LinkedIn was breached. 6.5 million password hashes were initially reported stolen. The company downplayed it.

Four years later, in 2016, it emerged that 117 million credentials had actually been stolen. By then, the passwords had been cracked and the data was circulating freely on dark web markets.

Those credentials were tested against email providers, banking sites, social media platforms, and corporate VPNs. People who used the same password for LinkedIn and their email found their email compromised. From email, attackers performed password resets on everything else.

One breach. Years of consequences. All enabled by password reuse.

Credential Stuffing at Scale

According to CISA’s credential stuffing advisory, credential stuffing attacks succeed at a rate of 0.1% to 2%. That sounds low until you realize attackers are testing billions of combinations. A 0.1% success rate on 1 billion credentials is 1 million compromised accounts.

These attacks run 24/7. They’re automated. They’re distributed across botnets to evade rate limiting. And they’re profitable enough that entire criminal ecosystems exist to support them.

Synthetic Identity Fraud

When a breach exposes PII instead of (or in addition to) credentials, the fraud goes deeper. Attackers combine a real SSN with a fake name and address to create a synthetic identity — a person who doesn’t exist but has a real credit history.

The FTC estimates synthetic identity fraud costs billions annually and is the fastest-growing type of financial crime in the United States.

What You Can Do

The Structural Fix

Password managers are the single most effective defense against the breach pipeline. If every account has a unique, randomly generated password, a breach at one service compromises exactly one account. The chain breaks.

• Use a password manager with zero-knowledge architecture (Bitwarden, 1Password, KeePassXC)
• Generate unique passwords for every account — 16+ characters, random
• Enable 2FA on every account that supports it — authenticator app preferred, SMS as a fallback

Breach Monitoring

• Set up Have I Been Pwned email notifications — you’ll get alerted when your email appears in a new breach
• Check HIBP periodically for all your email addresses
• Some password managers (Bitwarden, 1Password) integrate breach monitoring directly

Downstream Controls

• Credit freeze at all three bureaus — this prevents new accounts from being opened with your SSN. It’s free. There’s no reason not to do it.
• Fraud alerts through your bank — flag your account for additional verification on unusual transactions
• Tax PIN from the IRS — prevents fraudulent tax returns filed with your SSN

If You’re Already a Victim

1. Go to identitytheft.gov and follow the recovery plan
2. File a report with FBI IC3
3. Place a fraud alert (or freeze) on your credit
4. Change every password, starting with email and banking
5. Enable 2FA on everything

Sources & Further Reading

• Have I Been Pwned — Troy Hunt’s breach notification service and methodology
• CISA Credential Stuffing Advisory — federal guidance on credential stuffing defense
• IBM Cost of a Data Breach Report — annual breach cost and timeline analysis
• MITRE ATT&CK T1110.004 — Credential Stuffing — attack technique documentation
• FTC Identity Theft Resources — federal identity theft recovery framework
• FBI IC3 Annual Report — cybercrime statistics and trends
• Krebs on Security — breach reporting and credential stuffing analysis