GUIDE

Has My Data Been Leaked?

If you are asking, the honest answer is almost certainly yes. It has been true for years, and it stops being useful the moment you accept it. A better question sits underneath it, and most breach coverage never reaches it: which of your data is exposed, and can you change it?

Start with the number, because the number is what frightens people and it is the least informative part of the story.

In June 2025, researchers at Cybernews reported a compilation of roughly 16 billion login records, drawn from around thirty datasets that infostealer malware had harvested over several years. Headlines called it the largest leak ever recorded. Eighteen months earlier, a similar find labelled the "mother of all breaches" held about 26 billion. Neither was a single event. Both were compilations: old and recent breaches, malware logs, and earlier collections, merged into one searchable pile.

Two things about those totals matter more than their size. The first is duplication. When Digital Shadows counted credentials circulating in criminal markets in 2022, it reported 24.6 billion. After removing duplicates, 6.7 billion remained. Most of a compilation is the same accounts appearing again and again.

The second is the denominator. Around 5.5 billion people are online. DataReportal counts 5.66 billion social media identities on their own, and is careful to call them identities rather than people, because so many are duplicates and second accounts. The average person now keeps somewhere between one and two hundred online accounts, according to password-manager surveys, which have a commercial interest in the figure but broadly agree on the order of magnitude. Multiply that out and the number of login credentials in existence runs into the hundreds of billions. A sixteen-billion-record pile is a slice of that.

So being "in the leak" tells you very little. Almost everyone is. What decides your actual risk is which fields of yours are in there, because leaked data does not all behave the same way.

Two kinds of leaked data

Leaked data splits into two kinds, and the split is not about how sensitive the data feels. It is about whether you can change it.

The first kind is rotatable. A password, a card number, a login token. If it leaks, you can replace it, and the leaked copy is worthless the moment you do. This is the data most people picture when they think about a breach, and it is what most breach advice is about.

The second kind cannot be rotated. Your date of birth, your full legal name, the addresses you have lived at, your mother's maiden name, your children's names, the schools you attended, the employers on your record. None of it can be reissued. A leak from 2019 that carried these fields is as accurate today as it was then, and it will be as accurate in 2032.

RotatableImmutable
Examplespasswords, card numbers, session tokensdate of birth, full name, address history, family, past employers, ID numbers
What fixes itchange it oncenothing; it stays accurate
Risk half-lifehours to daysyears to permanent
What free advice coversthisrarely this

A password change closes the rotatable half. Nothing closes the other one. That is why "I changed my passwords after that breach" is a smaller reassurance than it sounds. It resolved the part of the exposure that was going to expire anyway.

The half you can't change is the half that verifies you

Immutable data is dangerous for a specific reason. It is the same data that systems use to confirm you are you.

When you are locked out of an account, the recovery process asks for what only you should know. A previous address, perhaps, or the name of your first school. These are knowledge-based checks, and they rest on the assumption that the answers are private.

In 2015, Google published a study of its own account-recovery data, covering millions of recovery attempts and hundreds of millions of secret-question answers. It found that security questions are far weaker than passwords. A large share of users gave false answers to make them harder to guess, and did so in predictable ways. Many could not remember their own answers when it mattered. The conclusion was that secret questions are neither secure nor reliable enough to stand alone.

That study measured guessing and recall. It did not measure breach data. But the two meet at an obvious point. The true answers to most knowledge-based questions, your mother's maiden name or the street you grew up on, are exactly the fields that sit in breach compilations and, more reliably, in the records that people-search sites and data brokers assemble and sell. An attacker who wants to pass your recovery check often does not have to guess. The answers can be looked up.

This is the mechanism behind the delayed takeover. A password stolen in an old breach may be long since changed. The identity details attached to it are not, and they are what let an attacker reset the password you did change, answer the question that guards the reset, or give a support agent a convincing enough story to do it for them. We set out the full sequence in the anatomy of an account takeover.

Verification is not the only use. The same details make social engineering credible. A caller who knows your address, your bank, and a recent transaction does not sound like a stranger, and most of what makes them convincing can be sourced without ever touching your accounts. For higher-profile targets, this is the raw material of deliberate targeting.

The only way to know which of your immutable fields are already assembled and searchable is to look at what a researcher would find. A free Snapshot Scan shows you.

See what's exposed

"Have I been hacked?" is a different question

Sometimes the worry is more immediate: an account you can't get into, a login alert you don't recognise, a password that stopped working overnight. That is a live-compromise question, not an exposure one, and it has its own answer. Change the password from a device you trust, turn on two-factor, and check the account for sessions or forwarding rules you did not set. If credentials are already being used against you, our breach-response guide walks the first hours. This article is about the quieter problem underneath it: the data exposed long before any single account was touched, which stays useful to an attacker whether or not you were ever hacked.

Why the free check can mislead you

Most people who ask whether their data has leaked end up at a free breach-checker. Have I Been Pwned is the best known, and it is a genuinely useful service, run responsibly. It shows which breaches your email address appears in, and since early 2025 it also indexes malware stealer-log data, so it can surface passwords captured from infected devices and the sites they were used on.

Notice what that covers. It covers the rotatable half. It tells you a credential is exposed so you can change it, which is worth doing.

What a breach-checker does not show you is the immutable half. It does not tell you that your current address, your date of birth, your relatives' names, and your employment history are collected across a dozen people-search sites, cross-referenced into one profile, and available to anyone who runs a search. That profile is built from public records and broker feeds, not from a password breach, so it never appears in a checker's results.

The risk here is quiet. You check, you see a hit or two, you change those passwords, and you come away feeling you have handled it. You handled the part that was going to lapse. The part that lasts was never in the report you read.

What actually reduces the risk

You cannot change immutable data, and you cannot be alerted out of the problem. Monitoring, whether dark-web alerts or breach notifications, tells you after the fact that something has surfaced. For a password, that warning is actionable. For your date of birth, there is nothing to change. Dark-web monitoring has its uses, but this is not one of them.

The lever that works is reducing where the data is aggregated. Immutable fields are only dangerous when they are collected together and easy to find. A date of birth on its own is trivia. A date of birth sitting beside your current address, your last three addresses, your employer, and your relatives' names is a ready-made answer key. Break up that aggregation and the risk falls, even though the underlying facts have not changed.

In practice that means removing your records from the people-search sites and brokers that publish and sell them. Under the GDPR, you can require data brokers and people-search operators to erase and correct your personal data. Doing it across the whole ecosystem is slow and repetitive, because the same records reappear and have to be pushed back down again, but it is the part of your exposure you can actually move. Seeing the profile first makes the removal work targeted, and reducing it is the durable fix.

So: has your data been leaked? Yes, along with nearly everyone's, and the size of the pile is not the thing to measure. What matters is how much of the durable, identifying half of your data is exposed and correlated, and how much of it you can pull back. That is a question you can answer, and then act on.

If this is your situation

If your credentials might already be circulating, a Lockdown investigation maps the exposure.

Check breached credentials Request a free Snapshot Scan

Share this briefing

If this was useful, sharing it helps others protect themselves. It also helps keep the intelligence briefings free.

Or get the quarterly intelligence brief — significant breaches, OSINT technique shifts, and executive privacy risks, once a quarter. Read the briefing →