A hand taking a card that says data out of a wallet.

Hackers can exploit both human and software vulnerabilities to get your personal data. Sometimes, you can’t do anything to cover that gap, only minimize potential damage. Despite this, as a user, you still have a lot of power to protect your information. Read the article to learn more about how hackers gain unauthorized access to your data and what you can do about it. 

Table of contents

    How hackers get information about their victims

    Your data doesn’t simply fall into the hands of hackers or scam artists by chance. To steal your sensitive information, they use social engineering techniques, purchase data from brokers or dark web markets, and apply various other tactics. Let’s take a closer look at the methods most hackers use:

    1. Social media

    Most people are extremely unlikely to share their passwords on social media. However, anything else is apparently fair game, so any cybercriminal invested in their trade can scrape a lot of data from what we share ourselves:

    • Names and surnames;
    • Birth dates;
    • Home addresses;
    • Usernames; 
    • Friends and relatives;
    • …and more!

    Just think about the screenshots you post on X (previously Twitter), the stuff that goes into Instagram posts, or just your name on Facebook. That’s freely available data, baby!

    1. Data breaches and dark web markets

    These two factors have a symbiotic relationship that puts data in the hands of people who could do you harm:

    • Data breaches happen when an organization — a website, service, or corporation — suffers a security oopsie and reveals confidential information about its users/clients to someone not authorized to have access to such data. Or, in simpler terms, they get hacked, and the hackers make off with piles of data. 
    • Dark web markets are where the data leaked in breaches eventually end up. After all, not all hackers are interested in the arduous task of gaining data and using it in scams. So large batches of data are sold to scammers who then use it to target people affected by the breach

    You can’t do much to prevent data breaches. But you can get a service like Alert to notify you as soon as it detects your data has been leaked — to see how it works, try our online personal data leak checker. You might also want to consider Alternative ID, which generates working credentials to use for newsletters, one-time purchase stores, etc.

    1. Shoulder surfing

    “Shoulder surfing” literally means looking at your screen and keyboard while you’re entering data. This is the least sophisticated approach to gathering information about the victim, but it is possible. Why do you think passwords are always masked with **** when you enter them?

    This technique can be used for anything from card PIN numbers to log-in data. You’re the most vulnerable to shoulder surfing when you’re out in public: scrolling through your phone on public transport or browsing on your laptop at a cafe. That’s why card readers often have those barriers around the keyboard and why privacy screens exist. 

    1. Malware

    OK, when your data is yoinked via malware, this doesn’t mean you were personally targeted. Some types spread automatically via infected devices. This type of malware requires just a single misstep: downloading a suspicious email attachment or clicking on a malicious link sent by a friend, and that’s it. 

    The effects can be varied as well. A keylogger records and transmits your keyboard’s inputs back to the hacker. It’s an effective way to get your passwords: the hacker only needs to look for a string of text that looks like an email address or a username. Anything that follows it is likely to be your password. 

    This may also compromise weaker password vaults — after all, you need to log into those vaults to use them. 

    1. Man-in-the-middle attacks

    Despite the name, man-in-the-middle attacks don’t usually involve a man. They’re typically executed using devices designed to steal your data as it travels between your device and the website or service you’re trying to reach. 

    The simplest example is a dodgy free Wi-Fi spot. Imagine that someone puts up their router and names it something similar to the nearby Wi-Fi spot at a cafe. The person connecting to such a free Wi-Fi spot can use the internet, yes, but whatever passes through the router can be recorded by hackers. 

    Learn more about how to tell if someone hacked your router.

    1. Social engineering

    Social engineering exploits the weakest link in the cybersecurity chain: human beings. That’s because it requires less technical skill to trick a person than a system. And data gathered through social engineering is just as valuable to hackers as anything gathered via more passive techniques. 

    This method involves tricking a person into handing over their information. A common tactic is to call a person posing as a representative from a utility company, bank, or other entity. Any information collected this way could be used to pull off more elaborate — and potentially more lucrative — scams. Phishing attacks, which typically involve fraudulent emails and malicious links, are another type of social engineering. 

    And its devastating impact is starting to add up. A 2022 FBI report found social engineering scams in the US caused nearly $8.3B in financial losses, roughly $35K per victim.

    1. Buying information from data brokers

    Data brokers collect personal information from public databases, social media platforms, credit card companies, and other sources. In the US, they can even buy your consumer data from your ISP.

    While data brokers operate inside legal boundaries, hackers who purchase the information from them, don’t. They simply skip a few steps in their crimes and use the acquired information for scamming.

    Here’s how Darius Belejevas, Head of Incogni (data removal tool), illustrates this process:

    “Someone buys your LinkedIn information, someone else buys or collects your place of residence, then models what your income might be based on your zip code. They buy your shopping and browsing habits, which technically should be anonymized. However, a lot of research has shown it can be de-anonymized and linked. You end up with an entire ecosystem where some companies collect, analyze, and sell, and others can buy and supplement their data to get complex profiles about us, which we don’t even know ourselves.”

    What do hackers do with your information?

    The goal of your everyday hacker and scammer is to make a quick buck. Unfortunately for you, that means the buck will likely come out of your pocket. More specifically, here are some ways a hacker may use your information to harm you: 

    Email address

    Email addresses are fairly important in the online scheme of things. The two main ways a hacker could use it are these:

    1. Phishing attempts: phishing attempts require a target. An email is a target by itself. However, when combined with more information specific about you, scammers can craft a much more convincing phishing email.
    2. Spam messages: most places you sign up with your email don’t sell your address to spammers. But data breaches put thousands of email addresses in hackers’ stashes — data that is then sold to spammers. 

    Home address

    Letting hacker types know where you live doesn’t seem smart even before you consider the ways they can use such info: 

    1. Phishing attacks: the more data the scammer manages to collect, the more effective the phishing attempt is going to be. Including details such as your home address in an email or phone call would make the scammer seem more credible. 
    2. Threats: while it’s probably unlikely that the hackers will threaten you as soon as they get your address, this piece of data can be sold to stalkers, used to plan burglaries, etc. 

    Phone number

    Phone numbers have diminished in importance as we all move online, but they still remain important. Here’s what scammers can do with them:

    1. Send spam: from text messages to calls, the simplest yet most annoying threat is spam. This makes people who are already stressed about picking up the phone even more likely to associate calls with negative emotions.
    2. Identity theft: phone numbers are one of those official bits of data we enter in various forms. Armed with your name and phone number, scam artists can more easily buy, lease, or borrow something in your name.  

    Bank details

    Leaking your bank account details is a surefire way to lose money to hackers. Here’s what they can do:

    1. Steal money: if they know how to log into your financial accounts, they can just… withdraw money. The same thing applies to having your card and PIN number stolen. 
    2. Commit fraud: even if you don’t have money in your account, the hackers can use your bank account details to max out credit cards and do other expensive shenanigans. 

    How to protect yourself from hackers

    To protect yourself from hackers, you should use common techniques like two-factor authentication and keeping your software updated. Here’s a more in-depth look: 

    Enable two-factor authentication

    Two-factor authentication means that to access your online accounts, you need to verify your identity by two different means — preferably by using two different devices. For example, if you use Gmail, you may be prompted to verify that you’re logging into your account via a prompt on your phone. 

    Keep your software up-to-date

    Software is incredibly complex, and vulnerabilities can emerge or even be created over time. Hackers exploit these weaknesses to gain access to your devices or online accounts, but the developers are working hard to patch all of them out. Always download the freshest updates for your operating system, apps, and so on.

    Enable firewalls

    A firewall is meant to prevent unauthorized online access to your device. While a hacker might not be directly attempting to breach your defenses in real time, you could accidentally install malware that aims to do just that. That’s what the firewall is supposed to block. 

    Use an antivirus

    Antivirus apps are designed to stop viruses and other malicious bits of code in their tracks. Keep your antivirus app turned on so that it’s always working to detect threats. You should also constantly update the app: this way, it will be able to recognize and deal with the newest viruses.

    Use a VPN

    A VPN app sends your data via a VPN server, which encrypts and decrypts your communications. This means that other online parties can’t know your real IP address (and there are quite a few harmful things hackers can do just by knowing your IP address!) And if your data gets intercepted along the way, it will be encrypted and unreadable.

    Don’t click suspicious links

    Any link that looks suspicious probably is – that’s the first rule you need to learn if you want to avoid getting hacked on social media. Sometimes, such links may lead to websites intended to trick you into disclosing your sensitive data; other times, they may download software that can harm your device. So, pay close attention both to the links and how they reached you. 

    Use a password manager

    Using the same password on multiple accounts is a serious threat. A single password breach can compromise all those accounts. On the other hand, remembering a unique, strong password for every site and service is nearly impossible. With a password manager, you don’t have to — you only need to remember the password to the manager. 

    Use alternative personas online

    It’s a lot harder to lose your data to hackers if the data you provided isn’t true. And services like Alternative ID provide you with an easy way to create and manage online personas. With these services, it’s the persona’s details that you’ll enter in various forms online (you’ll still want to be truthful with banks, governments, etc.). Plus, services like this often come with additional benefits like phone number and email address generators.

    You should also learn to recognize a hacked device. Some of the signs include a drained battery, slow performance, overheating, your contacts receiving messages you haven’t sent, unauthorized purchases in your credit card history, etc. Read more here: How to know if your phone is hacked and How to tell if your computer has a virus.

    In conclusion: keep your data close 

    Hackers are hunting your data, even if they’re not targeting you personally. Some of their attack methods, such as corporate data leaks, might be beyond your control. But you are not defenseless against them. So start by encrypting your data with a VPN and obscuring your tracks with services like Alternative ID. 

    Keep hackers off your back
    No need to give out your actual data every time
    Surfshark

    FAQ

    What is the most common way hackers find information?

    Scraping social media and buying bundles of stolen data on the dark web are some of the most common ways to find information. However, the actual statistics are impossible to determine as there’s no way to record all hacks or the tools used to carry them out. 

    Can hackers see your screen?

    The hacker can see your screen if they’re “shoulder surfing” — a method that involves directly observing your screen and keyboard. Screen recording hacks are much rarer as they consume noticeable internet and device resources. Keyloggers — malware that records keystrokes — is a lot more common.

    What data do hackers want to steal?

    The most lucrative data for hackers, obviously, is your banking login details. This is the most direct way to get money. Other data hackers find irresistible:

    • Name and surname;
    • Email address;
    • Phone number;
    • Home address.

    How can I avoid getting hacked on social media?

    To avoid getting hacked on social media:

    1. Never give out your login credentials — no company representative will ever ask for them. 
    2. Be careful with the links you receive — if someone — especially a person you haven’t talked with in three years — suddenly sends you a weird link, don’t click it. 
    3. Use the regular hacking precautions — use two-factor authentication, update your software, etc.