Two long nailed hands are tightly holding a piece of paper with a silhouette of a person and the word INFO.

Cybercriminals don’t care about your opinions on the Marvel Cinematic Universe. They want to steal data that can be easily transformed into money. This involves personally identifiable information that is used to swindle you or your login data and online banking credentials to be used in more direct theft. Read this article to learn more about what personal details cyber criminals want to steal in any data breach.

Table of contents

    Types of data stolen by cybercriminals

    Hackers and other such online villains are on the lookout for your data. Here’s what they’re after:

    Personally identifiable information (PII)

    Personally Identifiable Information is information that could be used to discover the identity of a specific person. This can range from something as simple as your name and surname to email address to social security number

    Financial data

    Financial data describes how you’re doing in terms of money. This means your credit card statements, income, and expenses. There’s not much logic in robbing someone who’s poor, but swindling someone who has money to lose is a bit different. 

    Healthcare and insurance information

    Any data that identifies you as you in a medical context can be termed healthcare and insurance information. However, this data has to be helpful in pulling a scam, so it may encompass your medical records, full name, social security number, and your insurance number.

    Usernames and Passwords

    For older and less secure websites, your username and password are all needed to log in and mess up your stuff. But even on the day of the ever-present 2FA, having your login data gives cybercriminals a lot of data to work with.

    Work logins and information

    Cybercriminals may want to get your work login data because it would let them fry a much bigger fish. Suppose they know all the necessary precautions and have your data. In that case, they can either immediately rob or compromise the company or use it as a stepping stone toward a disastrous spearfishing attack. 

    Sensitive photos and videos

    Sensitive video or photo data can be anything, from photos that allow someone to identify where you live, or your companions, or your kids. And that is before we consider all sorts of lewd photography hackers may find and use in blackmailing attempts or cyberbullying.

    Debit and credit card numbers

    You’d think debit and credit card numbers would be hard to use when you don’t have the card, but cybercriminals have their ways. From fraudulent purchases to more sophisticated stuff like identity theft, this is a very pertinent piece of data for them. 

    Social media profiles

    The simplest way to steal your media profile is to clone all the data and create a new profile nearly identical to yours — and use it for criminal purposes. A more sophisticated version of this crime would seek to gain access to login data — your data. If they can pull that off, the crime-sky’s the crime-limit.

    Personal communications

    Emails. Text messages. Instant messaging. Video/audio clips you sent because you were too lazy to type. Physical mail. All of those are bound to contain PII, sensitive photos or videos, financial data, healthcare information, and so on.

    What can hackers do with your stolen information?

    Your information doesn’t automatically transform into actual money as it’s saved on the cybercriminal’s device. Here are some of the most common ways they cash in your data:

    Identity theft

    Identity theft uses your stolen information to pretend to be you. The easiest way to use it is to buy expensive stuff and avoid paying. After all, as far as the vendor is concerned, you’re the one who made the purchase, and you’re the one who’s supposed to pay.

    Financial fraud

    A more ambitious cybercriminal may use your stolen identity (or bank logins) to pull financial fraud. The easiest way is to take out a loan in your name and transfer the money to themselves. Once again, you’re the one who’s left to pick up the tab.

    Medical identity theft

    Medical identity theft can be used in various ways, from getting procedures and drugs you’ll have to pay for to gaining access to said drugs (for use or resale) in the first place. In the US, it can be used to submit fraudulent claims to Medicare or other insurers.

    Unauthorized account access

    If you’ve heard of, say, a celebrity’s social media account getting hacked and used to promote a crypto scam, you already understand what this is. Access to your accounts can mean anything from making fraudulent purchases to impersonating you to scam others

    Professional impersonation

    A scammer will use your data to convince you that they’re actually a bank or another trusted organization. After all, they already know all the sensitive data you’d entrust to a bank, so it’s much easier to coax you into transferring funds or giving away even more sensitive information. 

    Unauthorized transactions

    You would never transfer all the contents of your savings account to a complete stranger for no reason. But that’s a likely scenario if your data gets stolen by cybercriminals. Sure, financial institutions keep trying to put more barriers in place to prevent this from happening, but as always, the human person is the weak link in the security chain. 

    Blackmail and extortion

    For the simplest type of blackmail, a cybercriminal might extort the victim over not releasing their login data online — or offering them to buy back their hijacked account. Of course, with access to email or social media, the criminals suddenly find themselves with access to even more — and saucier — blackmail material. 

    Credential stuffing

    Credential stuffing means using login credentials gained from a breached service to enter another service. This is one of the main reasons you shouldn’t reuse passwords. If you do, then you’d need only one of the services you use to experience a leak, which would make all the services you use insecure. 

    Sale on the dark web

    The cybercriminal that intercepted your data is not going to necessarily be the same one that will use it. Stolen personal information is actually a valuable commodity. As such, your data is likely to be bundled up with sensitive information about a lot of other people and sold on the dark web.

    How to protect your personal information from hackers

    A folder with a chain around it and a lock on it. A hand is inserting a key into the locks keyhole.

    You can’t threaten the CEO of every entity you entrust with your data to shore up their company’s security — that’s wildly impractical. Instead, you should follow some common-sense advice to protect your personal information from hackers. 

    Update your passwords

    Updating your passwords is good, as not all breaches are identified immediately. Stay one step ahead of the hackers and change your passwords regularly. Our expert says that changing your password once a year should be enough. And, of course, never use the same password for two different websites/services/apps. 

    Enable two-factor authentication (2FA)

    Two-factor authentication means using two different devices — or at least services — to log in. This is usually achieved by asking the user to confirm their login via a mobile app or a link sent to their email address. It’s unlikely that the hacker will have compromised both. 

    Use a Virtual Private Network (VPN) on public Wi-Fi

    A public Wi-Fi spot may be compromised, and your data may be stolen. This way, any logins you use while connected to it may fall into the hands of hackers. But if you use a VPN, all that data will be transferred via a secure VPN tunnel. This ensures that any stolen information will be unreadable to hackers. 

    Install antivirus software

    You need an antivirus app on your device to protect you from malware. Viruses are often tailored to steal your data — and just being vigilant with what you click or download isn’t enough. An antivirus app can provide both real-time protection from new threats and root out old viruses. 

    Don’t ignore software updates

    Software updates do more than add functionality and fix annoying bugs. They’re also key for patching security vulnerabilities; sometimes, in apps, you wouldn’t expect to have any. Updates are essential for your operating system, antivirus software, and other cybersecurity tools. 

    Review your financial records

    Some criminals play the long game and skim your funds little by little. That’s why you should check your financial records for any irregularities. Payments — especially recurring payments — that you don’t recognize may be a sign of some skimming taking place. 

    Keep your sensitive documents in a secure place

    Maybe don’t have a copy of your passport stored on Imgur or another social media app. Be mindful that online PDF conversion places may be saving the copies of documents you upload. In all cases, make sure that your documents are stored on the least amount of apps and services. 

    Be cautious about unsolicited emails or text messages

    Why would anyone text or mail you out of the blue? That’s a good thing to be concerned about in this day and age of spam and phishing scams. Be especially cautious when you receive surprise amorous offers or promises of great riches. One way or another, they will be trying to steal your data. 

    Delete your contact details from data broker lists

    Data brokers are the ones that collect massive amounts of data on anyone they can. Those kinds of data collection are often the most useful for marketers and advertisers who will use them to target ads. But it could also be a crucial stepping stone towards launching a spearfishing attempt aimed at you. 

    Don’t save your credit card details on online stores

    Saving your payment details on a website is very handy for repeat purchases (and the websites count on that). However, it also means trusting that the online store is taking security measures seriously. They may not be — and in case of a leak, your credit card data would be exposed online. 

    Remove personal data from social media and public websites

    Some time ago, public personal data was a security risk because of all those security questions that let you access your account in case you forgot a password. Today, this data is more useful for spear phishing attempts — and even impersonation. Clear out any data you don’t absolutely need to share. 

    Keep your wallet, cards, and devices safe

    This is more of an analog advice, but keep your wallet, cards, and devices on you when you’re out and about. Even if they don’t get stolen, the information they carry can still be stolen and used to commit further, more damaging attacks. 

    Consider signing up for an identity theft protection service

    Are you up-to-date on your knowledge of the data breaches and leaks meta? No? Then, you may have missed one or several times when your data had leaked online. So, if you want to be notified of the times when your login data appears online, subscribe to a service like Surfshark’s Alert. 

    Protecting your identity: embracing alternative IDs

    One way of protecting your private information online is getting an alternative ID from a service like Surfshark’s Alternative ID (unexpected name, I know).

    Such a service will generate an online persona with a name, address, etc., which you can enter when prompted online. That way, you won’t need to expose your own identity when you do not want to.

    It also generates a disposable email address you can use for such signups. Any mail sent that way will be forwarded to your inbox, keeping your actual email private.

    In conclusion: keep your data un-yoinked

    Criminals are going to steal data while there is data worth stealing. What you can do is seal your data behind layers of best practices and security tools. If you only ever disclose the minimum required data and use temporary emails and generated personalities for the rest, you should be a lot more secure.

    Generate a personality today
    Alternative ID will provide you with data to disclose
    Surfshark

    FAQ

    What data can cybercriminals steal?

    Cybercriminals can steal any data, but they’re mostly interested in legal names, logins, email addresses, and bank and social security numbers.

    What do cybercriminals look for?

    Cybercriminals look for personally identifiable data, app and service login credentials, emails, and banking information. 

    What type of data is stolen the most?

    It’s hard to say what data is stolen as most criminals don’t disclose their statistics, but it’s generally agreed that customer records and login data are stolen the most. 

    Why do cybercriminals want your data?

    Cybercriminals want your data for crimes:

    • Stealing your money;
    • Stealing money from someone else by pretending to be you. 

    What do criminals do with stolen data?

    Criminals use stolen data to:

    1. Steal money from your accounts;
    2. Buy stuff or take out loans in your name;
    3. Launch phishing attacks aimed at you;
    4. Launch phishing attacks pretending to be you.

    Who do cybercriminals target the most?

    The two most popular targets of cybercriminals are:

    1. E-commerce websites: they’re plentiful, they don’t often have the most rigorous security, and they’re often based on common code and platforms and have common vulnerabilities.
    2. Small businesses: again, they’re plentiful; they may not have the funds to have top-notch security and may use common commercial platforms.

    What information is most valuable for hackers?

    The most valuable data for hackers is:

    1. Financial data: if they can log into your bank account, then it’s the straightest way to cash out.
    2. Login data: being able to access your online accounts may lead to your online banking data, which may lead to easy payouts.