Have you ever come across an email saying that someone tried to log into your account from a foreign country? This alert might mean your data ended up in a data leak.

Naturally, your head might be buzzing with the question – what is a data leak exactly? 

We've got your back on this one. Let's find out.

What is a data leak, and how is it different from a breach?

A data leak exposes confidential and sensitive data to unauthorized third parties. 

A data breach, on the other hand, happens as a consequence of a cyberattack, whereas data leaks happen due to poor cybersecurity practices or accidental individual actions.

How do data breaches impact companies?

Data breaches happen due to hacking attempts on company databases by cyber-criminals. Breaches can cost a fortune to businesses as they have to:

  • Notify customers about the breach;
  • Pay government fines;
  • Suffer from a decrease in stock price;
  • Deal with temporary operations problems;
  • Pay attorney fees;
  • Conduct security investigations.

However, that’s not all. There is also long-lasting damage to:

  • Consumer and partner trust;
  • Intellectual property;
  • Brand and reputation;
  • Number of customers.

What causes a data leak?

A data leak can be caused by the following:

Phishing
Phishing is a cybercrime in which a scammer impersonates a legitimate service and sends scam emails to victims. Clicking on links in such emails often results in a data leak.
Malware
Malware is malicious software such as viruses, spyware, etc. It steals your data for financial gain or damages your devices.
Dissatisfied employees leaking company data
This is a crime in which a disgruntled employee leaks company data. The most well-known example is Snowden's NSA data leaks to the media. After collecting confidential data from NSA databases, he revealed global citizen surveillance programs conducted by the Five Eyes Intelligence Alliance.
Mishandling of user data
When organizations unintentionally fail to ensure secure data storage, it results in data scraping. Data scraping entails illegal collection of data from a website and entering it into a spreadsheet.
Using unprotected public Wi-Fi
Public Wi-Fi is an open network. That means fewer security measures are at play here. Any hacker connected to the same network can easily steal data.
Lost or stolen devices
Lost personal devices are a treasure chest of data for criminals because they are easy to break into with the right software. In contrast, corporate devices often have additional encryption to combat such cases.
Weak passwords
These are short passwords that use keyboard sequences or contain personal details like names, birth dates, etc. Criminals can crack such passwords in just a few minutes with brute force attacks. A brute force attack is the guessing of passwords with software.
Outdated operating systems
Old operating systems are behind on the latest security updates. That’s why devices running them are easier to hack, putting your data in danger.

As you can see, there is a pattern here. Data leaks can occur both due to flaws in technology and user behavior. So it is crucial to be aware of whom you’re sharing your details with (maybe grandma was right about being wary of the internet after all, huh?).

What data do criminals collect during a data leak/breach?

Cybercriminals steal a variety of data during leaks. To name a few:

  • Financial information – Credit card numbers, bank details, invoices, transaction statements, etc.
  • Personally Identifiable Information (PII) – Social security numbers, names, addresses. Any data that criminals can exploit for identity theft.
  • Vulnerable and sensitive data – Meeting recordings, agreements, classified documents, any confidential information related to politics or the military.
  • Medical or Personal Health Information (PHI) – Medical records: healthcare data related to a person’s physical or mental health both in the past and present.
  • Intellectual property – Corporate information like patents, trade secrets, blueprints, customer lists, contracts.

Apart from this data, cybercriminals can also gain access to other data that doesn't seem that significant at first glance: the names of your Facebook friends, what games you like to play (hello, Farmville), or who that dear first crush of yours is.

This stolen information can lead to criminals creating an accurate digital profile of you. Scammers can use such a profile for impersonation and phishing people close to you.

To give you a better picture of what data breaches and leaks look like, let’s take a look at the top 3 corporate security breaches of the 21st century.

Top 3 data breaches and leaks of this century

  1. Yahoo! – Cyberattack

Date: August 2013

Type: Breach

Impact: 3 billion accounts

How did it happen? Hacked databases

What data was stolen? Security questions and answers, plain text passwords

The company only announced the data breach 3 years later, in December 2016. At first, Yahoo estimated that 1 billion customer accounts were affected. However, they revealed the actual number of 3 billion less than a year later.

The hack began with a spear-phishing email sent to a Yahoo company employee. One click on a malicious link was enough for Russian state security service hackers.

Latvian hacker Aleksey Belan successfully hacked into Yahoo databases. Then he installed a backdoor for continuous access, and stole a backup copy of the Yahoo user database.

Verizon (the new owner of the Yahoo brand) gave assurances that the information exposed didn't include credit card and bank details. They also stated that the company took appropriate measures to inform all affected customers, including the newly estimated accounts.

  2. Alibaba – Poor security practices

Date: November 2019

Type: Leak

Impact: 1.1 billion pieces of user data

How did it happen? Unauthorized scraping

What data was stolen? Usernames and phone numbers

A developer working for an affiliate marketer was scraping customer data for eight months with crawler software. Data scraping is pulling information out of a website and into a spreadsheet, and it is an efficient way to snatch information for analysis and processing.

The perpetrator and employer used the confidential data for marketing purposes and didn’t sell it on the black market. However, the court sentenced them to 3 years in prison and charged 450,000 yuan ($70,260) in fines.

A Taobao (Alibaba’s Chinese shopping website) spokesperson stated that the company is intensively working on the issue with law enforcement and that it will defend the interests of its customers and partners.

  3. LinkedIn – Poor security practices

Date: June 2021

Type: Leak

Impact: 700 million users

How did it happen? API scraping

What data was stolen? Email addresses, phone numbers, geolocation records, genders, and other social media details

This data leak exposed more than 90% of LinkedIn’s user base. The compromised data was posted on a dark web forum by a hacker going by the nickname “God User”. The first data set included information about 500 million users. Then it was followed by the complete set of 700 million.

“God User” used data scraping, the same as in the previously mentioned Alibaba data leak. The only difference is that he was never caught and punished.

LinkedIn denied any sensitive data being leaked (neat, huh?). However, scammers can exploit the leaked information for malicious purposes such as social engineering attacks and other threats.

The key takeaway from these examples is that your information is always susceptible to data breaches, and they can take you by surprise (more shocking than a sudden family visit!).

If you’d like to read more about recent data breaches and leaks, you can check our articles on the Top 8 recent data breaches and The biggest data leaks in 2021.

How can your data leaks be used against you?

Here are a few common ways criminals can exploit your confidential data for personal gain:

  1. Commit payment card fraud – Use your existing credit cards (fraudulent charges) or open new ones under your name.
  2. Open new online accounts with your details (Facebook, Twitter, Amazon, etc).
  3. Doxxing – Publish confidential or protected information against your will.
  4. Surveillance – Predict and reshape your opinion, often used in political campaigns and to win over new customers.
  5. Impersonation – Pretend to be you (you have a clone now!).
  6. Black market sales – Sell your personal details on the dark web.
  7. Extortion – Demand payment to not disclose your sensitive information.

How do you prevent data leaks?

You can’t prevent data breaches, as that depends on how companies handle your data. However, you can indeed prevent data leaks.

Take security measures:

  • Use strong passwords – Make sure your passwords are at least 12 characters long and include symbols and lower-case and upper-case letters.
  • Use different passwords for every account – As convenient as it is, don’t reuse that same password on every account. This way, if it gets hacked, at least criminals won’t gain unauthorized access to your other accounts.
  • Update your devices’ operating systems – Don’t put off updates. The latest updates usually include security upgrades, so installing them is vital.
  • Set up 2FA authentication on accounts – It is an additional confirmation required from an authorized device to log in. Even if criminals know your password, they won’t be able to log in.
  • Protect your mobile devices – Set them up with a password, fingerprint, etc.
  • Watch out for spam emails – They often have suspicious domain names and links for phishing. Identity thieves or bots usually write with lousy grammar and the email domain name is either unheard of or is a bit different than usual.
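
The password rules in this list (at least 12 characters, symbols, lower-case and upper-case letters) and the weak-password traits described earlier (keyboard sequences, personal details) can be checked together in code. This is an added example, not part of the original article; the keyboard-row list, the four-key sequence threshold, and the sample passwords and personal details are assumptions made for illustration.

```python
import string

# Keyboard rows used to spot sequences such as "qwerty" (assumed list, US layout).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 12  # the article's "at least 12 characters"
SEQ_LEN = 4      # assumption: 4+ adjacent keys count as a keyboard sequence


def has_keyboard_sequence(password, seq_len=SEQ_LEN):
    """True if seq_len adjacent keys from one row appear, in either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - seq_len + 1):
                if direction[i:i + seq_len] in lowered:
                    return True
    return False


def contains_personal_detail(password, personal_details):
    """True if any supplied detail (name, birth year, ...) of 3+ characters appears."""
    lowered = password.lower()
    return any(len(d) >= 3 and d.lower() in lowered for d in personal_details)


def password_findings(password, personal_details=()):
    """Return a list of weaknesses; an empty list means every rule is met."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 12 characters")
    if not any(c.islower() for c in password):
        findings.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        findings.append("no upper-case letter")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbol")
    if has_keyboard_sequence(password):
        findings.append("keyboard sequence")
    if contains_personal_detail(password, personal_details):
        findings.append("contains personal detail")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords and personal details, for illustration only.
    details = ["Maria", "1987"]
    for pw in ["qwerty123", "Maria1987!", "Tr4il-Mango-Vortex"]:
        print(pw, "->", password_findings(pw, details) or "ok")
```
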

Use security tools:

  • VPN (Virtual Private Network) – a VPN hides your IP address and location, encrypts your data, and prevents third parties like your internet provider or hackers from inspecting your internet traffic.
    And if you’re worried that using a VPN will prompt a lot of captchas or prevent you from entering certain websites, don’t. The Dedicated IP feature takes care of that.
  • Data breach checker – You can use a service like Surfshark Alert and check if your digital data was breached. You can do that by adding your email address, national ID, or credit cards to monitoring.
  • Antivirus – It will provide you with real-time monitoring of your device storage and delete any malware that might find its way onto your devices.
  • Password manager – Security experts recommend this handy tool that will generate, store, and manage your passwords. This way, you can ensure complex and unique passwords for every single one of your accounts without having to remember them all. All you’ll need to remember is your master password.

How do you protect yourself if your details have already been leaked?

If your details were compromised, you should keep these tips in mind:

  • Change your passwords;
  • Contact your bank if your credit card details were compromised;
  • Scan your devices for malware;
  • Request deletion of the leaked account if you don’t use the service.

All in all, should you be concerned about data leakage? 

The short answer is: yes. More and more leaks occur due to advancements in technology, and ordinary security solutions are not keeping up. 

So why not take your online security into your own hands and give our One security suite a shot?

It’s better to be safe than sorry, right?

FAQ:

What does it mean when there is a data leak? 

It means sensitive personal data has been exposed to unauthorized third parties. One way to tell if your personal data has been leaked is if you’re suddenly getting spam emails.

Data leaks can occur due to dissatisfied employees sharing confidential information or unintentional loss or exposure of data by users. On the other hand, data breaches are caused by cyberattacks on company databases.

Is a data leak bad? 

Yes, a data leak can be pretty severe. Your leaked details can be used for various cybercrimes like identity theft, credit card fraud, doxxing, surveillance, black market sales, and many more. Because of that, you have to take proper security measures to prevent them.

What causes a data leak? 

A data leak is mainly caused by careless user behavior and business mismanagement of data. For example, security loopholes in software or hardware, installing malware, poor password strength, and lackluster company cybersecurity practices.

What does it mean when your password appears on a data leak?

It means that all of your accounts using this password and the associated email address are highly vulnerable to unauthorized access and data theft for malicious purposes. Make sure to change the leaked passwords, set up 2FA authentication (if not already set up), or even delete the account itself if you don’t use it.

How do you prevent data leakage?

Take proper security measures: use strong and unique passwords, set up 2FA authentication on accounts, avoid spam emails, and secure your mobile devices. Security tools can give you a helping hand as well: use a VPN, data leak checker, antivirus software, and a password manager.