What Is a Data Breach?

In plain English

A data breach is when information a business holds about people is exposed or stolen. The details end up somewhere they were never meant to be, and the people they belong to are usually the last to know.

The idea

Every company you deal with keeps something about you. An email address at minimum, usually a password, often an address and an order history.

A breach is when that collection leaves. Sometimes it is a break-in. Sometimes it is a database left open with no password on it, which is duller and more common than people expect. Sometimes it is a supplier who held the data on the company's behalf.

The cause varies. The result does not. Once it is out, it is out, and it gets copied, traded and searched for years afterwards.

What tends to be exposed

It depends what was kept, which is the important lesson for owners further down.

  • Email addresses. Almost always. On their own they mostly mean more spam and better targeted phishing.
  • Passwords. Sometimes properly hashed and slow to crack. Sometimes hashed badly. Occasionally stored as plain text.
  • Names, addresses and phone numbers. This is what makes a follow-up scam convincing, because the caller already knows your last order.
  • Payment details. Less common, because most shops let their processor hold the card. When it does happen, it is serious.
  • Order history and support messages. Rarely mentioned in the announcement, and often the most personal part.

Why one breach becomes many

Because of password reuse. This is the single thing worth taking from this page.

Say a small forum you signed up to years ago is breached, and your email and password go with it. That pair then gets tried, automatically, against email providers, shops and banks. Not by a person. By software, at enormous scale.

If you used that password anywhere else, those accounts are now open too. The forum did not matter. The reuse did. And email is the worst one to lose, because every other account has a reset link pointing at it.

What to do if you are caught in one

Calmly, and in this order.

  • Change that password, and every place you reused it. The reused ones are the urgent part. The breached site itself is often the least of it.
  • Turn on two-factor authentication. Start with your email, then anything holding money. A stolen password stops being enough.
  • Use different passwords from here on. A password manager makes that practical. Nobody remembers unique passwords, and nobody should try.
  • Watch the accounts. Check statements, and take login alerts seriously rather than dismissing them.
  • Expect the follow-up. Breached details get used to make scams believable. A message that knows real things about you is not proof it is genuine. Our phishing guide covers the signs.

If you hold other people's data

The best defence is having less to lose. Keep only what you actually need, and delete what you no longer use.

Nobody ever regretted not storing something. Card numbers you did not keep cannot be taken. Old accounts you cleared out cannot appear in a dump. Every extra field is a liability you chose.

Beyond that, hash passwords properly, restrict who can reach the database, and take the same care with suppliers who hold data for you, because their breach becomes yours.

And publish a security.txt. Researchers regularly find exposed data and cannot work out who to tell, so it goes public instead. That file is a short, standard way of saying: here is where to send it. It costs nothing and it is the difference between a quiet fix and a bad week.

You can see whether your site has one, along with the rest of your setup, with a free check.

Need to fix this on your own site?

We have step by step instructions for every major platform, including the ones that will not let you.

See how to add security.txt

Related terms

Browse the full glossary →

See where your site stands.

Run a free check and find out which of these your site already passes, in seconds.

Run a free check Browse the fixes