What Hackers Do with Stolen Data & How to Reduce Your Risk After Data is Taken
The constant onslaught of data breaches is so exhausting that the term “breach fatigue” has emerged in recent years to describe the public’s growing sense of burnout. Let’s look at what hackers do with stolen data and how you can reduce your organization’s risks after your data is taken.
Attackers often leverage stolen data to commit more crimes, by breaking into accounts, transferring funds, perpetrating fraud, and more. Often, data stolen from one organization is used to hack into another, as criminals target customer accounts across many platforms and vendors with access to many systems.
While the problem of data breaches can seem overwhelming, the good news is that there are steps every organization can take to reduce risk to your community, even after a breach. In this article, we’ll discuss what hackers do with stolen data, and provide practical tips for reducing risk when—not if—sensitive information is leaked to the world.
What Hackers Do with Stolen Data
According to the 2021 Verizon Data Breach Investigations Report, the vast majority of criminals — around 90% — are motivated by financial gain. For example, a well-known cybercriminal gang, ShinyHunters, auctioned off a database which they claimed was stolen from AT&T. Supposedly, the database contained the personal information of roughly 70 million AT&T customers and was peddled at a starting price of $200,000. When AT&T denied that the data had come from them, ShinyHunters told BleepingComputer, “I don’t care if they don’t admit. I’m just selling.”
Let’s take a look at what hackers do with stolen data and the common types of data they target:
- Passwords: Attackers use stolen passwords to conduct credential stuffing attacks, in which they “stuff” credentials into the login forms of many different unrelated cloud services. Since many people re-use the same password for different sites, often the password for one service will work on another. For example, on the dark web, attackers can buy lists of stolen LinkedIn passwords and then use automated tools to try these passwords in popular ecommerce, banking, email hosting, and other services. Attackers may also use stolen passwords to gain access to an organization’s environment so they can carry out more advanced attacks, such as ransomware, and hold the whole organization hostage.
- PIN Numbers: Thinking back to our AT&T example, when account PIN numbers and passwords are exposed, it poses a real threat to any impacted customer. These two pieces of data can allow a scammer to have the SIM card linked to a user’s phone number changed to a new SIM card and device, effectively allowing them to take over phone numbers. This attack, known as SIMjacking, can enable criminals to hijack your phone line, log into your online accounts, and steal two-factor authentication codes sent via SMS or phone. When you think about what hackers can do with stolen data, this tactic is very concerning since it enables the hacker to bypass two-factor authentication security. In addition, many people re-use the same PIN for other purposes (including debit card withdrawals, credit card account access, and bank security codes), which means they are valuable for criminals seeking access to other accounts as well.
- Social Security Numbers (SSNs) and Tax IDs: Criminals use stolen SSNs to facilitate a wide range of fraud. For example, a criminal might telephone a bank and use a stolen SSN to gain access to account information or make a transfer. Since millions of SSNs have been breached and cannot be changed, organizations are moving away from relying on them as a sole form of authentication—but often, the SSN is used in combination with other information to verify a customer’s identity. Today, criminals use stolen SSNs as leverage in extortion attacks, threatening to publish them unless the targeted organization pays their demand.
- Employee W-2 Forms: Stolen W-2s are gold for cybercriminals, who can use this information to file for unemployment, open credit cards in a victim’s name, collect tax refunds, and more. You’d be surprised how many organizations will fail to notice fraudulent unemployment claims related to people who are still working for them. The larger the company, the easier it is for a few fraudulent claims to fly under the radar.
- Payment Card Information: Payment card numbers often sell for anywhere from $25 to $240 each. These are a quick source of cash for criminals, who can sell them in bulk on the dark web or monetize them by making fraudulent purchases or withdrawing cash. When paired with a matching stolen identity, they can be a big payday!
- Medical Records: Stolen medical records can be worth up to $250 per record on the dark web (we’ve also seen them listed for more). These are considered very valuable since they often include extensive personal details that can be used for financial fraud, prescription drug fraud, identity theft, insurance fraud, extortion, and more.
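Credential stuffing, as described in the Passwords item above, leaves a recognizable trace in authentication logs: one source tries many different usernames and nearly all attempts fail. The following is an added example, not part of the original article, that flags that pattern and lists the accounts where a reused password worked. The log format, function names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (assumed format: timestamp source_ip username result).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 198.51.100.20 grace FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave OK
2024-05-01T10:00:05Z 198.51.100.20 grace OK
2024-05-01T10:00:05Z 203.0.113.7 erin FAIL
2024-05-01T10:00:06Z 203.0.113.7 frank FAIL
2024-05-01T10:00:07Z 192.0.2.15 heidi OK
malformed line without enough fields
"""


def parse_events(log_text):
    """Yield (source_ip, username, succeeded) and skip lines that do not parse."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] in ("OK", "FAIL"):
            yield fields[1], fields[2], fields[3] == "OK"


def find_stuffing_sources(log_text, min_users=5, max_success_rate=0.2):
    """Flag sources that try many distinct usernames and mostly fail.

    Thresholds are illustrative assumptions; tune them to your own traffic.
    Returns {ip: {"distinct_users", "attempts", "accounts_to_reset"}}.
    """
    tried, hits, attempts = defaultdict(set), defaultdict(set), defaultdict(int)
    for ip, user, ok in parse_events(log_text):
        tried[ip].add(user)
        attempts[ip] += 1
        if ok:
            hits[ip].add(user)
    flagged = {}
    for ip, users in tried.items():
        success_rate = len(hits[ip]) / len(users)
        if len(users) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": attempts[ip],
                # A reused password worked here: treat the account as taken over.
                "accounts_to_reset": sorted(hits[ip]),
            }
    return flagged
```

A single user mistyping a password (198.51.100.20 in the sample) is not flagged, because the rule keys on the number of distinct usernames per source rather than on failures alone.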
Tips to Reduce Risk to Your Organization
Now that we’ve discussed what hackers do with stolen data, let’s look at reducing your risks after your data is taken. Once confidential data is released, the genie can’t be put back in the bottle—the information is out. However, there are effective steps that your organization can take to minimize the impact of stolen data.
- Shift Away from Knowledge-Based Authentication: Organizations routinely verify the identity of individuals using secrets. You type your password into a login form, provide your Social Security Number over the phone, share your first pet’s name with call centers. All of these are examples of knowledge-based authentication (KBA). While these systems are easy to set up, they can easily be subverted by criminals with access to the right stolen secrets. Instead, explore alternatives for authentication that don’t rely on static secrets. For example, you can have customers set up authenticator apps on their phones which you can use to verify their identity over the phone or online. Many organizations now issue hardware fobs such as the Yubikey for authenticating employees, or set up biometric authentication using fingerprints or facial recognition. While it can take time and training for your team to get used to a new form of authentication, these alternatives are growing in popularity.
- Use Multifactor Authentication (MFA): Instead of relying on one form of authentication, consider combining multiple methods to reduce the risk of an attack. A password may be stolen, but if the user is additionally required to confirm a login request via an app, then this adds an extra layer of defense. See LMG Security’s tip sheet on passwords and authentication for more details.
- Deploy a Password Manager: In this day and age, we need passwords for everything, and our brains can only store so much of that information on their own. Implementing a secure password manager can be a cost-efficient way to help your community resist attacks. With a password manager in place, your team can choose unique, strong passwords, without having to remember them all. (Bonus: No more ugly Post-It notes with passwords scrawled across them!)
- Conduct Regular Phishing Training and Simulations: Criminals often leverage stolen information in their scams. Make sure that your staff are prepared to recognize and resist attacks, even when criminals are armed with powerful information. Be sure to include vishing (voice phishing) training in these simulations. Voice can be tricky, especially when criminals have more information than you might think, allowing them to be particularly convincing.
“Information wants to be free,” wrote Stewart Brand. Unfortunately, data breaches can have devastating consequences and perpetuate even more cybercrime. Since you now know what hackers do with stolen data, you are better prepared to face an attack. Remember that by relying less on secrets, and more on strong security technologies, you can better protect your organization.