Data breaches have become so routine that many people treat them like background noise — an annoying email, a password reset, then back to life. But the real danger often arrives later, when leaked details are stitched together into targeted attacks that feel personal, plausible, and hard to stop.
A BBC investigation into scam victims shows how this pipeline works in practice: old data leaks help criminals perform SIM swap attacks, hijack email accounts, open credit in someone’s name, or seize control of business advertising accounts. What looks like “just an email address leak” can become a direct route to money, identity fraud, and months of cleanup.
This explainer breaks down the mechanics: how SIM swaps succeed, why two-factor authentication can fail, and what practical steps actually reduce risk.
The breach-to-scam pipeline (in plain English)
Most scams that end in stolen funds follow a repeatable sequence:
- Personal data is exposed (through a breach of a company you used years ago).
- Criminals enrich it by combining multiple breaches, public info, and sometimes data-broker sources.
- They target the weakest link (a mobile number, an email inbox, or a “forgot password” workflow).
- They escalate — using the first compromise to reset passwords and take over other accounts.
The BBC’s cyber correspondent Joe Tidy notes that being a victim of a breach increases your chance of being targeted. The key is not that every breach leads to a scam, but that breaches supply the raw materials criminals need for believable impersonation.
SIM swap attacks: why your phone number is a master key
In one case, a woman named Sue told the BBC her digital life was hijacked via a SIM swap.
A SIM swap attack works like this:
- A criminal convinces a mobile network operator they are the real account holder.
- The operator issues a new SIM (or transfers the number), and the victim’s phone loses service.
- The criminal now receives calls and texts meant for the victim — including verification codes.
Once attackers control your number, they can intercept SMS-based security codes used for password resets and login verification.
Sue said scammers took over her Gmail and then locked her out of bank accounts after failed security checks. She also had a credit card opened in her name, and criminals purchased more than £3,000 in vouchers. Getting control back required several trips to her bank and mobile phone provider.
This story is a textbook example of why security professionals recommend moving away from SMS as your primary second factor for important accounts.
Where the scammers got Sue’s details
The BBC reports that Sue’s phone number, email address, date of birth and physical address were exposed in earlier breaches — including gambling platform PaddyPower (2010) and email validation tool Verifications.io (2019). Other compilations of hacked records also included her details.
A cybersecurity analyst cited by the BBC, Hannah Baumgaertner of Silobreaker, said attackers likely used leaked personal data to conduct the SIM swap. Once they had Sue’s phone number, they could intercept security codes sent to verify identity for Gmail.
This is the “breach aftershock” problem: even if the original breach is a decade old, the data can keep circulating, being repackaged, and being used as social-engineering proof.
How small hacks scale: the market for hijacked subscriptions
The BBC story also highlights a lower-stakes but extremely common kind of cybercrime: subscription account takeover.
Fran, in Brazil, told the BBC she found that someone had registered themselves on her Netflix account and increased her monthly subscription — a classic “freeloader” hijack.
The article says it’s not always possible to pinpoint a single breach as the root cause. But the BBC found Fran’s email address had been exposed in at least four breaches, including Internet Archive (2024), Trellov (2024), Descomplica (2021) and Wattpad (2020).
A security researcher quoted in the piece, Alon Gal of Hudson Rock, described a market for cracked streaming accounts, turning one company’s leak into ongoing abuse.
When two-factor authentication still fails
One of the most unsettling parts of modern scams is that attackers can sometimes bypass protections users assume are “enough.”
The BBC describes a small business owner, Leah, targeted by a phishing email that appeared to come from Facebook. She clicked a link, entered details on a fake Meta page, and scammers took over her business account even though she had two-factor authentication.
Attackers then posted child sexual abuse videos under her name (which got her account blocked) and, in the three days it took her to regain control, ran hundreds of pounds’ worth of adverts charged to her (she eventually got the money back).
How can 2FA still fail? Common paths include:
- Real-time proxy phishing: the fake site relays credentials to the real site and asks for the 2FA code, using it immediately.
- Session theft / token capture: some phishing kits capture the session cookie after login.
- Account recovery loopholes: if recovery email/phone is compromised, attackers reset access without triggering normal checks.
The point isn’t that 2FA is pointless — it’s that the strongest account is the one with multiple layers, not a single checkbox.
The role of data brokers and “enrichment”
Even when a breach doesn’t include everything an attacker wants, criminals can combine sources.
The BBC notes that scammers often mix stolen private information with public information. Investigators described how an attacker could connect a stolen email address with a publicly listed business number to send a more convincing phishing message.
That’s what makes modern scams feel creepy: the message doesn’t look like spam. It looks like it was written for you.
The scale problem: mass breaches fuel a global scam economy
The BBC notes that several high-profile attacks in 2025 exposed millions of records, listing examples such as:
- 6.5 million affected by a Co-op breach (April)
- a hack affecting Marks & Spencer customers (the company did not specify how many)
- 400,000 Harrods customers affected
- 5.7 million impacted in a Qantas hack
It also cites Proton Mail’s Data Breach Observatory: 794 verified breaches from identifiable sources discovered so far in 2025, exposing more than 300 million individual records.
At that scale, criminals don’t need to be brilliant. They need to be persistent and industrial.
What companies do (and don’t do) after breaches
Victims often discover there is no standard “breach aftercare.”
The BBC reports that offering free credit monitoring used to be common, but fewer firms are doing it now. It notes that some companies did not offer these services, while Co-op offered a voucher under conditions.
The article also mentions a growing trend of class action lawsuits — though hard to win because proving individual impact is difficult — and a notable settlement: T-Mobile agreed to pay $350m after a 2021 breach affecting 76m customers, with reported payments ranging from $50 to $300.
A realistic response plan if you suspect a SIM swap
Because SIM swaps are time-sensitive, it helps to have a checklist.
- If your phone suddenly loses service (and you’re not in a dead zone), treat it as urgent.
- Call your carrier from another phone and ask if a SIM transfer or number port happened.
- Request an immediate lock on further SIM changes and reset the account credentials/PIN.
- Secure your primary email account next, because it can reset everything else.
- Change passwords for banking, payment apps, and any accounts tied to SMS codes.
- Check for new accounts/credit activity in your name.
Even if the attack turns out to be a network issue, you lose little by moving fast.
Practical steps that reduce risk (without paranoia)
You can’t prevent a company you used years ago from being breached. But you can make leaked data less useful to attackers.
1) Protect your mobile account
- Ask your carrier about account PINs, port-out locks, and extra verification.
- Minimise how many services use SMS as a recovery method.
2) Use stronger authentication where possible
For your most important accounts (email, banking, password manager), prefer the following over SMS codes:
- authenticator apps (TOTP)
- passkeys
- hardware security keys
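The following constructed example, written for this explainer rather than taken from the BBC report, ties together the real-time proxy phishing path described under “When two-factor authentication still fails” and the recommendation above to prefer passkeys or hardware keys over codes: it shows a relying party verifying a TOTP code (which carries no information about where the user typed it) next to a simplified WebAuthn-style assertion (which is bound to the origin the browser was on). The relying party origin, the lookalike domain and the credential key are hypothetical, and HMAC stands in for the authenticator’s ECDSA signature.

```python
"""Constructed demo (not from the article): why a TOTP code relayed through a
proxy-phishing page verifies, while a passkey assertion made on that page does not.
The relying party (RP) is the hypothetical https://accounts.example.test; HMAC
stands in for the authenticator's ECDSA signature, the origin/rpId checks are real."""
import hashlib, hmac, json, struct

RP_ID = "accounts.example.test"
RP_ORIGIN = "https://" + RP_ID
LOOKALIKE_ORIGIN = "https://accounts.examp1e.test"   # constructed phishing domain

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Accept the current or an adjacent time step. Where the user typed the code
    is not an input, so a code relayed by a phishing page looks genuine."""
    return any(hmac.compare_digest(totp(secret, now + d), code) for d in (-30, 0, 30))

def rp_id_of(origin: str) -> str:
    return origin.split("://", 1)[1]

def sign_assertion(cred_key: bytes, challenge: str, origin: str) -> dict:
    """Simplified authenticator output: the browser supplies the origin it is on,
    and both clientDataJSON and rpIdHash are covered by the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id_of(origin).encode()).digest() + b"\x01\x00\x00\x00\x00"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, to_sign, hashlib.sha256).digest()}

def verify_passkey(cred_key: bytes, issued_challenge: str, a: dict) -> bool:
    """RP-side checks in spec order: fresh challenge, expected origin, rpIdHash,
    then the signature over authData || SHA-256(clientDataJSON)."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:          # assertion was made on another site
        return False
    if a["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, to_sign, hashlib.sha256).digest(), a["sig"])
```

In a real browser the relay fails even earlier: WebAuthn refuses to exercise a credential whose RP ID does not match the page’s origin, so the lookalike page never obtains an assertion at all.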
3) Use a password manager + unique passwords
Credential stuffing is still cheap. Unique passwords stop one breach from unlocking everything.
4) Treat your primary email like the “root account”
If criminals get into your email inbox, they can reset almost every other account. Make sure your email account is:
- strongly authenticated
- protected by secured recovery options
- monitored for suspicious logins
Bottom line
Data breaches aren’t just a privacy problem — they’re the supply chain for scams. Old leaks can be combined with public information to impersonate you, steal your phone number through a SIM swap, bypass logins, and turn a single compromise into a cascade across email, financial accounts, and social profiles. The most effective defence is layered: protect your phone number, secure your primary email, and move away from SMS-based security wherever you can.