
What Actually Happens to Your Data When a Site Gets Hacked

When a company announces a "data breach", what does that actually mean for you? Here's the real timeline — from the hack to your inbox — and what to do about it.

OneKitTools Team, April 14, 2026

"We Take Your Security Seriously"

You've received the email. A company you use has suffered a "security incident." They "take your privacy seriously." They're "working with leading cybersecurity experts." They recommend you "change your password as a precaution."

What does this actually mean? What happened to your data? And what are those hackers doing with it right now?

How a Breach Actually Happens

The most common scenarios:

SQL injection — An attacker finds a form on the site (search, login, contact) whose input is pasted straight into a database query. Instead of a username they type ' OR 1=1 --: the quote closes the string the application built, OR 1=1 makes the condition true for every row, and -- comments out the rest of the query. Depending on the query, that logs the attacker in without a password or returns the whole table. This class of bug is decades old and still common.

Credential stuffing — Attackers take passwords from other breaches and try them on the target site. If you reused a password from a site that was breached in 2019, the attacker has your credentials ready to try.

Phishing an employee — Someone in the company clicks a convincing fake email, gives up their credentials, and the attacker now has internal access. Many major breaches started with one employee's phishing click.

Unpatched software — A server running an old version of a framework or library with a known vulnerability. The attacker exploits it, gains access, extracts data.

Insider threat — Rarer but real. A disgruntled employee, a contractor with too much access.
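The SQL injection scenario above, reproduced against an in-memory SQLite database. This is an added example, not code from the original post: the table, the two demo accounts and the search query are constructed for the demonstration, and passwords are kept in plaintext only so the injection itself stays visible (how passwords should actually be stored is covered further down). The vulnerable functions splice user input into the SQL text; the hardened one uses placeholders, so the same input is treated as a literal string.

```python
import sqlite3

# The payload from the text: closes the quoted string, makes the WHERE clause
# always true, and comments out whatever the application appended after it.
INJECTION = "' OR 1=1 --"


def make_db():
    """Constructed sample data: two demo accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable login: user input becomes part of the SQL text.

    With username = "' OR 1=1 --" the query the database sees is
      SELECT username FROM users WHERE username = '' OR 1=1 --' AND password = '...'
    so every row matches and the attacker is 'logged in' without a password.
    """
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Hardened login: parameterized query.

    The driver sends the values separately from the statement, so the quote
    and the comment marker in the input never reach the SQL parser as syntax.
    """
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


def search_vulnerable(conn, term):
    """The 'returns everything' case: a search box with the same flaw.

    A search for 'zzz' finds nothing; 'zzz' + INJECTION returns every row,
    passwords included, because the injected OR 1=1 overrides the LIKE filter.
    """
    sql = f"SELECT username, password FROM users WHERE username LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, INJECTION, "wrong"))
    print("safe login:     ", login_safe(db, INJECTION, "wrong"))
    print("search dump:    ", search_vulnerable(db, "zzz" + INJECTION))
```

The fix is not input filtering but separating code from data: with placeholders the database never parses user input as SQL, whatever characters it contains.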

What They Take

Not all breaches are equal. What an attacker extracts depends on what the company stored:

Tier 1 — Worst (frequently sold for $5–50 per record)

  • Full name + email + phone + date of birth + physical address
  • Partial or full credit card numbers
  • Social security / national ID numbers
  • Passwords in plaintext (yes, this still happens)

Tier 2 — Bad

  • Email + hashed password (the usual case)
  • Username + account metadata
  • Purchase history

Tier 3 — Annoying but contained

  • Email address only
  • IP addresses

The company's breach notification typically describes what was exposed. Read it carefully.

What Happens to the Data Next

Hour 0 — The exfiltration

The attacker copies the data. They may have been inside the system for days or months before anyone noticed; one widely cited industry estimate puts the average "dwell time" before discovery at 197 days.

Days 1–7 — Internal use or sale

The attacker either:

  • Uses the data themselves (if it's their target company or if they want specific accounts)
  • Sells it on darknet markets immediately, while the passwords are still fresh and unreset

Weeks 1–4 — The breach goes public

Either the company discovers it (through security tools, a researcher's tip, or ransom demand) or it appears on a hacker forum. The company notifies users — often weeks after it happened.

Month 1–12 — Credential stuffing campaigns

Attackers run your email+password combination against major services: Gmail, Netflix, PayPal, banks. Automated tools try thousands of combinations per minute. If you reused that password anywhere, it will be found.
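What the campaign described above looks like from the receiving service's side, as an added example (not code from the original post): a stuffing tool works through a leaked email+password list, so one source address tries many different accounts in quick succession, almost all of them failing, and the occasional success marks a user who reused their password. The log format, the IP addresses and the accounts below are constructed for the demo, and the thresholds are set to demo scale; a production detector would use larger windows and counts.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 sprays six different accounts in two seconds: a stuffing run,
# and the one OK line is a reused password being found.
# 198.51.100.5 is one person fat-fingering their own password twice.
SAMPLE_LOG = """\
2026-04-14T03:12:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2026-04-14T03:12:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2026-04-14T03:12:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2026-04-14T03:12:02Z ip=203.0.113.7 user=dave@example.com result=OK
2026-04-14T03:12:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2026-04-14T03:12:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2026-04-14T03:15:40Z ip=198.51.100.5 user=alice@example.com result=FAIL
2026-04-14T03:15:55Z ip=198.51.100.5 user=alice@example.com result=FAIL
2026-04-14T03:16:10Z ip=198.51.100.5 user=alice@example.com result=OK
2026-04-14T03:20:00Z ip=192.0.2.9 user=grace@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def detect_stuffing(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts with mostly failed logins.

    Returns {ip: {"distinct_users", "attempts", "fail_ratio", "compromised"}} where
    "compromised" lists accounts the flagged source logged into successfully, i.e.
    the users whose reused password has just been confirmed.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": []})
    for event in events:
        stats = per_ip[event["ip"]]
        stats["users"].add(event["user"])
        stats["attempts"] += 1
        if event["result"] == "FAIL":
            stats["failures"] += 1
        else:
            stats["hits"].append(event["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        # A single user failing a few times is a typo, not a campaign: the
        # distinct-account count is what separates stuffing from brute force.
        if len(stats["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "fail_ratio": round(fail_ratio, 2),
                "compromised": stats["hits"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The response to a hit is the same thing the article tells users to do, applied from the other side: force a password reset and invalidate sessions for the accounts in "compromised", and rate-limit or block the source.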

Year 1+ — The long tail

Breached data doesn't expire. A 2018 breach might be used for phishing campaigns in 2026. Data from multiple breaches gets combined ("data enrichment") to build more complete profiles for targeted attacks.

How Passwords Are (Should Be) Stored

When a company stores your password, they should never store the actual password. Instead they store a hash — a one-way mathematical transformation.

  • You set password: hunter2
  • Site stores: f52fbd32b2b3b86f... (the SHA-256 hash of hunter2)
  • When you log in: site hashes your input and compares the hashes

The problem: not all hashing is equal.

MD5 — Fast to compute, fast to crack. A single GPU can try on the order of 10 billion MD5 hashes per second. In a leaked database of 10 million MD5-hashed passwords, every password that appears in a common wordlist falls within minutes.

SHA-256 (unsalted) — Better, but still fast. Rainbow tables (precomputed hash databases) crack common passwords instantly, because every site that uses unsalted SHA-256 stores the same digest for the same password. Salting the hash with a random per-user value defeats precomputed tables, but a fast hash, salted or not, can still be brute-forced at GPU speed.

bcrypt / Argon2 — Designed to be slow and tunable. The same GPU that tries billions of MD5 hashes per second manages orders of magnitude fewer bcrypt or Argon2 hashes, and the site can raise the work factor as hardware improves. A breach of bcrypt-hashed passwords buys users months rather than minutes, provided the passwords themselves are not in a common wordlist; "password123" falls quickly under any algorithm.

Plaintext — Yes, some companies still store passwords in plaintext. If a breach notification says "passwords were exposed," not "hashed passwords were exposed," this is a red flag.
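The difference between the storage schemes above, made concrete. This is an added example, not code from the original post. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt/Argon2 (those need third-party packages; the iteration count of 600,000 is the OWASP-recommended floor for this KDF), and the wordlist and demo passwords are constructed. Against unsalted SHA-256 the attacker hashes the wordlist once and cracks by lookup; against salted slow hashes every guess has to be recomputed per user at the full cost of the function.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: the kind of "top passwords" list every cracker starts with.
WORDLIST = ["123456", "password", "qwerty", "hunter2", "letmein"]


def sha256_unsalted(password):
    """What a site storing bare SHA-256 keeps: same password, same digest, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute once, reuse against every breach (the idea behind rainbow tables)."""
    return {sha256_unsalted(word): word for word in wordlist}


def crack_unsalted(stored_hashes, table):
    """Cracking unsalted fast hashes is a dictionary lookup: no hashing at attack time."""
    return {h: table[h] for h in stored_hashes if h in table}


# PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2 here because it ships with Python.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Salted, slow hash. A fresh 16-byte salt per user means two users with the
    same password get different stored values, so no table can be precomputed."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_list, wordlist):
    """Dictionary attack on salted slow hashes.

    The lookup table is useless; every candidate must be run through the KDF
    for every user. Returns (cracked, kdf_calls) so the cost is visible.
    """
    cracked, kdf_calls = {}, 0
    for stored in stored_list:
        for word in wordlist:
            kdf_calls += 1
            if verify_password(word, stored):
                cracked[stored] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    leaked_sha256 = [sha256_unsalted("hunter2"), sha256_unsalted("Tr0ub4dor&3xQ")]
    print("unsalted SHA-256 cracked:", crack_unsalted(leaked_sha256, build_lookup_table(WORDLIST)))
    leaked_salted = [hash_password("hunter2"), hash_password("Tr0ub4dor&3xQ")]
    cracked, calls = crack_salted(leaked_salted, WORDLIST)
    print("salted PBKDF2 cracked:", list(cracked.values()), "after", calls, "KDF calls")
```

Note what the slow hash does and does not buy: hunter2 still falls, because it is in the wordlist; the gain is that the attacker pays the full KDF cost for every guess against every user, which is what turns minutes into months for the passwords that are not in any list.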

What to Do When You Get the Email

Immediate (first 24 hours):

  1. Change your password on that site — even if the breach only affected hashed passwords
  2. If you used that same password anywhere else, change it there too — everywhere, that same day
  3. Check whether the site held sensitive data (credit card, SSN); if so, monitor your credit

Within the week:

  1. Enable 2FA on the breached site if it wasn't already on
  2. Check your email against the HaveIBeenPwned database to see the full picture of your exposure
  3. Generate a new unique password for every site you find has been breached (Password Generator)

Long-term:

  1. Use a different password for every site — always. A password manager makes this tractable.
  2. Enable 2FA on email — it's the recovery key for everything else
  3. Consider a credit freeze if your SSN/national ID was exposed

The One Thing That Actually Matters

Password reuse is the root of most account takeovers after a breach. If your LinkedIn password from 2012 is the same as your Gmail password today, a breach from 2012 is still a current threat.

Check if your email has been in a breach. If it has, treat every password you used at that time as compromised — and generate fresh ones.
