Scammers hacked her phone and stole thousands of pounds

Joe Tidy, Cyber correspondent for the BBC World Service


Data breaches are becoming so common that it can be difficult to know how to react when one happens to you. It's often easy to brush this off, but there are risks.

Becoming a victim of a data breach increases your chances of becoming a victim of criminals and scammers.

Sue told the BBC how she was targeted by scammers. We discovered that her data was leaked on the Internet.

[Image: Sue, a smiling woman in a baseball cap, standing next to a horse. Caption: Fraudsters stole her digital life.]

She was the victim of a so-called SIM swap attack, where scammers trick the network operator into thinking they are the account owner in order to get a new SIM card for a mobile device.

They used it to take over almost all of her online accounts through her phone. She said the experience was “horrible”.

“Scammers took over my Gmail account and then blocked me from accessing my bank accounts because they did not pass security checks,” she said.

A credit card was also opened in Sue's name, and the criminals purchased more than £3,000 worth of vouchers.

It took her several trips to her bank and mobile phone service providers to get her accounts back.

And the thieves didn't stop there.

“The criminals also did a sinister thing by hacking my WhatsApp,” she said. “They sent messages to riding groups I'm in, warning that there were people who were going to hit the horses.”

We searched hacker databases using online tools such as haveibeenpwned.com and Constella Intelligence to see if Sue's data had previously been compromised.

Her phone number, email address, date of birth and physical address were exposed in data breaches on gaming platform PaddyPower in 2010 and email verification tool Verifications.io in 2019. Other collections of hacked records also included her data.

Hannah Baumgertner from cyber firm Silobreaker said the attackers were likely using personal data leaked in previous hacks to carry out the SIM card swapping attack.

“Once they had access to Sue's phone number, they were able to intercept any security codes sent to verify her identity for her Gmail account,” she said.

Netflix captured

But scammers are not always targeting large payouts.

Fran from Brazil told the BBC she discovered a user had signed up to her Netflix account and increased her monthly subscription.

“My payment card was charged $9.90 (£7.50) even though I didn’t make the purchase,” she said.

“I immediately contacted my family to see if anyone had added another profile to our shared account, but they all said no.”

Fran became the victim of a common scam when her Netflix account was taken over by a freeloader.

It's not known exactly how they got into her account, and the murky world of cybercrime means it's difficult to pinpoint whether one data breach resulted in anyone being scammed.

But we found that Fran's email address was exposed in at least four data breaches, including the Internet Archive hack (2024), Trello (2024), Descomplica (2021) and Wattpad (2020), according to the website haveibeenpwned.com.

The password she used for her Netflix account is not in public databases, but may be in others.

“There is a huge market for hacked Netflix, Disney and Spotify accounts,” said Alon Gal, co-founder of cybersecurity company Hudson Rock.

“This is a low-barrier entry point for cybercrime, turning one company's data breach into widespread and ongoing abuse.”

Fraudsters often combine stolen personal information with publicly available information.

Leah, who did not want to give her real name, runs a small business using Facebook ads and was recently the target of a long-running scam allegedly originating in Vietnam.

“I received a phishing email from [email protected] saying I was owed a refund. I clicked the link and entered my details on the fake Meta page and the scammers were able to take over my business account even though I had two-factor authentication.

“Then they posted a child sexual abuse video under my name, which got me banned. I was even banned from using Messenger to complain to Meta.”

In the three days it took Leah to get her business account back, scammers placed hundreds of pounds worth of adverts she had paid for. Eventually she got her money back.

Constella Intelligence's Alberto Casares searched hacker databases and found that Leah's email address and other data were obtained from the Gravatar breach (2020) and this year's Qantas data breach (a third-party hack).

“It appears that the attackers used a common technique: linking Leah’s personal stolen email address to her public work number to launch a spear phishing attack on the email account.”

They could do it themselves, or pay a data broker for a range of potential targets, he said.

Massive data leaks

Massive data breaches are fueling fraud and secondary hacks around the world, with several high-profile attacks occurring in 2025 alone.

According to the Proton Mail Data Breach Observatory, there were 794 confirmed breaches from identifiable sources in 2025, with more than 300 million individual records exposed.

“Criminals pay a high price for stolen data because they continually profit from fraud, extortion and cyber attacks,” the company's Eamonn Maguire said.

Beyond notifying customers and regulators of breaches, there are no hard and fast rules about what companies should do for victims.

For example, it used to be common to provide free credit monitoring.

Last year Ticketmaster, whose hack affected 500 million people, offered this to some people.

But this year, fewer firms are doing so. For example, Marks and Spencer and Qantas did not offer similar services to customers.

The Co-op decided to give victims a £10 voucher if they spent £40 in its stores.

Some victims are seeking compensation through the courts, with a growing trend of class action lawsuits, although these are notoriously difficult to win because it is hard to prove how individuals are affected.

But some have been successful.

T-Mobile has begun paying customers affected by a major data breach in 2021 that affected 76 million customers.

The firm agreed to pay $350 million, with payments reportedly ranging from $50 to $300.
