How hackers sell personal data, and what happens to yours after a breach
When criminals steal personal data in a breach, their next step is almost always to sell it. This happens on dark web marketplaces, hidden corners of the internet accessible only through specialized software, where stolen information is bought and sold like any other commodity. Cybercriminals list data by type, volume, and freshness, set prices based on supply and demand, and complete transactions using cryptocurrency to stay anonymous. The process moves fast: stolen records can appear for sale within hours of a breach occurring.
The scale of that underground market is enormous. In 2024 alone, the FTC received 3.7 million reports of fraud and identity theft, which works out to more than 10,000 reports every day.[1] Consumers also reported losing more than $12.5 billion to fraud in 2024, underscoring how quickly stolen data can turn into real financial harm.[2]
Understanding how this market works explains why you may receive breach alerts from companies you don’t recognize, why your data can surface years after a breach, and why protecting yourself requires ongoing monitoring rather than a one-time scan. That is also why tools like dark web monitoring and identity theft protection matter after a breach, not just before one.
How hackers sell personal data, step by step
Step 1: A company is breached
Hackers break into a company’s database through tactics like phishing, malware, credential stuffing, or unpatched software vulnerabilities. Once inside, they steal as many records as possible, sometimes millions at once.
Step 2: The data is sorted and bundled
Raw stolen information is sorted by type and value. Hackers may sell individual records, but more commonly they package data into bundles. A “fullz” package (industry slang used by cybercriminals) is a complete identity profile containing a person’s name, address, date of birth, Social Security number, and financial account details. Fullz packages fetch higher prices because they give a buyer everything needed to commit identity theft without additional research.
Step 3: It is listed for sale on dark web marketplaces
Data is listed on dark web forums and marketplaces that operate like underground e-commerce sites. Sellers post product descriptions, pricing, and in many cases, buyer ratings from previous transactions. Well-known forums such as BreachForums have facilitated the sale of massive amounts of stolen data before being disrupted by law enforcement.
Step 4: A buyer purchases the data
Buyers often pay using Bitcoin or other cryptocurrencies, which obscures the identities of both parties. The price depends on what kind of data is being sold, how complete it is, and how recently it was stolen.
Step 5: The data keeps spreading
Purchased data rarely stays with one buyer. Records are resold, bundled into new packages called combo lists, and redistributed across multiple platforms for months or even years. This is why the same compromised credentials can appear in breach alerts long after the original incident.
That risk is magnified by the sheer volume of compromised credentials already circulating online. An estimated 24.6 billion username and password combinations are in circulation on the dark web—roughly four for every person on Earth.[3]
What stolen personal data sells for
Not all personal data carries the same value on dark web marketplaces. Pricing is driven by how useful a data type is for committing fraud, how recently it was stolen, and how much of it is currently available. The following price ranges are drawn from the Privacy Affairs Dark Web Price Index, a widely cited industry research resource.[4]
These figures illustrate why data breaches are not just an IT inconvenience; they are a supply chain for a profitable criminal industry. Separate market analysis found more than 22,000 dark web listings for stolen data and over 720,000 completed sales tied to those listings.[5]
The broader economic impact extends far beyond any one victim or one breach. Cybercrime was projected to cost the global economy $10.5 trillion annually by 2025.[6]
Why you might not recognize the company in your breach alert
Because stolen data is repackaged, resold, and redistributed through multiple layers of the criminal marketplace, the company name on your breach alert may not be one you recognize or remember interacting with. To understand why, it helps to look at what happens to personal data after it is stolen and sold.
One of the biggest reasons unfamiliar company names show up in alerts is the spread of combo lists. Combo lists are large collections of stolen usernames and passwords gathered from multiple breaches and combined into a single file. Criminals buy and sell these lists in bulk, then use them to try the same login credentials across other accounts in a tactic known as credential stuffing. Because many people reuse passwords, a single exposed login from one breach can lead to unauthorized access attempts across dozens of unrelated services.
That means your information may appear in a breach alert tied to a company you do not recognize, even if that company was not the original source of the exposure. Instead, your credentials may have been bundled into a combo list, resold on a dark web forum, and later detected in circulation.
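As an added illustration (not part of the original guide), the sketch below shows how a service operator can spot the combo-list replay described above in its own login records: one source trying many different accounts with almost no successes. The log format, thresholds, function name and sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Hypothetical log format: "login ip=<addr> user=<email> result=<ok|fail>"
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

def find_stuffing_sources(lines, min_users=5, max_success_ratio=0.25):
    """Flag source IPs whose logins look like combo-list replay.

    A person mistyping a password hits ONE account many times. A shared
    office address hits many accounts but nearly all succeed. Replay of a
    combo list hits MANY accounts and almost all attempts fail.
    """
    users, hits, attempts = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login event
        ip, user = m["ip"], m["user"].lower()
        users[ip].add(user)
        attempts[ip] += 1
        if m["result"] == "ok":
            hits[ip].add(user)

    flagged = {}
    for ip, seen in users.items():
        ratio = len(hits[ip]) / len(seen)
        if len(seen) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "users": len(seen),
                "attempts": attempts[ip],
                # Accounts where a reused password worked: force a reset.
                "compromised": sorted(hits[ip]),
            }
    return flagged

# Constructed sample data (documentation-range IP addresses).
SAMPLE_LOG = (
    [f"login ip=203.0.113.7 user={u}@example.com result=fail"
     for u in ("alice", "bob", "carol", "eve", "frank")]
    + ["login ip=203.0.113.7 user=dana@example.com result=ok"]      # reused password
    + ["login ip=198.51.100.20 user=erin@example.com result=fail"] * 3  # typo retries
    + ["login ip=198.51.100.20 user=erin@example.com result=ok"]
    + [f"login ip=192.0.2.44 user={u}@example.com result=ok"         # shared office NAT
       for u in ("gil", "hana", "ivan", "june", "kai")]
)

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The one account listed under "compromised" is the case the article warns about: a password exposed in an unrelated breach that still worked here.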
If you are trying to make sense of a strange alert, it can also help to read related guidance on what to do if your financial information is found on the dark web.
Six reasons you might not recognize a breach
1. Your data was part of a combo list
Stolen usernames, passwords, and other account details are often bundled into large files known as combo lists. These lists can pull together credentials from many different breaches, then get resold again and again. Criminals use them for credential stuffing, trying the same email-and-password combinations across banks, shopping sites, streaming services, and other accounts. That means your information can show up in a breach alert tied to a source that feels completely unrelated to anything you remember using.
2. The breached company owns a brand you do use
Sometimes the name on the alert is a parent company, not the customer-facing brand you recognize. Large companies often own multiple businesses, products, or services, and customer data may be stored under the parent company’s systems. So even if the breached name looks unfamiliar, it may still be connected to a company you have done business with.
3. The breached company provides services behind the scenes
Many companies rely on third-party vendors to handle things like cloud storage, payments, customer support, analytics, or account infrastructure. If one of those vendors is breached, your data may be exposed under the vendor’s name rather than the brand you signed up with directly.
4. A data broker or affiliated entity had your information
Not every company holding your data is one you chose to interact with directly. Credit bureaus, public-record aggregators, data brokers, government agencies, and affiliated entities may already have personal information tied to your identity. If one of those organizations is breached, the name may not be familiar even though the data involved is yours.
5. The company changed its name
In some cases, the company on the alert is simply operating under a different name than the one you remember. Businesses rebrand, merge, split, or rename products over time. A quick search may reveal that the breached company is actually one you know by another name.
6. Someone else used your email to create an account
Sometimes the unfamiliar company name is a sign that someone used your email address to open an account, sign up for a service, or join a mailing list without your knowledge. If none of the other explanations fit, this may be worth checking. Resetting the password for that account and reviewing the profile details may help confirm whether your email was used.
Frequently asked questions
Q: How do hackers sell personal data?
A: Criminals sell stolen personal data on dark web marketplaces and underground forums accessible only through anonymizing software like Tor. They package data by type and sell it to other criminals using cryptocurrency. Listings may include individual records, large data sets, or complete identity packages known as “fullz.”
Q: How quickly does stolen data appear on the dark web?
A: Stolen records can appear on dark web marketplaces within hours of a breach. Criminals often try to profit from the data before the company discloses the breach or the affected person has time to change passwords and secure accounts. This is why fast detection is crucial.
Q: What is a “fullz” package?
A: A fullz package is a bundle of personally identifiable information that can include a person’s name, address, date of birth, Social Security number, and financial account details. These packages sell for more than individual data points because they give buyers much of what they need to commit identity theft or account fraud.
Q: What types of personal data do hackers sell most often?
A: The most commonly sold data types include credit card numbers, banking credentials, Social Security numbers, email addresses and password combinations, and full identity packages. Medical records are also valuable because they can be used for insurance fraud and other scams.
Q: Can you remove your data once it’s on the dark web?
A: No. Once personal data is posted, shared, or resold on the dark web, it is typically copied and redistributed rapidly. It usually cannot be meaningfully removed. The best protection is early detection through dark web monitoring, which alerts you when your information is found so you can change credentials and limit the damage.
What cybersecurity professionals are saying
Chester Wisniewski
Principal Research Scientist at Sophos
“Looking forward into 2023 has me very concerned with what developments we see with the malicious use of machine learning technologies”
Matt Kapko
Cybersecurity Reporter
"Threat actors don’t just follow the news — they react to it and identify new ways to target potential victims during moments of heightened sensitivity."
Chester Wisniewski
Principal Research Scientist at Sophos
"ChatGPT3 could easily be weaponized to help criminals write more convincing phishing and business email compromise scams."
This guide is published by OmniWatch.
Sources:
[1] FTC, Consumer Sentinel Network Data Book 2024, 2025
[2] FTC, $12.5 billion lost to fraud in 2024, 2025
[3] ReliaQuest, Weak credentials are fueling a new generation of cyber threats, 2022
[4] Privacy Affairs, Dark Web Price Index 2023, 2023
[5] NordVPN, How hackers can earn 17.3M USD from your data
[6] Cybersecurity Ventures, Cybercrime To Cost The World $10.5 Trillion Annually By 2025, 2020