Temp Mail Now

What Actually Happens After Your Email Is in a Data Breach

Data breaches make headlines. But what happens to your email address after it leaks? A step-by-step look at credential stuffing, phishing, and what you can do.

Temp Mail Now · Published June 2, 2026 · 4 min read

Every few months, a company announces a data breach. The press release follows a template: "we take your security seriously," "we have engaged leading cybersecurity experts," "affected users have been notified." Your inbox gets an email telling you to change your password. You do. You move on.

Behind the scenes, the breach data has a lifecycle of its own — and your email address is often the most durable piece of information in it.

The breach-to-darkweb pipeline

When attackers compromise a database, the data doesn't disappear into a void. It follows a predictable path.

Initial exploitation happens within hours of the breach being discovered by the attacker. The most sensitive data — credit card numbers, social security numbers, plaintext passwords — is extracted and used immediately or sold to specialists.

Darkweb listing typically follows within days to weeks. The attacker or an intermediary packages the data into a "combo list" — usually a text file with millions of email:password pairs — and sells it on darkweb marketplaces. Prices vary by freshness, completeness, and the perceived value of the platform. A breach from a financial services company commands a higher price than one from a gaming site.

Mass distribution happens next. As the data ages, it becomes worth less to the original sellers. It's bundled with other breaches into ever-larger compilations. The infamous "Collection #1" breach from 2019 contained 773 million email addresses compiled from thousands of earlier breaches. These compilations are distributed freely on file-sharing forums. By this stage, your leaked data has been seen by thousands of people.

Credential stuffing: why password reuse is so dangerous

The primary use of breached email-and-password combinations is credential stuffing. Attackers run automated tools that try leaked credentials against other services — your bank, your streaming accounts, your email provider, Amazon.

The attack works because most people reuse passwords. If your email and password leaked from a clothing retailer's breach in 2021, and you used the same password for your email account, the attacker now has access to your email. From there, they can reset passwords on every service linked to that address.

This is why security experts advise using a unique password for every service. It's not paranoia. It's the direct response to a routine attack that happens billions of times per year. A password manager makes unique passwords manageable; there's no reason not to use one.

Phishing: the human layer

Breached email addresses, even without passwords, have value. An attacker with your email address knows you use a specific service. They can craft a phishing email that looks exactly like a communication from that service — with your name, account details, and a plausible reason to click a link.

The link leads to a fake login page. You enter your credentials. The credentials go to the attacker. This is called spear phishing — targeted phishing using real personal data — and it's far more effective than generic spam because the email contains information that makes it feel legitimate.

The spam and harassment layer

At the bottom of the value chain, breached email addresses end up in spam lists. You'll receive offers for things you never wanted, notifications from services you never signed up for, and increasingly sophisticated scams. Some of these are harmless annoyances. Others — like the sextortion scam, where an attacker emails you claiming to have footage of you and demands payment in cryptocurrency — cause real distress.

The sextortion scam works in part because the email often includes a real password you used in the past (obtained from a breach), which creates the illusion that the attacker has actually compromised your device. They haven't. The password is just breach data.

How to know if you've been breached

Troy Hunt's Have I Been Pwned is the most reliable free service for checking whether your email has appeared in known breaches. Enter your address and it will return a list of every breach in which your address appeared, along with what data was exposed. Many password managers now include this check automatically.

If your email appears in a breach, the immediate steps are:

  1. Change the password for that service if you haven't already
  2. If you reused that password anywhere else, change it there too
  3. Enable two-factor authentication on any account that matters

The long-term approach: compartmentalization

Reactive measures help but don't solve the structural problem. Your email address is your universal identifier across the internet. Every site that has it is one breach away from it being public.

Compartmentalization reduces the blast radius. Using different email addresses for different purposes — one for financial services, one for shopping, one for social media — means that a breach in one category doesn't affect the others.

For the long tail of services where you have no ongoing relationship, a disposable email address that expires is the cleanest solution. If it leaks, there's nothing to compromise: the address is dead, there's no password associated with it, and it can't be linked back to your real inbox.

This isn't a cure-all. Your real address lives somewhere — your bank, your employer, your closest relationships — and those services are worth protecting with strong, unique passwords and two-factor authentication. But every service that doesn't have your real address is one less vector for credential stuffing, phishing, and spam.

