What is a data breach? Types, causes and consequences
Behind every "we were breached" headline is the same basic story: data that should have been private ended up somewhere it shouldn’t. Understanding the shape of a breach is the first step to limiting its damage.
What counts as a data breach
A data breach is any incident in which data is accessed, disclosed, altered or lost without authorisation. It does not have to involve a dramatic intrusion — leaving a database exposed to the internet, emailing a spreadsheet to the wrong person, or losing a laptop can all be breaches.
Under the EU GDPR the formal term is a "personal data breach", and one that risks harm to individuals must be reported to the regulator within 72 hours.
Common causes
- Stolen or leaked credentials — reused or phished passwords that unlock accounts.
- Misconfiguration — databases, cloud storage or backups left publicly accessible.
- Software vulnerabilities — unpatched flaws exploited to reach data.
- Phishing and social engineering — tricking a person into granting access.
- Third-party compromise — a supplier or service you use is breached, exposing your data.
What gets exposed
The impact of a breach depends heavily on what leaked:
- Credentials (email + password): the most reusable and dangerous, enabling account takeover elsewhere.
- Personal data (PII): names, addresses, phone numbers — permanent, and fuel for phishing and identity fraud.
- Session tokens and keys: can grant access without a password, sometimes bypassing MFA.
- Financial data: card and banking details enabling direct fraud.
Why the damage outlasts the breach
A leaked password from a site you forgot about can be used years later, because attackers aggregate old and new leaks into combolists and replay them automatically. This is why "it was an old account" is not reassurance — and why breach monitoring and unique passwords matter long after the original incident.
FAQ
Related questions
Is a data leak the same as a data breach?
They’re often used interchangeably. A "leak" usually emphasises data becoming exposed (sometimes accidentally), while a "breach" emphasises unauthorised access. Both can leave your data in the hands of attackers.
What is the most common type of data stolen in breaches?
Login credentials — email-and-password pairs — because they are directly reusable against other services and are the starting point for account takeover.
How quickly must a breach be reported under GDPR?
A personal-data breach that is likely to risk individuals’ rights must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it.
Keep reading
More guides
-
Credential stuffing: how one leaked password becomes account takeover
Attackers don’t guess passwords — they replay leaked ones. Here’s how credential stuffing turns an old breach into a hijacked account.
Read guide -
What to do after a data breach: a step-by-step response
Found out you’re in a breach? Here’s the order to act in — from the leaked password to monitoring for what comes next.
Read guide