What happens in the first 24 hours
Most people discover a breach weeks or months after it happened. By that point the stolen data has already moved through several hands and been used in ways the victim never sees. Understanding that timeline is the first step to defending against it.
Breaches rarely start with a random attacker stumbling onto an unprotected database. They are usually the result of months of reconnaissance, a purchased initial access point, or an employee falling for a phishing email. Once inside, attackers move quietly, collecting data over days or weeks before exfiltrating it all at once.
The attacker who stole your data is often not the same person who uses it. Credential theft is a supply chain. Different groups specialise in different parts of the operation, and stolen data flows through that chain with remarkable efficiency.
The stolen data supply chain
Here is the complete journey your data takes from the moment it is stolen to the moment it arrives in the hands of someone using it against you. Each stage has different actors and a different purpose.
After months of access, the attacker exports the database, often compressing it into structured files sorted by data type. Email lists, password hashes, and payment data are separated because they have different buyers and different values. The raw dump is verified for completeness before the attacker moves on.
Day 0
High-value breaches are first listed on private, vetted dark web forums where prices are highest and buyers are sophisticated. The seller offers sample records to prove authenticity. At this stage only a handful of buyers see the data, paying a premium for exclusivity. This window typically lasts 24 to 72 hours for major corporate breaches.
Day 1 to 3
After the exclusive window closes, data moves to larger, more accessible markets. Prices drop significantly as competition increases. Buyers at this stage include mid-tier fraudsters running credential stuffing operations, phishing kit operators who personalise attacks using the real names and account details in the dump, and bulk data aggregators who combine multiple breaches into larger combo lists.
Day 3 to 14
Individual breaches get folded into enormous combo lists containing billions of email and password pairs from dozens of sources. These are the raw fuel for credential stuffing. A single combo list might contain your credentials from five different breaches spanning ten years, all merged into one searchable file. These lists are sold cheaply in bulk or shared freely on public forums.
Week 2 onwards
Automated tools test your email and password combination against hundreds of services simultaneously: banks, streaming platforms, e-commerce sites, airline loyalty programs, and cryptocurrency exchanges. The tools rotate through residential proxies to avoid detection and log every successful login. A 1% success rate on a 100 million record list means one million compromised accounts.
Ongoing
Successful logins are monetised based on what was accessed. Bank accounts are drained or used for money mule transfers. Streaming accounts are sold in bulk for a few dollars each. Airline miles are redeemed or sold. Cryptocurrency balances are transferred immediately. Retail accounts are used for fraudulent purchases with stored payment methods. Each successful login has a market value that gets extracted quickly.
Immediate
What your data actually sells for
Dark web prices fluctuate based on freshness, the completeness of the record, and current demand. Here is a realistic picture of what different data types command in 2026 based on research into marketplace activity.
A credential from a breach announced yesterday can be worth 20 times more than the same credential from a two-year-old breach. Attackers race to monetise fresh data before victims change passwords. The faster you respond to a breach notification, the less value your data has to them.
How credential stuffing works at scale
Password reuse is the single biggest reason a breach at one company creates risk at every other company you use. Credential stuffing is the automated exploitation of that reuse, and it runs continuously against virtually every major platform.
A typical credential stuffing operation works like this: the attacker loads a combo list into a tool like Sentry MBA or a custom script. The tool sends login requests to a target site, rotating through thousands of residential proxies so each attempt looks like it comes from a different home user. Rate limiting and CAPTCHAs slow the attack but do not stop it. The tool logs every successful authentication and flags high-value accounts.
At a 0.5% success rate on a 500 million record list, that is 2.5 million successful logins. Against a bank that is potentially catastrophic. Against a retailer it means fraudulent orders charged to stored cards. Against any service it means access the attacker should not have.
Credential stuffing only works because people reuse passwords. A breach at a small forum you joined years ago becomes a breach of your bank account if you used the same password. Using a unique password for every account is the only complete defence against this attack.
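The proxy rotation described above is why per-IP rate limiting slows this attack without stopping it. As an added example (not from the original article), the Python code below runs a per-IP limiter and a site-wide failure-pattern detector over a constructed login log, then lists the successful logins hidden inside the flood; the event format, thresholds, documentation-range IP addresses and the KNOWN_IPS baseline are all assumptions made for illustration.

```python
from collections import defaultdict

WINDOW = 60  # seconds per analysis bucket (assumed value)
# Constructed baseline: the one IP each normal user has logged in from before.
KNOWN_IPS = {f"user{i}": {f"198.51.100.{i}"} for i in range(20)}

def build_sample_log():
    """Constructed events: (epoch_second, source_ip, username, success)."""
    # Normal users: known IP, one login each, a single mistyped password.
    events = [(i * 15, f"198.51.100.{i}", f"user{i}", i != 7) for i in range(20)]
    # Stuffing run: 300 attempts in 5 minutes, a fresh proxy IP and a fresh
    # username per attempt, 1 in 100 pairs valid because of password reuse.
    for n in range(300):
        ip = f"203.0.113.{n}" if n < 250 else f"192.0.2.{n - 250}"
        events.append((n, ip, f"victim{n}", n % 100 == 42))
    return sorted(events)

def per_ip_blocks(events, limit=5):
    """IPs a per-IP rate limiter would block (more than `limit` tries per window)."""
    counts = defaultdict(int)
    for ts, ip, _user, _ok in events:
        counts[(ts // WINDOW, ip)] += 1
    return {ip for (_w, ip), c in counts.items() if c > limit}

def stuffing_windows(events, min_fail=30, min_fail_ratio=0.8, min_spread=0.9):
    """Windows where failures are numerous, dominant and one-per-account.
    The three thresholds are illustrative assumptions, not tuned values."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // WINDOW].append(ev)
    flagged = []
    for w, evs in sorted(buckets.items()):
        fails = [e for e in evs if not e[3]]
        if len(fails) < min_fail:
            continue
        fail_ratio = len(fails) / len(evs)
        spread = len({e[2] for e in fails}) / len(fails)  # distinct users per failure
        if fail_ratio >= min_fail_ratio and spread >= min_spread:
            flagged.append(w)
    return flagged

def accounts_to_review(events, flagged, known_ips):
    """Users with a successful login in a flagged window from an IP new to them."""
    return sorted({user for ts, ip, user, ok in events
                   if ok and ts // WINDOW in flagged
                   and ip not in known_ips.get(user, set())})

if __name__ == "__main__":
    log = build_sample_log()
    windows = stuffing_windows(log)
    print("blocked by per-IP limit:", per_ip_blocks(log))
    print("flagged windows:", windows)
    print("force reset / step-up:", accounts_to_review(log, windows, KNOWN_IPS))
```

The per-IP limiter blocks nothing because every attempt arrives from a different address, while the site-wide view flags every window of the run and surfaces the three accounts whose reused password worked.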
Where you can interrupt the chain
Each stage of the data lifecycle has a point where your actions can break the attack before it reaches you. These are ordered by impact.
If every account has a different password, a credential stuffed from one breach cannot open any other account. A password manager generates and stores them so you never have to remember them. This single change eliminates the credential stuffing threat entirely.
The freshness window is real. Changing a compromised password within hours means your credential is worthless by the time most buyers receive the data. Monitoring services like DataLeakz alert you the moment your email appears in a new dump.
Even if an attacker has your correct password, a second factor stops them from completing the login. Authenticator app codes and passkeys are phishing resistant. SMS is better than nothing. Any 2FA breaks the automated stuffing operation cold.
If a breach included your name, address, date of birth, or SSN, a credit freeze at all three bureaus prevents new accounts being opened in your name. It is free and can be unfrozen in minutes when you need it. This directly interrupts the identity package monetisation pathway.
New breaches are discovered on a delay. Data sold privately months ago may only surface in public monitoring databases now. Continuous monitoring means you catch exposure at every stage of the supply chain, not just when the breach is first announced.
Real-time alerts for every transaction mean you catch fraudulent use within minutes rather than at the end of the month. Most banks offer this for free. Dispute windows are time-sensitive, so early detection directly affects how much of the damage you can recover.
Attackers depend on victims being slow. The credential stuffing operation runs for months because most people never change exposed passwords. The data stays valuable because nobody freezes their credit. Every fast action you take removes your data from the profitable part of this supply chain.
Sources
- IBM Cost of a Data Breach Report 2024: dwell time and breach lifecycle data
- SpyCloud Annual Credential Exposure Report 2025: combo list volume and credential stuffing statistics
- Recorded Future dark web marketplace pricing research 2024
- OWASP Credential Stuffing Prevention Cheat Sheet: attack methodology
- Javelin Strategy and Research Identity Fraud Report 2025: financial fraud conversion rates