Identity theft: what actually happens after the hack

Margot 'Magic' Thorne (@magicthorne) · May 3, 2026 · 11 min read

[Image: Timeline visualization showing data flowing from breach to criminal marketplace to fraud attempt]

A data breach is the opening scene, not the finale. The breach gets the data out. What happens next is a series of decisions made by people you will never meet, using information about you in ways that follow predictable patterns but unfold on unpredictable timelines.

This is the explainer for what happens between the breach notification email and the fraudulent charge on your credit card, the tax return filed in your name, or the medical bill for procedures you never had. The mechanism is consistent. The timeline varies.

The first 72 hours: extraction and cataloging

The breach itself is over before you hear about it. By the time the company sends the notification, the data has been out for weeks or months. The operators have already extracted what they wanted.

What they extract depends on what the database held. A healthcare breach yields names, dates of birth, Social Security numbers, insurance details, and sometimes medical histories. A retail breach yields payment card numbers, billing addresses, email addresses, and purchase histories. A financial services breach yields account numbers, routing numbers, transaction histories, and authentication credentials.

The operators catalog the haul. They sort by data type, completeness, and freshness. A record with name, SSN, date of birth, and current address is more valuable than a record with just email and password. A record from 2026 is more valuable than a record from 2019.

Some data goes into private collections for the operators' own use. Some goes to marketplaces. The marketplaces are not public websites. They operate on encrypted forums, invite-only Telegram channels, and private servers accessible only through specific networks. Access requires reputation, referrals, or payment.

CISA describes identity theft as a multistage process that begins with data acquisition and moves through validation, exploitation, and monetization. The breach is acquisition. What follows is the rest.

The marketplace: pricing and bundling

Data sells in bundles. A "fullz" package contains everything needed to impersonate someone: name, SSN, date of birth, address, phone number, email, and sometimes mother's maiden name or answers to common security questions. Fullz packages sell for anywhere from a few dollars to a few hundred, depending on the victim's credit score, account balances, and geographic location.

Partial records sell cheaper. Email and password combinations go for pennies. Credit card numbers with CVV codes and expiration dates sell for a few dollars each. Medical records sell for more than financial records because they contain more exploitable information and remain valid longer.

Buyers are not always the end users. Some buyers resell to specialists. A buyer might purchase a bulk set of credentials, test them against common services, and resell the validated subset at a markup. Another buyer might purchase SSNs and dates of birth to create synthetic identities by combining real information from multiple people with fabricated details.

The marketplace operates on reputation. Sellers with verified track records command higher prices. Buyers leave reviews. Disputes get mediated by forum administrators. The structure resembles any other online marketplace, except the product is your information and the transaction is invisible to you.

Credential testing: the automated first pass

If the breach included login credentials, those credentials get tested immediately. Automated tools submit username and password combinations to thousands of websites to see what works. The process is called credential stuffing.

The testing happens fast. Within hours of a breach, your email and password combination might be tested against your bank, your email provider, your shopping accounts, your streaming services, and dozens of other platforms. If you reused that password, the attacker finds out which accounts share it.

Successful logins get flagged for manual review or immediate exploitation. An attacker who gains access to your email can reset passwords for other accounts. An attacker who gains access to a financial account can transfer funds, open new accounts, or request credit limit increases. An attacker who gains access to a shopping account can make purchases using stored payment methods.

This is why password reuse turns one breach into a skeleton key. The breach gives the attacker one password. Credential stuffing tells them everywhere else you used it.
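
From the side of a service operator, the automated testing described above leaves a recognizable pattern in login logs: one source trying many different usernames and failing on almost all of them. The Python below is an added example, not part of the original article; the log format, function names, and thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (assumed format: timestamp source_ip username result).
SAMPLE_LOG = """\
2026-05-03T10:00:01Z 203.0.113.7 alice@example.com FAIL
2026-05-03T10:00:01Z 203.0.113.7 bob@example.com FAIL
2026-05-03T10:00:02Z 203.0.113.7 carol@example.com FAIL
2026-05-03T10:00:02Z 203.0.113.7 dave@example.com OK
2026-05-03T10:00:03Z 203.0.113.7 erin@example.com FAIL
2026-05-03T10:00:03Z 203.0.113.7 frank@example.com FAIL
2026-05-03T10:01:10Z 198.51.100.20 grace@example.com FAIL
2026-05-03T10:01:25Z 198.51.100.20 grace@example.com FAIL
2026-05-03T10:01:40Z 198.51.100.20 grace@example.com OK
2026-05-03T10:02:00Z 192.0.2.15 heidi@example.com OK
garbled line
"""


def parse_line(line):
    """Return (ip, username, success) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    return parts[1], parts[2].lower(), parts[3] == "OK"


def find_stuffing_sources(log_text, min_users=5, max_success_rate=0.2):
    """Flag source IPs that try many distinct usernames and mostly fail.

    A person who forgot a password fails repeatedly on ONE username.
    Credential stuffing fails across MANY usernames, with an occasional
    success where a breached password was reused.
    """
    users = defaultdict(set)    # ip -> usernames attempted
    attempts = defaultdict(int)  # ip -> total login attempts
    hits = defaultdict(set)     # ip -> usernames that logged in successfully
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed format
        ip, user, ok = parsed
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            hits[ip].add(user)

    flagged = {}
    for ip, tried in users.items():
        success_rate = len(hits[ip]) / len(tried)
        if len(tried) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(tried),
                "attempts": attempts[ip],
                # Accounts where a reused password worked: reset these first.
                "compromised": sorted(hits[ip]),
            }
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The source that retried a single username three times before succeeding is not flagged; only the one that cycled through six usernames is, and its one successful login identifies the account whose password needs a forced reset.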

Financial fraud: the visible manifestation

Financial fraud is what most people think of when they hear "identity theft." It is also the most likely to be detected quickly, because financial institutions monitor accounts for unusual activity and consumers check balances regularly.

The fraud takes several forms. The simplest is account takeover: the attacker logs into your existing account and makes purchases or transfers. This triggers alerts from the financial institution if the activity deviates from your normal patterns. You see the charge, dispute it, and the institution reverses it.

More sophisticated is new account fraud: the attacker uses your information to open a new credit card, loan, or bank account in your name. You do not see this immediately because the statements go to an address the attacker controls. You discover it when you check your credit report, apply for credit and get denied, or receive a collections notice for an account you never opened.

The FTC reports that credit freezes are the most effective tool against new account fraud because they block creditors from accessing your credit report, which prevents them from approving new applications. A credit freeze does not affect your existing accounts or your credit score. It just stops new credit from being issued without your explicit permission.

Tax fraud: the delayed discovery

Tax fraud is harder to detect because it happens once a year and the discovery timeline is long. An attacker files a tax return in your name, claims a refund, and receives the money before you file your legitimate return. When you file, the IRS rejects it because a return has already been filed under your SSN.

Resolving tax fraud requires filing a paper return, submitting an identity theft affidavit, and waiting for the IRS to investigate. The process can take months. You do not get your refund until the investigation concludes. If you were counting on that refund, the delay creates immediate financial strain.

Some attackers file fraudulent returns claiming children as dependents, unemployment benefits you never received, or business income you never earned. The fraud might not surface until the IRS sends you a notice about unreported income or the state sends a notice about unemployment benefits you supposedly collected.

The IRS offers an Identity Protection PIN program for victims of tax fraud. The PIN is a six-digit number that you must include on your tax return. Without the correct PIN, the IRS rejects the return. The PIN changes every year. It is not foolproof, but it adds a verification step that stops most automated tax fraud.

Medical fraud: the hidden liability

Medical fraud is the least visible and potentially the most damaging form of identity theft. An attacker uses your insurance information to receive medical care, fill prescriptions, or submit fraudulent claims. The fraud enters your medical records. The records now contain diagnoses, treatments, and prescriptions that are not yours.

You discover medical fraud when you receive an Explanation of Benefits for services you never received, when you hit your insurance coverage limit unexpectedly, when you apply for insurance and get denied based on a pre-existing condition you do not have, or when a debt collector contacts you about unpaid medical bills.

Correcting medical records is harder than correcting financial records because medical records are distributed across providers, insurers, and clearinghouses. Each entity maintains its own records. You must contact each one individually, provide documentation, and request corrections. There is no centralized dispute process.

Fraudulent medical records can affect your ability to get insurance, the premiums you pay, and the care you receive. If your records show a condition you do not have, a doctor might prescribe treatment based on incorrect information. If your records show prescriptions you never took, a pharmacist might flag a dangerous drug interaction that does not actually apply to you.

Synthetic identity theft: the long game

Synthetic identity theft combines real information from one person with fabricated information to create a new identity. An attacker might use your real SSN with a different name, date of birth, and address. They build credit under this synthetic identity by opening small accounts, making payments, and gradually increasing credit limits.

The synthetic identity can operate for years before anyone notices. The attacker is not trying to drain your accounts. They are building a separate financial profile that happens to use your SSN. When they finally max out the credit lines and disappear, the creditors come after the SSN holder: you.

You discover synthetic identity theft when you check your credit report and see accounts you never opened, or when a creditor contacts you about debts you do not recognize. Proving that the accounts are fraudulent is harder than proving account takeover because the accounts have payment histories and the identity details do not match yours exactly.

In The X-Files, Mulder and Scully investigate cases where the official record contradicts lived reality. One episode involves a man who discovers that his entire documented life history has been replaced with someone else's. He has memories, but the records say otherwise. Synthetic identity theft creates the inverse: the records document a life you never lived, and you have to prove the absence. The bureaucratic nightmare is the same.

Criminal identity theft: the legal entanglement

Criminal identity theft happens when someone uses your information during an arrest or citation. The arrest record, warrant, or court judgment gets filed under your name. You discover it when you get pulled over for a traffic violation and the officer arrests you on an outstanding warrant you knew nothing about, when you apply for a job and the background check shows a criminal record you do not have, or when you receive a court summons for a case you are not involved in.

Clearing criminal identity theft requires legal documentation. You must obtain police reports, court records, and sometimes fingerprint records to prove you were not the person arrested. You may need to appear in court, hire an attorney, and petition for record corrections. The process can take years.

Some jurisdictions offer identity theft passports or similar documents that you can present to law enforcement to prove your identity has been stolen. The passport does not automatically clear your record, but it provides a starting point for the correction process.

The recovery timeline: what you actually do

Recovery starts with documentation. You file a report with the FTC at IdentityTheft.gov, which generates an Identity Theft Report. This report is your evidence for disputes with creditors, credit bureaus, and other institutions. You also file a police report in the jurisdiction where the theft occurred, if you can determine it.

You place a credit freeze with all three major credit bureaus: Equifax, Experian, and TransUnion. The FTC confirms that credit freezes are free, permanent until you lift them, and do not affect your credit score. You can lift a freeze temporarily when you need to apply for credit, then reinstate it afterward.

You review your credit reports from all three bureaus. You are entitled to one free report per year from each bureau, but if you are a confirmed identity theft victim, you can request additional reports. You dispute any fraudulent accounts, hard inquiries, or incorrect information. The bureaus have 30 days to investigate and respond.

You contact the fraud departments of any affected financial institutions. You close compromised accounts and open new ones with new account numbers. You change passwords and enable two-factor authentication on all accounts. You monitor your accounts for unauthorized activity.

If tax fraud is involved, you contact the IRS and your state tax agency. You file Form 14039, the Identity Theft Affidavit, and follow the IRS's instructions for resolving the case. If medical fraud is involved, you contact your insurance company, request copies of your medical records, and dispute any fraudulent entries.

The administrative burden is significant. You will spend hours on phone calls, filling out forms, and tracking correspondence. You will repeat your story to multiple people. You will wait for investigations to conclude. The process is not fast.

Monitoring services: what they actually do

Identity theft monitoring services scan criminal marketplaces, paste sites, and public records for your information. When they find a match, they alert you. Some services also monitor your credit reports and notify you of new accounts, hard inquiries, or changes to existing accounts.

The alerts give you a head start. If your SSN appears on a criminal forum, you can place a credit freeze before anyone uses it to open accounts. If a new account appears on your credit report, you can dispute it immediately instead of discovering it months later.

Monitoring services do not prevent identity theft. They detect it faster. The value depends on how quickly you act on the alerts. If you ignore the alerts or delay taking action, the monitoring provides no benefit.

Some services include recovery assistance: case managers who guide you through the dispute process, help you file reports, and track your progress. Some include insurance that reimburses you for certain expenses related to identity theft recovery, such as legal fees or lost wages.

NordProtect offers identity theft monitoring with credit alerts, dark web scanning, and recovery support. The service scans for your personal information on criminal marketplaces and alerts you if it appears. If your identity is stolen, the recovery team provides step-by-step guidance through the dispute process. You can learn more about NordProtect here. We earn a commission on purchases through this link, at no extra cost to you.

The psychological toll: what the statistics do not measure

The statistics measure financial loss, time spent on recovery, and number of accounts affected. They do not measure the erosion of trust, the hypervigilance that follows, or the recurring anxiety every time you check your bank balance or open your mail.

Identity theft is a violation that continues after the initial theft. Every fraudulent charge is a reminder. Every dispute is a re-engagement with the theft. Every new account alert is a moment of panic until you confirm it is legitimate.

Some victims report feeling paranoid about sharing information, even in legitimate contexts. Some avoid online transactions entirely. Some check their credit reports obsessively. The psychological impact is real, even if it does not appear in the cost estimates.

What you can do before it happens

You cannot prevent a breach at an organization you have no control over. You can limit what happens after. Use a password manager to generate unique passwords for every account. Enable two-factor authentication on everything that supports it. Monitor your credit reports regularly.

Place a credit freeze if you are not actively applying for credit. The freeze is free, does not expire, and blocks new account fraud. You can lift it temporarily when needed. There is no downside.

Review your financial statements every month. Set up account alerts for transactions over a certain amount. Check your medical Explanation of Benefits when you receive them. File your taxes early in the season to beat fraudulent filers.

These actions do not guarantee you will avoid identity theft. They reduce the window of opportunity and limit the damage when it happens.

The long tail: years later

Identity theft does not always resolve cleanly. Some victims spend years disputing accounts, correcting records, and dealing with collectors who bought fraudulent debts. Some discover new fraudulent accounts years after the initial theft because the attacker sat on the information, waiting for attention to fade.

Credit bureaus are required to investigate disputes, but they are not required to believe you. If the creditor insists the account is valid and provides documentation, the bureau may side with the creditor. You then have to escalate through additional dispute channels, file complaints with regulatory agencies, or hire an attorney.

Medical records are even harder. There is no equivalent to a credit bureau for medical records. Each provider maintains its own records. Each insurer maintains its own claims history. Correcting all of them requires contacting each one individually and providing proof that the services were fraudulent. The process can take years.

The recovery is not a single event. It is a series of actions spread across months or years, punctuated by new discoveries and ongoing vigilance. The initial theft is over in seconds. The cleanup is measured in years.


Frequently asked questions

Data can appear on criminal marketplaces within hours of a breach, but the timeline from theft to fraud varies widely. Some credentials get tested immediately; others sit dormant for months or years until conditions favor the attacker.
They test credentials against other accounts, open new credit lines, file fraudulent tax returns, create synthetic identities, or sell the data to other operators who specialize in specific fraud types.
Not always. Financial fraud often triggers alerts from your bank or credit card company, but tax fraud, medical fraud, and synthetic identity theft can go undetected for months or years until you apply for credit, file taxes, or receive collection notices.
A credit freeze blocks new credit applications entirely until you lift it. A fraud alert requires creditors to verify your identity before opening new accounts, but doesn't block applications outright.
Most financial fraud can be reversed through dispute processes, but the administrative burden is significant. Medical and criminal identity theft are harder to resolve and may require legal assistance and years of documentation.
