BreachExpress

Cybersecurity, explained for the rest of us.

Identity Theft

How Identity Thieves Actually Use Your Data

Margot 'Magic' Thorne@magicthorneMay 11, 202611 min read
Abstract illustration showing fragmented personal data flowing into criminal marketplaces and emerging as fraudulent accounts

Your data gets stolen in a breach. Then what? The gap between "breach disclosed" and "fraud happens" is where most people lose the thread. You know your information is out there. You don't know what someone does with it.

I'm going to walk through the actual mechanisms. Not the vague threat of identity theft, but the specific ways criminals turn your name, Social Security number, and email into cash. This is the explainer for what happens after the breach, step by step.

The data sits in criminal marketplaces first

When a breach happens, the stolen data doesn't immediately get used. It gets sold. Sometimes multiple times.

The operators who pulled off the breach sell the data in bulk to brokers. Brokers resell it in smaller batches to people who specialize in specific types of fraud. The data moves through layers of criminal marketplaces, often on forums or encrypted messaging platforms, before it reaches someone who actually uses it.

This delay is why fraud from a breach can show up months or years later. The breach gets disclosed in January. Your tax return gets filed fraudulently in April of the following year. The connection feels distant, but the data is the same.

The Verizon Data Breach Investigations Report tracks this pattern across industries. Breaches happen. Data gets monetized. Fraud follows, but not always immediately.

Account takeover: breaking into what you already have

The first use case is account takeover. The thief uses your stolen credentials (email and password, usually from a breach where you reused that password) to log into an account you already control.

If the account is a bank, they drain it. If it's a retailer with stored payment methods, they buy things and ship them to a drop address. If it's an email account, they use it to reset passwords on other accounts, then take those over too.

Email is the skeleton key. Once someone controls your email, they can reset passwords on most of your other accounts. That's why email account takeovers cascade. One compromised account becomes five.

Two-factor authentication stops this, but only if you use it. A password alone, especially a reused one, is not enough. I've written about how two-factor authentication works if you need the full mechanism.

Account takeovers succeed because people reuse passwords and don't enable 2FA. The breach gives the thief the password. The lack of 2FA gives them the account. Simple as that.

New account fraud: opening credit in your name

The second use case is new account fraud. The thief uses your personal information (name, Social Security number, date of birth, address) to open entirely new accounts in your name.

This is the classic identity theft scenario. They apply for a credit card. The card gets approved because your credit is good. They max it out. You don't find out until the collections calls start, because the statements go to an address you don't control.

New account fraud works because credit applications don't verify identity the way you think they do. The application asks for your SSN, DOB, and address. If those match the credit bureau's records, the application moves forward. There's no biometric check. There's no video call. It's data matching data.

The Federal Trade Commission has documented this pattern for years. A credit freeze stops it cold, because a freeze blocks new credit inquiries entirely. But most people don't freeze their credit until after fraud happens.

The thief also uses your data to open bank accounts, apply for loans, rent apartments, or get utility service. Anything that requires a credit check or identity verification is a target. The common thread is that you don't know these accounts exist until something goes wrong.

Tax fraud: filing returns in your name

The third use case is tax fraud. The thief files a tax return in your name, claims a refund, and collects the money before you file your legitimate return.

This one is seasonal. Tax fraud spikes in January and February, right when refunds are largest and the IRS is processing millions of returns. The thief needs your SSN and basic demographic information. They don't need your actual income data. They just file early with fake numbers, claim a refund, and cash out.

You find out when you try to file your real return and the IRS tells you one has already been submitted. At that point, you're in a bureaucratic nightmare that can take months to resolve.

The IRS has improved detection over the last decade, but the fraud still happens. The agency's own reporting shows millions of dollars in fraudulent refunds paid out annually. The Identity Theft Resource Center tracks this as one of the most common forms of identity theft.

Medical identity theft: using your insurance

The fourth use case is medical identity theft. The thief uses your health insurance information to get medical care, prescriptions, or medical devices billed to your insurance.

This is less common than credit fraud, but the consequences are worse. The fraudulent medical records get mixed with your real ones. You might find out when your insurance denies a legitimate claim because you've already hit your coverage limit. Or when a collections agency contacts you about a bill for a procedure you never had.

Medical identity theft is harder to clean up than financial fraud because medical records are protected by different privacy laws. You can't just dispute a charge. You have to prove the records are fraudulent, which requires navigating HIPAA and dealing with multiple healthcare providers.

Synthetic identity fraud: combining real and fake data

The fifth use case is synthetic identity fraud. The thief combines your real SSN with a fake name, a different date of birth, and a new address. They use this synthetic identity to build credit over time, then cash out.

This is the most sophisticated form of identity theft because it doesn't show up on your credit report. The synthetic identity is tied to your SSN, but it's not in your name, so you don't see the accounts when you check your credit.

The thief applies for a secured credit card under the synthetic identity. They make payments on time. The credit score for that synthetic identity improves. Eventually, they apply for larger credit lines, max them out, and disappear. The creditors come after the SSN, which is yours.

Synthetic identity fraud is growing because it's harder to detect. The Federal Trade Commission has flagged it as an emerging threat, but most consumers don't know it exists.

Government benefits fraud: unemployment and Social Security

The sixth use case is government benefits fraud. The thief files for unemployment benefits in your name or tries to redirect your Social Security payments.

Unemployment fraud exploded during the pandemic. States were overwhelmed with legitimate claims, and the verification systems couldn't keep up. Criminals filed claims using stolen SSNs and names, collected benefits for months, and disappeared before anyone noticed.

You find out when you try to file your own unemployment claim and discover one already exists. Or when you get a 1099-G tax form for unemployment income you never received. Or when your employer contacts you about a claim filed in your name.

Social Security fraud is less common but more damaging. The thief tries to change your direct deposit information or mailing address to redirect your benefits. The Social Security Administration has fraud reporting mechanisms, but the process of proving your identity and reclaiming your benefits takes time.

The SIM swap: taking over your phone number

The seventh use case is the SIM swap. The thief convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they use it to bypass SMS-based two-factor authentication and take over your accounts.

This is the attack that defeats SMS 2FA. The thief calls your carrier, impersonates you, claims they lost their phone, and asks for the number to be transferred to a new SIM. If the carrier doesn't verify identity properly, the transfer goes through.

Once they control your number, they request password resets on your accounts. The reset codes go to your phone number, which they now control. They take over your email, your bank accounts, your social media. The entire chain falls.

SIM swaps are why security professionals recommend app-based 2FA over SMS. An app like Authy or Google Authenticator isn't tied to your phone number, so a SIM swap doesn't defeat it.

The mechanism: how stolen data becomes fraud

Here's the pattern across all of these use cases. The thief has your data. They use it to impersonate you in a system that verifies identity through data matching, not through actual identity verification.

Credit applications match your SSN and DOB against credit bureau records. Tax returns match your SSN against IRS records. Insurance claims match your member ID against insurer records. Government benefits match your SSN against agency records.

None of these systems ask you to prove you are who you say you are in a way that a thief with your data can't replicate. They ask for information. The thief has that information. The system approves the transaction.

This is why identity theft is so hard to prevent. The systems we use to verify identity are designed for convenience, not security. They assume that anyone with your SSN, DOB, and address is you. That assumption breaks down the moment your data gets stolen.

The cultural reference: Star Trek TNG and impersonation

In Star Trek: The Next Generation, there's an episode where an alien species communicates entirely through metaphor and cultural reference. The crew can't understand them because they don't share the same stories.

Identity theft works the same way. The systems we use to verify identity rely on shared knowledge (your SSN, your mother's maiden name, your address) as a proxy for actual identity. But once that knowledge gets stolen, the proxy breaks. The thief knows the same stories you do. The system can't tell the difference.

The solution isn't better questions. It's better verification. Biometrics, hardware tokens, app-based 2FA, anything that ties identity to something you have or something you are, not just something you know.

What you can actually do about it

The mechanisms I've described are structural. You can't fix the systems. But you can make yourself harder to defraud.

Freeze your credit with all three bureaus (Equifax, Experian, TransUnion). A freeze blocks new credit accounts from being opened in your name. It doesn't stop account takeovers or non-credit fraud, but it stops the most common form of identity theft. The FTC has step-by-step instructions.

Use a password manager and generate unique passwords for every account. Reused passwords turn one breach into a skeleton key. I've written about why password managers matter if you need the full argument.

Enable two-factor authentication on every account that supports it, and use an app-based method instead of SMS. SMS 2FA is better than nothing, but it's vulnerable to SIM swaps. App-based 2FA isn't.

Monitor your credit reports. You're entitled to one free report per year from each bureau through AnnualCreditReport.com. Check them. Look for accounts you didn't open. If you find something, dispute it immediately.

Consider an identity theft monitoring service like NordProtect, which scans for your data on the dark web and alerts you when it appears. Monitoring doesn't prevent theft, but it shortens the window between breach and detection.

File your tax return early. The earlier you file, the smaller the window for someone to file a fraudulent return in your name. If you're a regular target (healthcare workers, government employees, anyone whose SSN has been in multiple breaches), consider getting an Identity Protection PIN from the IRS. It's a six-digit code that must be included on your return. Without it, the return gets rejected.

Set up account alerts on your bank and credit card accounts. Most banks will text or email you for transactions over a certain amount, logins from new devices, or changes to account settings. Enable all of them. The alert might be the first sign that someone else is using your account.

If you're a victim of identity theft, report it immediately. File a report at IdentityTheft.gov, which is run by the FTC. The report creates a recovery plan and gives you legal documentation of the theft. You'll need that documentation to dispute fraudulent accounts and clear your name.

The gap between breach and fraud

The thing people misunderstand about identity theft is the timeline. A breach happens in 2024. Your data gets sold. It sits in a criminal marketplace. Someone buys it in 2025. They use it in 2026. You find out in 2027 when a collections agency calls about a debt you didn't incur.

The gap between breach and fraud is where the damage happens. The breach is the starting point. The fraud is the endpoint. Everything in between is criminals figuring out how to monetize your data.

You can't prevent breaches. You don't control whether a company you do business with gets hacked. But you can control what happens after. Freeze your credit. Use unique passwords. Enable 2FA. Monitor your accounts. File your taxes early.

Those actions don't make you invulnerable. They make you harder to defraud than the next person. And in a world where criminals are optimizing for volume, being harder to defraud is often enough.

Layered defense illustration showing credit freezes, monitoring alerts, and password managers protecting personal data
→ Filed under
identity theftfrauddata breachescredit fraudaccount takeoversynthetic identity
ShareXLinkedInFacebook

Frequently asked questions

They use it to open credit accounts, file fraudulent tax returns, apply for government benefits, or combine it with other data to create synthetic identities. The SSN is the anchor point for most identity theft.
Yes. Stolen data doesn't expire. Criminals often wait months or years before using breached information, making it harder to connect fraud back to the original breach.
They open credit cards and max them out, drain bank accounts through account takeovers, file fake tax returns for refunds, take out loans in your name, or sell your data to other criminals who do the same.
Account takeover is breaking into your existing accounts. New account fraud is opening entirely new accounts in your name. Both use stolen data, but new account fraud is harder to detect because you don't monitor accounts you don't know exist.
A credit freeze blocks new credit accounts from being opened in your name, which stops most new account fraud. It doesn't prevent account takeovers or non-credit fraud like tax filing or unemployment claims.

You might also like

Clock showing first 24 hours overlaid with checklist of identity theft response steps
Identity Theft

First 24 Hours After Identity Theft: What to Do Right Now

Identity theft demands immediate action. Here's the exact sequence of steps to take in the first 24 hours, what each one protects, and why timing matters.

12 min · Margot 'Magic' Thorne · May 7

Timeline visualization showing data flowing from breach to criminal marketplace to fraud attempt
Identity Theft

Identity theft: what actually happens after the hack

After a breach, your data moves through criminal markets, gets tested against accounts, and fuels fraud. Here's the timeline and mechanism.

11 min · Margot 'Magic' Thorne · May 3

Illustration of a stolen ID card being used to open fraudulent accounts
Identity Theft

What Is Identity Theft and How to Recover From It

Identity theft is when someone uses your personal information to commit fraud. Here's how it happens, what it looks like, and what to do if you're a victim.

18 min · Margot 'Magic' Thorne · May 1