How Data Breaches Actually Work

A data breach isn't a single event — it's a process. From the initial intrusion to the moment your password appears in a torrent file on a hacker forum, multiple steps occur over a timeline that's often months long. Understanding this process clarifies what's actually at risk and why certain defenses work when others don't.

Initial Access

The most common entry points into organizational systems are: SQL injection vulnerabilities in web applications (sending malicious SQL commands through user inputs to access the database), phishing attacks against employees (tricking individuals into revealing credentials), credential stuffing using previously leaked credentials (old passwords still work on poorly maintained systems), and unpatched software vulnerabilities (exploiting known security flaws before patches are applied).

Most breaches aren't dramatic zero-day exploits by sophisticated state actors. They're opportunistic attacks using well-known vulnerabilities against systems that haven't been maintained. The most common cause of a breach is a trivially exploitable flaw that was known and left unpatched.

Extraction and Sale

Once inside, attackers extract the credential database — typically a table of usernames, email addresses, and password hashes. This data is sold on dark web markets, with prices varying based on size, recency, and whether the passwords are cracked or hashed. Large consumer databases sell for relatively little per record because of the volume.

Cracking

Hash cracking is the offline process of recovering plaintext passwords from their hashes. Attackers with stolen hash databases run them through GPU-based cracking rigs. Common passwords are cracked almost instantly by lookup in precomputed rainbow tables. Complex but dictionary-derivable passwords are cracked with rule-based attacks. Unique random passwords and strong passphrases resist cracking entirely.

Credential Stuffing

The cracked credentials are then tried automatically against major services — email, banking, social media, shopping — at scale. This is credential stuffing. The success rate per credential is low, but the scale is enormous: a database of 10 million credentials, with even a 2% reuse rate, yields 200,000 successful compromises elsewhere.

Check if your email has appeared in known breaches, then generate fresh, unique passwords at PasswordUtils.