You saw the headline, shook your head, scrolled past it, and moved on. Security researchers call this "breach fatigue".

In 2024, 1.7 billion breach notification letters went out to Americans. That's roughly six letters for every adult in the country. The average breach now costs companies $4.44 million globally. In the US that number is a little above $10 million.

Yet, 64% of Americans have never once checked if they were affected by a breach. We've stopped reading the mail.

On Christmas Day 2025, a hacker dumped 2.3 million WIRED subscriber records onto a hacking forum. The data included emails, names, and for over 100,000 people, their full home addresses.

The hacker, going by "Lovely", claims they tried responsible disclosure first. Condé Nast allegedly ignored them for a month. So they published everything and threatened to release 40 million more records from Vogue, Vanity Fair, and The New Yorker.

Here's something most people don't think about: your data from one breach might be worthless, but your data aggregated from multiple breaches is a goldmine.

If one breach leaks your email, another leaks your phone number, a third leaks your address, the fourth leaks your employer and a fifth leaks your purchase history…

Individually, its all kind of useless. But criminals don't work with individual breaches anymore. They aggregate.

There are criminal data brokers on the dark web who specialize in exactly this. They buy leaked datasets, match records by email address or phone number, and build comprehensive profiles. Your name, every address you've lived at for the past thirty years, your relatives' names, your employer, your medical history, your dating preferences, your political donations.

Security researchers who analyzed the National Public Data breach found they could identify not just individuals, but their parents, siblings, aunts, uncles, and cousins. They could trace family trees through the leaked data.

And all of this gets packaged up and sold to anyone willing to pay.

The payoff is targeted phishing. A criminal who buys the WIRED database leak can send you an email saying this: "We noticed an issue with your WIRED subscription at your Main Street address." See, thats not a generic spam email. That's a personalized attack referencing real information. Deepfake technology is creating voice clones that can impersonate family members or executives. There was a case where criminals used an AI-generated voice of a bank director to trick a bank manager into transferring $35 million.

And AI is getting better at writing. The old telltale signs of phishing, like bad grammar, weird phrasing, obvious spelling mistakes are disappearing. AI-generated phishing emails are grammatically perfect and stylistically appropriate.

Researchers found that phishing attacks that rely purely on social engineering are actually more successful than technical attacks. Why? Because anti-malware scanning catches malicious attachments, but there's no filter for an email that's just really, really convincing.

And the more data criminals have about you, the more convincing they can be.

Think of data breaches on a spectrum. On one end, you've got low-sensitivity leaks. On the other, high-sensitivity exposures that require immediate action. Let me walk you through how to think about this.

LOW CONCERN: The Big-Box Retail Leak

Let's say Walmart gets breached and your name shows up as a customer. Your name and email are out there. Is this ideal? No. Should you lose sleep? Probably not. Because being a Walmart customer tells criminals almost nothing useful. You bought stuff at a store that everyone shops at. There's no inference to be drawn. Your name and email are probably already floating around from a dozen other breaches anyway.

What to do: Maybe watch for phishing emails pretending to be from Walmart. But that's about it.

MEDIUM CONCERN: The Detailed Profile Leak

Now let's say a breach includes your name, email, phone number, home address, and purchase history, like the Ticketmaster breach. This is more serious. Because now someone can build a profile. They know what concerts you went to. They can craft a phishing email that references a specific show you attended. "Hey, there was a problem with your refund for the Taylor Swift concert." That's way more convincing than a generic "dear customer" scam.

What to do: Be extra skeptical of any communication referencing your purchases. Enable MFA everywhere. Consider a credit freeze.

HIGH CONCERN: The Full Identity Package

The worst-case scenario is a breach that exposes enough information to steal your identity wholesale. We're talking Social Security numbers, dates of birth, full addresses, financial account numbers. This is what happened with National Public Data. 170 million Americans with their complete identity profiles exposed.

What to do: Freeze your credit immediately. File an IRS Identity Protection PIN. Monitor your credit reports obsessively. Consider identity theft protection services with insurance.

Accept that your data is already out there, probably multiple times. You can't undo that, but you can limit the damage by being proactive.

Freeze your credit with Equifax, Experian, and TransUnion. This single action prevents anyone from opening accounts in your name, even with your SSN. Yes, it's a minor inconvenience when you need credit. It's nothing compared to recovering from identity theft.

Use a password manager with unique passwords for every account. When one service gets breached, it shouldn't unlock everything else.

Enable MFA everywhere, especially email, banking, and social media.

Check haveibeenpwned.com to see which breaches you're already in. Set up notifications for future ones.

Criminals are counting on your breach fatigue. They know you're overwhelmed by notifications. They know you've stopped paying attention.

That's exactly when they strike.

Not every breach requires panic, but some absolutely do. With this, I hope we helped you learn to tell the difference.

& dontgetgot.

Check if you've been breached: haveibeenpwned.com