Email Data Breaches: Bad for Users, Good for ID Verification

Every year sets a new record for the number of exposed records in email data breaches. In 2022, 15M records were lost due to leaks and breaches. Of course, this sounds like bad news for everyone involved – both companies and users whose records will be made public. But we can also use that information judiciously to protect them. Let’s see how it works in practice.

What is an Email Data Breach?

An email data breach is an event where private email addresses are made public. It is also known as an email data leak, because the addresses and associated data are likely to be leaked on online forums, the darknet, or other public spaces.

Email data breaches can be the result of cybercrime, phishing, internal sabotage, or fraud attacks. Criminals usually target email addresses and their associated login details, such as passwords, to infiltrate existing user accounts. This is why email data breaches are often synonymous with account takeover fraud, where fraudsters access someone else’s account in order to withdraw money, mine it for information, or use it as a phishing tool to target other victims.

The type of companies more likely to be targeted for email data breaches includes social media companies, neobanks, financial institutions, BNPLs, e-wallets, online stores, and iGaming accounts – among others. However, in recent years, email addresses have been leaked from any kind of company, including travel operators, car companies, healthcare, nonprofits, education, etc.

What Happens After an Email Data Breach?

The reason email data breaches happen in the first place is that criminals can resell the information on the dark web. That’s the first thing that will happen. You’ll come across huge data dumps, as they’re called, which are sold in bulk on shady internet forums. 

These account login details are used for account takeover (ATO attacks), or credential stuffing, where fraudsters attempt a combination of the email and password on numerous services. 

As a side note, this is why using slightly customized passwords for different services can backfire. If your Gmail password is passw0rd4Gmail, it’s easy enough to infer what it will be for LinkedIn.

If fraudsters do succeed in getting in, they will mine the accounts for personal details or, ideally, currency (crypto fiat and even bonus points).

Now, if we switch over to the side of the company that lost the data, it will probably have to inform its users. This is especially true for European companies since the GDPR forces companies to publicly acknowledge when they’ve lost customer records.

Once the user is made aware of the leak, they tend to change their passwords – but not their email address. This is where it becomes interesting from a fraud management perspective.

How to Check an Email Data Breach?  

It is important to learn if your personal information has been revealed due to an email data breach. With SEON, it’s included as part of our email API, which relies on data breaches to estimate how old an email address is. This is a key point to understand: when it comes to fraud prevention, learning that an email address has previously been leaked is actually positive: it helps confirm that the address wasn’t created recently by fraudsters.

You can also do check for email leaks manually, by looking at the latest news about email data breaches. There are a number of online services designed to let you verify if your address was made public or not.

There is also a step-by-step guide on how to improve your own security (usually including paid sponsorships by password managers).

It’s also worth noting that a growing number of companies, such as Firefox, allow you to check if your personal information has been compromised directly within their product. Google will also regularly send security emails if your details have appeared in online leaks.

How to Prevent an Email Data Breach

Preventing email data breaches takes effort from your security team, IT team, and every employee and executive. Training and education go a long way, and here are steps you can implement today:

• Educate employees about email security: That includes teaching everyone about how to securely open attachments, verify senders’ information, and scan for malware and viruses.
• Promote anti-phishing practices: Another example where prevention is better than the cure. If you can teach everyone how to detect phishing attempts and social engineering, you’re essentially blocking access to any potentially valuable data.
• Secure logins for everyone: A lot of data breaches happen after criminals log into your business using other people’s accounts. You can secure the login stage to prevent what is known as an account takeover attack.
• Boost your IT security: Last but not least, you should ensure you are ready to handle potential DDoS attacks, MitM attacks, Cross-Site Scripting attacks and other techniques that could leave your site at the mercy of cybercriminals.

As an online user, if your email address has been leaked in a data breach, you may want to consider the following steps:

• Find out what other info was compromised: you may need to check manually if your password or PII (personal identifying information), such as a social security number, was also leaked.
• Change your passwords: if your email address was leaked, chances are that an account password was leaked with it too. Whether you reused your passwords or not, it’s worth considering a quick update.
• Monitor your account for unusual activity: you may need to log into the account whose details were leaked. If the password has been changed, contact the company immediately.
• Be vigilant with your financial information: the worst-case scenario would be if your financial details were leaked. You may want to keep an eye on your credit card receipts, credit score reports, and even consider freezing your cards if needed.

Last but not least, remember that the company that lost your data is responsible for the leak. You may be contacted about a class-action lawsuit or compensated for your loss.

How to Verify Users with Email Data Breach Checks

The good news is that data breaches can be turned into a force for good. That is, in the context of fraud prevention, where you can check if data has appeared in a breach before. Here is how it works:

Email Checks at the Signup Stage

When users sign up for your service, chances are they must provide an email address. We’ve previously covered the merits of an email analysis tool in another post, but in the context of data breaches, here’s the key takeaway:

• An email address that appears on a data breach check is likely from a legitimate user. It means the address is mature, and you may even be able to infer its age.
• An email address that doesn’t appear on a data breach check should be considered riskier. It may be freshly created, or even a throwaway.

This is a tremendous advantage in modern credit scoring, where you need to calculate how risky a user is based on as little data as possible.

You can read more about how to reduce fraud with reverse email lookup here.

Email Checks at the Login Stage

Things get even more interesting at the login stage. One way to ensure only legitimate users get into their accounts would be to keep an eye out for the latest data breach news, and manually check if their login details have been leaked.

But there’s a smarter way to automate checks: using a combination of email analysis and device fingerprinting.

Put simply, here are examples of rules you could set up:

• If the email has recently appeared on a data breach check and the user seems to connect from a new device, you should increase the risk. This is highly likely pointing to an account takeover.
• If the email has recently appeared on a data breach check and the user is connecting from a trusted device, you could suggest a password change. It’s never a bad idea to educate users about the value of their accounts to prevent later damages.

You could even go into more sophisticated setups using velocity rules, for instance. If a user email appears on a data breach, logs into their account, and makes a password reset request within a short timeframe: does it mean they are legitimate users worried about their accounts? Or an opportunistic fraudster? 

Only a previously installed device fingerprinting solution will help complete the full picture to reduce customer insult rate and improve security.

Key Takeaways

In conclusion, you can see how checking for a data breach can be a boon for fraud managers. It may seem counterintuitive, but sometimes, the work of cybercriminals can actually be employed against them.

Of course, this is just one weapon in your email profiling arsenal. You’ll also need to complete the picture using every tool at your disposal, such as IP analysis, device fingerprinting, and, ideally, custom rules specific to your industry.

FAQ

Sources:

• Statista: Number of data records exposed worldwide from 1st quarter 2020 to 3rd quarter 2022

Further Reading

• Learn about Digital Footprint Fraud & Our API’s Role
• Learn About Email Profiling and What They Can Reveal About Your Users
• How to Find Social Media Accounts with E-mail
• How Email Risk Assessment Can Help Your Business Grow Safely