GranGuard - Scam Defense and Family Training
Data Breaches

How Criminals Get Your Personal Info

Your personal details are already out there. Here's how criminals find them, how they use them against you, and what you can do to protect yourself.

How Criminals Get Your Personal Info
GranGuard

GranGuard

Jan 8, 2026 · 8 min read

You get a phone call. The person on the other end knows your full name, your address, and which bank you're with. They mention a recent transaction that sounds familiar. They sound official, professional, concerned about your account.

How did they know all that?

It's a question most people never think to ask until they're in the middle of a scam, or recovering from one. The assumption is that criminals either got lucky or have some kind of sophisticated hacking operation.

The truth is simpler, and more unsettling: your information is already out there, scattered across dozens of databases, and it's surprisingly easy to gather.

The Breaches You Never Heard About

Over the past decade, billions of personal records have been exposed in data breaches. Not millions. Billions.

Some breaches make headlines. You probably remember hearing about attacks on companies like British Airways, TalkTalk, or Marriott. But for every breach that makes the news, dozens happen quietly. Small retailers, healthcare providers, local services, apps you signed up for once and forgot about. They get breached, your data leaks out, and you never hear a thing.

According to security researchers at Have I Been Pwned, the average email address appears in at least five known data breaches. Some appear in dozens.

What kind of information leaks? It varies, but typically includes some combination of:

  • Full name and email address
  • Phone numbers
  • Home address
  • Date of birth
  • Passwords (sometimes encrypted, sometimes not)
  • Partial payment card details
  • Security question answers

Each breach on its own might seem minor. But criminals don't use just one.

The Puzzle Comes Together

Here's what makes modern fraud so effective: criminals don't need to know everything about you from a single source. They piece together a profile from multiple breaches, cross-referencing data until they have enough to sound convincing.

Your email address from one breach. Your phone number from another. Your address from a third. Your bank from a transaction record that leaked somewhere else. Maybe your pet's name from an old forum account, which happens to be the answer to your banking security question.

Individually, these fragments seem harmless. Together, they form a detailed picture. Enough for a scammer to call you, sound legitimate, and make you second-guess your instincts.

Security researchers call this "data enrichment." Criminals call it Tuesday.

It's Not Just Breaches

Data breaches are the biggest source of leaked information, but they're not the only one.

Social media is a goldmine for anyone who knows how to look. Public profiles reveal birthdays, family relationships, workplaces, holidays, pets' names, and life events. Even if your own privacy settings are tight, tagged photos and posts from friends and family can fill in the gaps.

Data brokers are companies that collect, package, and sell personal information legally. They aggregate data from public records, loyalty programmes, surveys, and online activity, then sell it to marketers. But those databases sometimes leak, get hacked, or end up in the wrong hands.

Phishing isn't just an end goal for criminals. It's also a way to gather more information. A convincing email might trick you into confirming your address, your date of birth, or your account details, adding more pieces to the puzzle.

Public records contain more than you might expect. Electoral rolls, property records, company filings, and court documents are all accessible with a bit of effort.

Why This Matters for Scams

You might be wondering: so what? Why does it matter if someone knows my address or my phone number?

It matters because familiarity breeds trust.

A cold call from an unknown number asking for money is easy to dismiss. But a call from someone who knows your name, references your bank, mentions your recent transaction, and speaks with calm authority? That's much harder to ignore.

Criminals use your own information against you. The details make their story believable. And the more they know, the more convincing they can be.

This is why scams have become so personalised. It's not that criminals are smarter. It's that they have better data.

What You Can Do About It

You can't undo a breach that's already happened. But you can make yourself a harder target going forward.

Find out what's already exposed. The first step is knowing where you stand. Services like Have I Been Pwned let you check whether your email has appeared in known breaches. (GranGuard members get ongoing monitoring that alerts you when your details appear in new breaches, so you're not caught off guard.)

Tighten your digital footprint. Review what's publicly visible on your social media profiles. Consider removing your birthday, phone number, and address from public view. Be thoughtful about what you share and who can see it.

Use unique passwords. If the same password appears across multiple accounts, one breach can unlock them all. A password manager makes it easy to use strong, unique passwords everywhere.

Change breached passwords immediately. If you learn that a password has been exposed, change it right away, and change it anywhere else you've used it.

Enable two-factor authentication. This adds a second layer of protection even if your password is compromised. Use an authenticator app rather than SMS where possible.

Treat personal details as sensitive. If someone contacts you and already knows your information, that doesn't mean they're legitimate. Criminals have this data too. Verify independently before trusting anyone who reaches out to you.

Be selective with new accounts. Every service you sign up for is another place your data can leak from. Ask yourself whether you really need to create that account.

Knowledge Is Protection

There's something uncomfortable about realising how much of your information is already out there. But there's also something empowering about understanding how the system works.

When you know how criminals get your details, their tactics lose some of their power. The call that seems eerily well-informed becomes recognisable as a scam. The "personalised" email looks like what it is: a template filled in with stolen data.

You can't put the genie back in the bottle. But you can stop being surprised by it.

GranGuard helps you understand your exposure and stay protected. Our data breach monitoring alerts you when your information appears in new leaks, and our training helps you recognise when criminals are using your own details against you. Because once you understand the game, you're much harder to fool.


Sources and Further Reading