You get the email. "We're writing to inform you that your personal information may have been accessed in a recent security incident." There's a line about credit monitoring. There's an apology. And then — nothing. What happens next, exactly?
Here's the timeline that doesn't make it into the notice.
Hours after the breach: the data gets sorted
Large data breaches don't happen because someone sat down and manually copied your information. They happen because attackers gain access to databases and exfiltrate data in bulk — often gigabytes or terabytes at a time. After extraction, the data gets sorted and categorized: names and emails in one pile, Social Security numbers in another, health records in a third. Payment card data gets separated because it has the shortest usability window before cards get canceled.
Days to weeks: it hits the marketplace
Criminal marketplaces — most operating on the dark web — sell stolen data in bulk. Prices vary considerably by data type:
- Email and password combinations: fractions of a cent each in bulk
- Full identity packages (name, SSN, DOB, address): roughly $1–$10 depending on credit score
- Health records: $10–$50 each, because they're harder to cancel than a credit card
- Payment card data with CVV: $5–$20 per card, used quickly before cancellation
- Login credentials for financial accounts: priced as a percentage of the account balance
Weeks to months: the fraud attempts begin
The people who buy your data don't usually use it immediately. They're often running semi-automated operations that try combinations across hundreds of sites. This is why you might start getting phishing emails that use your actual name, or why a fraudulent credit card application shows up on your report six months after a breach you've already forgotten about.
Credential stuffing — using your username and password from one breach to try logging into your bank, email, and other accounts — is particularly common. If you reuse passwords, a breach of any single account is effectively a breach of all of them.
What credit monitoring actually does (and doesn't do)
Credit monitoring watches for new accounts opened in your name, hard inquiries, and changes to your credit report. It alerts you after the fact — it doesn't prevent fraud, it tells you it happened. For most data breaches, that's useful but incomplete.
What it doesn't cover: medical identity fraud (your insurance being billed for someone else's procedures), tax fraud (someone filing a return with your SSN before you do), or account takeover on existing accounts (which doesn't show up as a new credit inquiry).
The long tail
Breached data doesn't expire. Your Social Security number from a 2019 breach is just as useful to a fraudster in 2026 as it was the day it was stolen. This is why the aftermath of a major breach — the OPM breach, the Equifax breach, the National Public Data breach — continues to generate fraud years after the event.
The settlement check you receive covers a fraction of the potential long-term cost. Free credit monitoring for one or three years sounds substantial, but your data will still be out there long after the monitoring expires. This isn't an argument against filing a settlement claim — file. It's an argument for treating the monitoring as a starting point, not a solution.
The one thing actually worth doing today
Freeze your credit. Not a fraud alert — a freeze. A fraud alert asks lenders to verify your identity; a freeze stops them from accessing your report at all. If you haven't done it yet and you've ever been part of a data breach (and statistically, you have), go do it now. It's free. annualcreditreport.com links to all three bureaus.
