
The Digital Black Market: How Your Data Is Bought, Sold, and Traded After a Breach

What happens to your info after a hack? Knowing this is essential for protecting yourself, so let's follow the trail.

Justyn Newman, Senior Writer, Security


Data breaches happen every day—and they're rarely random. Most stem from deliberate, targeted cyberattacks or the exploitation of overlooked security flaws, allowing criminals to infiltrate systems and steal sensitive information. This can include anything from email addresses and passwords to Social Security numbers, credit card details, medical records, or internal corporate documents.

It sounds alarming (and it is), but what really happens after your data is compromised? Where does it go once it’s been swept up in a breach? Understanding this process isn't just eye-opening—it's a critical step in knowing how to protect yourself in an increasingly data-driven world.


Where Does Your Data Go After a Breach?

Once your data is compromised in a breach, it turns into a commodity—something to be bought, sold, or traded. It might be sold on its own, but more often it's bundled with other stolen information as part of a larger dataset. The hackers or attackers responsible for the breach typically aren’t the ones who end up using your data. Think of it like a luxury jewelry store robbery: The thieves aren’t stealing the items to wear them—they’re after the profit they can make by selling them to others. Similarly, your data is just a valuable asset in an underground marketplace.

Information is only valuable so long as it is new and usable, so it is often sold off as quickly as possible. Where can you find it? Let's review the most likely destinations:

  1. The Dark Web: Many marketplaces for user data exist on the dark web since it isn’t regulated or moderated like the surface web. Attackers use non-indexed dark websites to turn data into profit without worrying about a web host or platform owner turning over their data to law enforcement. Credit cards, logins, Social Security numbers, passports, and any other kind of identifying information you can think of are bought, traded, and sold here. 
  2. Secure Messaging Apps: Encrypted messaging services such as Signal and Telegram are excellent tools for anonymity and privacy. While such apps are invaluable for journalists and help users control their information, some criminal groups use these platforms to run chats that deal in user data.
  3. Invite-Only Forums/Chats: The surface web has its fair share of forums, chat rooms, apps, and sites that publicly deal in stolen data. These resources are usually heavily moderated and kept under a strict invite-only system to limit the risk of being discovered by law enforcement. 
  4. Publicly: Some breaches are made public without any direct sale of data. Government or company whistleblowers have taken this approach to spread the information as far as possible. Similarly, certain hackers have moral or ethical reasons for attacks, such as the Ashley Madison breach in 2015, which released the identities of all users due to the site being a hub for adulterous relationships. 
  5. Privately: The most careful hackers deal internally with other malicious groups and secure private clients for user data, company secrets, and other leaked information. 

Much like a regular marketplace for goods and services, prices shift based on supply and demand. If you are interested in the rough price that information sells for in various marketplaces, PrivacyAffairs conducts a detailed analysis every three years of how much user data is going for on the dark web.


What Information Do Cybercriminals Buy and Sell?

Dark web markets are as varied as a weekend farmer’s market. There are sites and hubs for essentially all forms of identifying information. From email accounts to Social Security numbers, a little bit of everything is available for the right price. Below are the three most common categories of sold data, with short rundowns detailing how each kind is used:

  1. Payment Cards: In a practice known as “carding,” criminals buy up bundles of leaked card details in the hopes of making fraudulent purchases.
  2. Site Credentials: Social media accounts and email profiles can be targeted in an attack in order to post defamatory content. More often, hackers steal these accounts to conduct further social engineering or phishing attacks on unsuspecting individuals.
  3. Personal Documents: Passports, Social Security numbers, and birth certificates are just a few of the more sensitive documents that criminals pay for with the aim of identity theft.

Other categories include crypto wallets, streaming service logins, verified PayPal accounts, and medical information.


What Can You Do to Protect Your Data? 

It is difficult, if not impossible, to remove every trace of your personal information online. However, there are steps you can take that will make you far less vulnerable to attacks. A good password manager is an easy first step that will ensure you are protected in the event of a breach. A VPN can lock down your traffic and prevent your internet service provider (ISP) or any third-party advertisers from building a profile on you. 

Adjust your privacy settings on social media accounts to prevent unrecognized accounts from scouring your pages. It is also worth removing identifying information from your posts and account, such as your place of work, address, and relationship status. Simply limiting what you share can make it much more difficult for a hacker to target you or get up-to-date information that can be used against you. 

Similarly, be aware of what information you are giving a website when you sign up for an account or make a purchase. When in doubt, it is worth using one-time payment methods, burner emails, and a P.O. Box to keep your true identity confidential. 

If you are subject to a data breach, make sure to monitor related accounts. If a site you’ve made a purchase from has had payment data leaked, then it may be necessary to lock down your payment cards and to notify your bank. In the event of stolen sensitive information, you might need to freeze your credit. Monitoring news stories and keeping track of events isn’t always feasible. Data removal services can do the hard work for you while also monitoring the dark web for leaks with your information in them. 

Regardless of which tools you use, take a proactive approach to privacy. Otherwise, you may find yourself doing damage control while a cybercriminal wreaks havoc with your stolen data.
