
Billions of account details sold online: five tips to protect yourself and your data

From creating unique passwords to spotting scam calls, Which? explains how to protect yourself when your data has been breached

More than 15 billion stolen usernames and passwords are being sold to criminals on the dark web, new research from cyber security firm Digital Shadows has revealed.

The stolen data includes account details for internet services, bank accounts, video and music streaming websites.

Account details are sold at an average price of around £12, while bank and financial service accounts are on sale for an average of £56.

The number of stolen credentials has quadrupled since 2018, following more than 100,000 data breaches, the research says.

Digital Shadows has warned there are many online tools that can be used to target accounts, available to buy for less than £3.50, with little technical expertise required to use them.

If you're worried about your information or have experienced any suspicious activity lately, here are our top tips for protecting yourself and your data.



1. Create a strong password

If your data has been leaked, or you notice suspicious activity, it's well worth changing your passwords.

Follow our tips to ensure yours is as secure as possible.

  1. Avoid using your pet's name or your favourite football team. It might be an easy password to remember, but using information that can easily be traced back to you also makes it an easy password for fraudsters to crack.
  2. A passphrase is better than a password. It might be a combination of random characters, or it could be a few unrelated words strung together. Pick something random and not based on any personal information.
  3. Don't replace letters of the alphabet with special characters that look similar. Using pA$w0rd instead of password won't fool hackers - they already know this trick. If a website insists that you use special characters, it's better to insert them randomly into the password.
  4. Create different passwords for different websites. If you use the same password across multiple websites, you could have a number of your accounts hacked if your data is compromised. Make sure to create a different password for every account.
  5. Use a password manager. Most browsers will offer to store your passwords for you, but malware can sneak on to your computer and steal them. If remembering a different password for every account proves too tricky a task, you might want to use a password manager instead.
  6. Don't change your password for the sake of it. The National Cyber Security Centre advises against changing your password without good reason, as people often tend to recycle old passwords, which could make your account vulnerable. It's much better to stick with one strong password you haven't used anywhere else.

Biometric authentication (using a fingerprint or a face scan) is also a secure and fast way to log into your phone and other devices.

It's also important to remember no legitimate company will ever ask you for your full password, only for certain characters. Be wary of any email or phone call that asks you to disclose your password in full.

2. Be vigilant against scams

If you receive a phone call asking you for personal details (eg a password for your bank account), make sure to check their true identity.

You might ask them for details the company should know about you, like the type of subscription you're on, or how much you pay each month.

Be aware that scammers might have access to more of your personal information than seems normal if your data has been breached.

If you have any suspicions, hang up and contact the company they're claiming to be calling on behalf of.

3. Look out for identity fraud

Data breaches can lead to identity fraud if your data falls into the hands of criminals online.

This is where your identity is stolen to obtain goods or services, such as bank accounts, mobile phone contracts or driving licences.

It's worth keeping a close eye on your bank account and credit score following a data breach, and contacting your bank immediately if there's anything unusual.

You might also learn of ID fraud if you get a bill for something you haven't ordered or if you receive letters from debt collectors.

How to protect yourself against identity fraud

Here's how to best safeguard your personal information online and offline:

  • Never reveal your full password, login details or account numbers, and be wary of unexpected calls or emails.
  • Always install all official software updates to your phone, laptops and other devices.
  • Don't leave things like bills lying around for others to see.
  • Shred any documents with your name, address or financial details on them before throwing them out.
  • Tell your bank or card company if a statement doesn't arrive.
  • Don't post any pictures showing your car number plate - fraudsters can use this to obtain your address from DVLA records.
  • Be careful when using public wi-fi networks - never use them to access sensitive apps or sites, such as mobile banking.

4. Use two-factor authentication

Two-factor authentication adds an extra layer of security to your online accounts.

It's commonly offered by services such as Google Mail and it uses two ways to check the real account holder is logging into their account.

After you try to log in on your web browser, you might be sent an SMS with a unique code that you're asked to type in on your browser. Or the service might send a push notification asking you to confirm you're trying to log in.

A hacker, of course, won't have access to your mobile phone, and so won't be able to log in.

5. Report any suspicious activity

If you've noticed any unusual account activity, you should contact your bank, credit card company and the local police on the non-emergency phone number, 101, as soon as possible.

You can also report the fraud via Action Fraud, the police's fraud-reporting service.

Cifas also offers a protective registration service, which places a flag alongside your name in its secure National Fraud Database.

Companies and organisations who are signed up will see you're at risk and take extra steps to protect you.

You can complain and claim compensation

If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost it.

You'll want to first complain to the organisation that lost your data, outlining the distress or damages suffered.

The next step is complaining to the Information Commissioner's Office (ICO), who can't award compensation, but can give advice on the level of compensation that should be due.

Its opinion can be influential in making your claim against the organisation that has compromised your data.

And if you can't agree on compensation with the company, you can make a claim via the small claims court.

A good piece of evidence to take to court is if the ICO agreed with you that the GDPR was indeed breached.

You can use our advice on how to make a claim in the small claims court.