More than 15 billion stolen usernames and passwords are being sold to criminals on the dark web, new research from cyber security firm Digital Shadows has revealed.
The stolen data includes account details for internet services, bank accounts, video and music streaming websites.
Account details are sold at an average price of around £12, while bank and financial service accounts are on sale for an average of £56.
The number of stolen credentials has quadrupled since 2018, following more than 100,000 data breaches, the research says.
Digital Shadows has warned there are many online tools that can be used to target accounts, available to buy for less than £3.50, with little technical expertise required to use them.
If you're worried about your information or have experienced any suspicious activity lately, here are our top tips for protecting yourself and your data.
If your data has been leaked, or you notice suspicious activity, it's well worth changing your passwords.
Follow our tips to ensure yours is as secure as possible.
Biometric authentication (using a fingerprint or a face scan) is also a secure and fast way to log into your phone and other devices.
It's also important to remember no legitimate company will ever ask you for your full password, only for certain characters. Be wary of any email or phone call that asks you to disclose your password in full.
If you receive a phone call asking you for personal details (eg a password for your bank account), make sure to check their true identity.
You might ask them for details the company should know about you, like the type of subscription you're on, or how much you pay each month.
Be aware that scammers might have access to more of your personal information than seems normal if your data has been breached.
If you have any suspicions, hang up and contact the company they're claiming to be calling on behalf of.
Data breaches can lead to identity fraud if your data falls into the hands of criminals online.
This is where your identity is stolen to obtain goods or services, such as bank accounts, mobile phone contracts ordriving licences.
It's worth keeping a close eye on your bank account and credit score following a data breach, and contact your bank immediately if there's anything unusual.
You might also learn of ID fraud if you get a bill for something you haven't ordered or if you receive letters from debt collectors.
Here's how to best safeguard your personal information online and offline:
Two-factor authentication adds an extra layer of security to your online accounts.
It's commonly offered by services such as Google Mail and it uses two ways to check the real account holder is logging into their account.
After you try to log in on your web browser, you might be sent a SMS with a unique code that you're asked to type in on your browser. Or it might send a push notification asking you to confirm you're trying to log in.
A hacker, of course, won't have access to your mobile phone, and so won't be able to log in.
If you've noticed any unusual account activity, you should contact your bank, credit card company and the local police on the non-emergency phone number, 101, as soon as possible.
Companies and organisations who are signed up will see you're at risk and take extra steps to protect you.
If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost it.
You'll want to first complain to the organisation that lost your data, outlining the distress or damages suffered.
The next step is complaining to the Information Commissioner's Office (ICO) , who can't award compensation, but can give advice on the level of compensation that should be due.
Its opinion can be influential in making your claim against the organisation that has compromised your data.
And if you can't agree on compensation with the company, you can make a claim via the small claims court.
A good piece of evidence to take to court is if the ICO agreed with you that the GDPR was indeed breached.