Identity theft: how data gets stolen and how to lock it down
Data leaks, account takeover, fake government services. Practical steps to protect your identity with unique passwords, 2FA, monitoring and data removal.
Identity theft is less a single event than a chain reaction. A piece of your information leaks, a criminal uses it to open or take over an account, and that access is used to reach further into your life. The aim of this guide is to break the chain early, with habits that are simple to adopt and hard to defeat.
Where stolen identities come from
Most identity theft does not start with a master hacker. It starts with data that is already loose in the world. Large company breaches spill email addresses, passwords, and personal details onto criminal markets. Phishing messages trick people into typing credentials into fake pages. Public oversharing on social media fills in the gaps: a birthday here, a pet's name there, the very details used as security answers.
Once a criminal has enough, they try those details everywhere, because people reuse passwords. One leaked password from a forum you forgot about can open your email, and your email can reset almost everything else.
What it looks like when it happens
Account takeover often announces itself quietly: a login alert from an unfamiliar place, a password-reset email you did not request, a sudden lockout. More serious cases show up as charges you did not make, a new account or loan in your name, or letters about a service you never signed up for. Fake government and tax services are a frequent route in, sending official-looking messages that harvest your ID details under the guise of a refund or a fine. If a message like that arrives, you can sanity-check the situation with our scam test before you respond to anything.
The defences that actually work
A few measures do most of the heavy lifting. In rough order of impact:
- A unique password for every account. This is the single most valuable change you can make. A tool like Dashlane generates and stores strong, different passwords so a breach of one site cannot unlock the others.
- Two-factor authentication on email, banking, and anything important. Even a stolen password is far less useful without your second factor.
- A protected primary email. Your email is the master key to password resets, so guard it most carefully.
- Caution with security questions. Treat them as extra passwords, not as honest answers a stranger could guess from your profile.
Shrinking your exposure
You can also reduce how much of you is out there to steal. Data brokers quietly compile and sell profiles built from public records, app trackers, and old sign-ups, and that aggregated data feeds both scams and impersonation. A removal service such as Incogni requests deletion of your data from these brokers on your behalf, which lowers your long-term risk. Reviewing app permissions and old accounts you no longer use helps too.
If your identity is already compromised
Act methodically rather than in panic.
- Change the password on the affected account first, then on any account that shared that password, from a device you trust.
- Turn on two-factor authentication everywhere it is offered.
- Contact your bank for any financial accounts involved, and watch your statements.
- Report the theft to a fraud service such as Action Fraud, and keep a record of what happened.
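As an added illustration (not part of the original guide), the Python example below works out the change order from the first step using a password-manager export: the affected account first, then every account that shared its password. The CSV column names and the sample accounts are constructed assumptions; real exports differ between products.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample export. The column names (name, username, password) are an
# assumption; real password-manager exports differ between products.
SAMPLE_EXPORT = """name,username,password
Old Forum,sam@example.com,Sunshine2019!
Webmail,sam@example.com,Sunshine2019!
Bank,sam@example.com,x7#Lq9vT2m$Rk4
Shop,sam@example.com,Sunshine2019!
Streaming,sam@example.com,Movies4Ever
Gym,sam@example.com,Movies4Ever
"""

def reuse_groups(export_text):
    """Group account names by password without using plaintext as the key."""
    key = secrets.token_bytes(32)  # per-run key: the fingerprints are useless afterwards
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        tag = hmac.new(key, row["password"].encode(), hashlib.sha256).hexdigest()
        groups[tag].append(row["name"])
    return list(groups.values())

def rotation_plan(export_text, affected):
    """Affected account first, then every account that shared its password."""
    for names in reuse_groups(export_text):
        if affected in names:
            return [affected] + sorted(n for n in names if n != affected)
    raise KeyError(f"{affected!r} not found in export")

def other_reuse(export_text, affected):
    """Remaining clusters of shared passwords, to fix once the urgent ones are done."""
    return [sorted(g) for g in reuse_groups(export_text)
            if len(g) > 1 and affected not in g]

if __name__ == "__main__":
    print("Change now, in order:", rotation_plan(SAMPLE_EXPORT, "Old Forum"))
    print("Also reused:", other_reuse(SAMPLE_EXPORT, "Old Forum"))
```

When running this against a real export, delete the exported file afterwards, since it holds every password in plaintext.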
Identity theft often travels alongside phishing, which is how credentials get harvested in the first place, and it can feed into banking scams once a criminal can convincingly pose as you. The reassuring part is that the same handful of habits protect against all of them: unique passwords, second factors, a guarded inbox, and a smaller data footprint. Set them up once, and they keep working quietly in the background.