Scammers hacked her phone and stole thousands - so how did they get her details?

She was a victim of what's known as a Sim swap attack - where scammers trick a network operator into thinking they're the account holder to get a new Sim card for a mobile device.

They used it to take over almost all her online accounts through her phone. She said the experience was "horrible".

"The scammers took over my Gmail account and then locked me out of my bank accounts because they failed security checks," she said.

Sue also had a credit card opened in her name and the criminals purchased more than £3,000 in vouchers.

It took several trips to the branches of her bank and mobile phone provider to get her accounts back.

And the thieves weren't done.

"The criminals also did a sinister thing after breaking into my WhatsApp," she said. "They sent messages to horse riding groups I am in warning there were people on their way to stab the horses."

We searched hacker databases using online tools like haveibeenpwned.com and Constella Intelligence to see if Sue's details were previously compromised.

Her phone number, email address, date of birth and physical address were all exposed in data breaches at gambling platform PaddyPower in 2010 and email validation tool Verifications.io in 2019. Other compilations of hacked records also included her details.

Hannah Baumgaertner, from cyber firm Silobreaker, said attackers likely used the personal data leaked in previous breaches to conduct the Sim swap attack.

"Once they had access to Sue's phone number they were were able to intercept any security codes sent to verify her identity for her Gmail account," she said.

Scammers often combine stolen private information with public information.

Leah, who didn't want to give her real name, runs a small business using Facebook adverts and was recently targeted in a long running scam apparently originating from Vietnam.

"I got a phishing email from '[email protected]' saying that I was due a refund. I clicked on the link and entered my details on the fake Meta page and the scammers were able to take over my business account even though I had 2 factor authentication.

"They then posted child sexual abuse videos under my name which got me blocked. I was even barred from using Messenger to complain to Meta."

In the three days it took Leah to get back her business account back the scammers had run hundreds of pounds of adverts paid for by her. She eventually got the money back.

Alberto Casares from Constella Intelligence searched hacker databases and found Leah's email address and other details were taken in data breaches at Gravatar (2020) and this year's Qantas (third-party breach).

"It looks like the attackers used a common technique of linking up Leah's private stolen email address with her publicly listed business number to launch a targeted phishing attack against the email account."

They could have done this themselves or used a data broker to pay for a number of potential targets he said.

Mass data breaches are fuelling scams and secondary hacks around the world, with several high profile attacks coming in 2025 alone.

According to Proton Mail's Data Breach Observatory, there have been 794 verified breaches from identifiable sources discovered so far in 2025 with more than 300 million individual records exposed.

"Criminals pay premium prices for stolen data because it consistently generates profit through fraud, extortion, and cyberattacks," said Eamonn Maguire from the firm.

Aside from notifying customers and regulators about breaches, there are no hard and fast rules on what companies should do for victims.

Offering free credit monitoring, for example, used to be common.

Last year, Ticketmaster (which saw 500m people affected by a breach) offered this to some people.

But this year fewer firms are doing this. Marks and Spencer and Qantas, for example, have not offered these services to customers.

Co-op chose to give victims a £10 voucher - if they spent £40 in its shops.

Some are trying to seek compensation in the courts, with a growing trend of class action lawsuits - though these are notoriously hard to win because it is difficult to prove how individuals have been impacted.

But some have been successful.

T-Mobile has begun paying customers affected by a major data breach in 2021 which affected 76m customers.

The firm agreed to pay $350m - with payments reportedly ranging from $50 to $300.

Get our flagship newsletter with all the headlines you need to start the day. Sign up here.