When a company announces a data breach, the statement usually reads like this: “We recently became aware of unauthorised access to systems containing customer information. We take security seriously and have taken steps to address the issue.” Then a list of data types affected. Then a recommendation to change your password.
What that statement doesn’t tell you is what attackers actually do, how fast it happens, and why changing your password on that one site often isn’t enough. Understanding the real sequence of events changes how you think about your own security.
How most breaches start
The movies show hackers typing furiously into dark terminals. Real breaches are more mundane. The most common entry points are:
- Phishing. An employee clicks a convincing fake email and hands over their credentials. From there, the attacker has a foothold inside the company network.
- Unpatched software. A known vulnerability in a web framework, database, or server software that the company hadn’t updated. Attackers scan the internet for these continuously.
- Credential stuffing. Using leaked username/password combinations from other breaches to log into internal systems. This works because employees reuse passwords too.
- SQL injection. A badly written web form that lets an attacker run arbitrary database commands by typing carefully crafted input. Old technique, still devastatingly common.
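The SQL injection entry point described above, as an added example that is not from the original article: a login lookup that splices form input into the query text, beside the parameterised form a defender would ship. The in-memory table, the e-mail addresses and the crafted input are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a site's user table (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",), ("o'brien@example.com",)])
    return conn

def lookup_vulnerable(conn, email):
    # Form input is pasted into the SQL text, so a quote in the input
    # ends the string literal and the rest of the input is parsed as SQL.
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return sorted(row[0] for row in conn.execute(query))

def lookup_safe(conn, email):
    # The value travels separately from the statement; the database
    # compares it as one opaque string and never parses it as SQL.
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)

def compare(email):
    """Run both lookups on the same input; report the vulnerable form's error instead of raising."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, email)
    except sqlite3.OperationalError as exc:
        vulnerable = f"error: {exc}"
    return vulnerable, lookup_safe(conn, email)

if __name__ == "__main__":
    print(compare("alice@example.com"))    # both forms return the one matching row
    print(compare("o'brien@example.com"))  # vulnerable form breaks on a legitimate apostrophe
    print(compare("x' OR '1'='1"))         # vulnerable form returns every row; safe form returns none
```

The apostrophe case is the tell-tale for code review: a query that fails on legitimate input containing a quote is the same query an attacker can reshape, so a parameterised rewrite fixes the bug and the vulnerability together.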
What attackers do once they’re in
This is the part that matters most. Attackers who break into a company generally don’t immediately grab data and leave. They move quietly. The average time between an attacker gaining access and a company detecting the breach is measured in months — sometimes over a year.
During that time, they map the network, escalate privileges, identify where the valuable data lives, and set up persistent access so they can return even if the original entry point is closed. When they finally exfiltrate data, they take everything they can reach.
What happens to your data after the breach
The stolen database doesn’t sit on one attacker’s hard drive. It moves quickly through an underground economy:
- Initial exploitation. The attacker or their clients use the freshest credentials immediately, before any notifications go out. This is the window where the most damage happens — while the company doesn’t even know they’ve been breached.
- Sale on dark web markets. The database gets listed for sale, typically priced by size and the quality of data included. A database with plaintext passwords or financial data commands a premium.
- Credential stuffing campaigns. Buyers run the email/password combinations against major services — email providers, banks, streaming services, e-commerce sites — using automated tools that can test millions of combinations per hour.
- Aggregation into “combo lists.” Multiple breach databases get combined and deduplicated into massive lists. These circulate freely and get used years after the original breach.
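Credential stuffing appears twice above, as an entry point into a company and as what buyers do with a stolen database. As an added example (not part of the original article), here is the detection logic a defender would run over authentication logs: one source failing against many distinct accounts in a short window is a leaked list being replayed, while one account failing repeatedly is usually a forgotten password. The log format, account names and RFC 5737 test addresses are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in a simple key=value form (sample data, RFC 5737 test addresses).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z ip=203.0.113.5 user=alice result=FAIL",
    "2024-05-01T10:00:01Z ip=203.0.113.5 user=bob result=FAIL",
    "2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL",
    "2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL",
    "2024-05-01T10:00:04Z ip=203.0.113.5 user=erin result=FAIL",
    "2024-05-01T10:00:05Z ip=203.0.113.5 user=frank result=FAIL",
    "2024-05-01T10:00:06Z ip=203.0.113.5 user=gina result=OK",
    # One person mistyping their own password is noisy but is not stuffing.
    "2024-05-01T10:00:10Z ip=198.51.100.7 user=hank result=FAIL",
    "2024-05-01T10:00:15Z ip=198.51.100.7 user=hank result=FAIL",
    "2024-05-01T10:00:20Z ip=198.51.100.7 user=hank result=OK",
]

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(lines):
    """Yield (timestamp, ip, user, result) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result

def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5):
    """Flag sources whose failures span at least min_users distinct accounts within one window.
    Many accounts from one source is a credential list being replayed; one account failing
    repeatedly is a forgotten password and is not flagged. Successful logins from a flagged
    source are returned as well, because those accounts need an immediate password reset."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in parse(lines):
        (fails if result == "FAIL" else successes)[ip].append((ts, user))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({u for _, u in events[start:end + 1]}))
        if peak >= min_users:
            flagged[ip] = {"distinct_failed_users": peak,
                           "successes": sorted({u for _, u in successes.get(ip, [])})}
    return flagged
```

The `successes` list is the actionable output: an account that logged in from a source that was just cycling through other accounts is almost certainly a reused password that the attacker already holds.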
Why the notification often comes too late
Companies are required in many jurisdictions to notify affected users within a certain timeframe after discovering a breach. The key word is discovering. Many breaches are discovered not by the company itself, but by security researchers who find the stolen data being traded online — sometimes years later.
By the time you receive a breach notification email, there’s a reasonable chance that your credentials have already been tested against dozens of other services. The notification is not a warning that something bad might happen. It’s often a confirmation that something bad probably already did.
What to actually do about it
The generic advice “change your password” is correct but incomplete. Here’s what matters:
- Change the password on the breached site. Obviously. But use a generated, unique password — not something you’ve used anywhere else.
- Change it everywhere you used the same password. This is the part people skip. If you reused that password on other sites, those sites are also compromised.
- Change your email password if it matches. Your email is the recovery method for everything else. Treat it as the highest-priority change.
- Enable two-factor authentication on email and financial accounts. Even if an attacker has your password, 2FA prevents them from logging in without physical access to your device.
- Monitor your other accounts for unusual activity. Watch for unexpected login notifications, password reset emails you didn’t request, or transactions you don’t recognise.
The systemic problem
Individual actions matter, but breaches keep happening because security is treated as a cost rather than a product requirement. Companies collect vast amounts of user data they don’t strictly need. They store it longer than necessary. They invest in features rather than hardening existing systems.
Until that calculus changes — through regulation, liability, or customer pressure — breaches will remain a routine fact of internet life. The best individual defence is assuming that any site you’ve ever given a password to may be compromised, and designing your security model around that assumption. Unique passwords, a password manager, and 2FA on your most important accounts cover most of the practical risk.