If someone broke into your home, what would they take? Jewellery. Cash. Your laptop. Maybe the spare key hanging by the front door.
You can picture it because it is obvious. The things worth stealing are the things you can see.
Online, the theft works differently. There is nothing to carry away. No broken window, no missing TV.
But the theft is happening anyway, constantly, to millions of people who have no idea it is happening to them right now.
In 2025 alone, identity fraud cost Americans $27.3 billion and affected 18 million victims, according to Javelin Strategy & Research. That is not a typo. That is roughly the population of the Netherlands, each losing money because someone, somewhere, got hold of a piece of information about them.
So what are they actually after? Not your TV. Not your laptop, not really. They want four things: your identity, your access, your money, and your location. Every scam, every breach, every weird login alert traces back to one of these four.
This guide walks through each one. Not to scare you, but so you know exactly what is at stake and what to do about it.
What These Four Things Have in Common
Your identity, your account access, your money, and your location might feel like separate categories. They are not.
They are connected, and criminals know it better than most people do.
Here is the chain. A data breach exposes your email and a password. That password gets tried on your bank login (because most people reuse passwords). If it works, your money is gone within hours.
Or it goes another way. Your location data, sold by an app you forgot you installed, ends up in the hands of someone who should not have it. Now a digital problem has become a physical safety problem.
This is why “what hackers want from you” is not really four separate questions. It is one question with four entry points. Get into any one of them, and the others often follow.
The good news is the reverse is also true. Protect one of these well, and you make all of them harder to reach. A strong, unique password protects your access. Knowing where your data lives helps you control your identity. Watching your accounts protects your money. Limiting app permissions protects your location.
None of this requires becoming a technical expert. It requires knowing what is actually being targeted, which is exactly what the next four sections cover.
Your Identity: The Raw Material for Almost Everything
Your name, phone number, email, date of birth, and national ID number do not feel valuable. You give them out constantly, to shops, apps, forms, websites.
But to a criminal, these details are raw material. Combined, they can be used to open accounts in your name, file fraudulent tax returns, or build an entirely fake identity using fragments of real people’s information, a practice known as synthetic identity fraud.
The scale of this is hard to grasp until you see one number. In January 2025, UnitedHealth confirmed that the Change Healthcare breach had affected 190 million people, the largest healthcare data breach ever recorded. That is more than half the population of the United States, in a single breach.
More than 60% of identity fraud cases involve personal data that was stolen and sold on the dark web, according to Snappt’s 2026 identity fraud research. In plain terms, most identity theft does not start with a clever hack of you specifically. It starts with your details sitting in a database that already leaked.
The full picture, including how synthetic identity fraud works and what makes you identifiable in the first place, is covered in the guide below.
Read the full guide: Your Personal Information Is Worth Real Money, Here’s Who Wants It
Your Passwords: The Single Point of Failure
If your identity is the raw material, your passwords are the lock on the door. And for most people, that lock is weaker than they think, and reused on every door in the house.
In early 2025, several Australian superannuation funds were hit by coordinated credential stuffing attacks. Criminals did not break any encryption. They simply took email and password combinations leaked from older, unrelated breaches and tried them on retirement account logins. Some worked.
That is the domino effect in action. One leaked password from a forum you signed up for years ago can end up unlocking your bank, your email, and your retirement savings, if you used the same one everywhere.
The numbers back this up. A study of 19 billion leaked credentials found that 94% of passwords had been reused across multiple accounts, according to analysis cited in the Verizon 2025 Data Breach Investigations Report. Out of every 100 passwords, 94 were doing double or triple duty, each reuse another door that single password could open.
This is also where two-factor authentication earns its place. It is not perfect, but it turns a stolen password from “game over” into “one more step the attacker probably cannot take.”
One tool worth bookmarking right now: Have I Been Pwned lets you check whether your email has appeared in a known data breach, for free, in seconds. For ongoing alerts whenever your details show up in a new breach, Mozilla Monitor does the same job as a standing watch rather than a one-time check.
The full breakdown of how passwords get cracked, why reuse is so dangerous, and what actually makes two-factor authentication worth setting up is in the guide below.
Read the full guide: Why One Weak Password Can Cost You Everything
Your Money: Mapped, Not Random
Take a second and count how many ways someone could access your money right now. Bank account. Debit card. Credit card. A payment app on your phone. Maybe a digital wallet, maybe a small crypto holding.
Criminals have made the same list. The difference is they have a plan for each item on it.
In August 2025, New York Attorney General Letitia James filed a lawsuit against Zelle’s parent company, alleging that scammers had stolen more than $1 billion from users through social engineering and bank impersonation calls. The money did not vanish through some technical exploit. People were talked into sending it themselves, by someone pretending to be their bank.
This pattern repeats across financial crime generally. Investment fraud was the single costliest category of online crime in 2025, totalling $8.6 billion in reported losses, according to the FBI’s 2025 Internet Crime Report. For comparison, that is more than the entire reported losses from romance scams and tech support scams combined.
The FTC’s consumer resources at consumer.ftc.gov are a useful, plain-language place to understand your rights around unauthorised transactions, chargebacks, and what your bank is and is not obligated to do if you are scammed.
How each of these access points, accounts, cards, wallets, and crypto, gets targeted differently, and what reduces your exposure on each one, is covered fully in the guide below.
Read the full guide: How Criminals Target Your Bank Accounts and Digital Wallets
Your Location: When Digital Becomes Physical
This is the one most people do not think about until it is too late.
Your phone has tracked your location all day today. It knows where you slept, where you work, the route you took this morning, and roughly how long you spent there. Most of that data gets shared with companies you have never heard of, as part of the ordinary business of apps and advertising.
Usually, that is just unsettling. Sometimes, it is dangerous.
Globally, the number of people affected by stalkerware and location tracking spyware increased by 228% between 2020 and 2024, according to the Coalition Against Stalkerware. That is more than double in four years, and the increase has documented links to escalating violence in domestic abuse situations.
Roughly 1 in 10 people has experienced some form of tech-enabled stalking, most often from a former partner, per Coalition Against Stalkerware research from 2025. Out of every group of ten people you know, statistically one has lived through this.
There is also a less obvious version of this risk: SIM swaps, where a criminal takes over your phone number entirely, which can be used to intercept calls and texts meant to locate or verify you.
The full picture, including how to audit which apps know your location and why “always on” is rarely necessary, is in the guide below.
Read the full guide: Your Phone Knows Where You Are, And So Does Someone Else
What to Do With All of This
You do not need to fix everything today. You need to do one thing today, and let it lead to the next thing naturally.
Go to Have I Been Pwned right now and type in your email address. It takes about ten seconds, and it tells you whether your information has already been part of a breach you never heard about.
If it has, that is not a reason to panic. It is information you can act on: change that reused password, turn on two-factor authentication where you can, and check your bank statements a little more closely this month.
The Identity Theft Resource Center is also worth knowing about before you need it. If anything in this guide ever does happen to you, this is where the practical, step-by-step support lives.
Frequently Asked Questions
What actually happens to my data after a breach?
It usually gets sold, often in bulk, on forums and marketplaces that specialise in exactly this. From there it gets combined with data from other breaches to build a more complete profile of you, which is then used for things like account takeovers, fake accounts in your name, or convincing scam messages that already know your real address or recent purchases.
My information is already out there. Is there any point doing anything now?
Yes, absolutely. Knowing your data is out there is actually useful, because it tells you exactly which passwords to change first and which accounts to watch most closely. Start with Have I Been Pwned or Mozilla Monitor to see what is exposed, then work through changing reused passwords on your most important accounts (email and banking first). If you suspect your identity itself has been used fraudulently, not just a password leaked, the Identity Theft Resource Center can walk you through next steps.
The Bottom Line
Your personal information is the raw material for almost every digital crime that exists. Identity, access, money, and location are not random targets. They are the four things that, together, make up “you” in a way criminals can profit from.
Understanding what attackers actually want is not about becoming paranoid. It is about knowing where the doors are, so you can decide which ones to lock first.
Start with the one action that applies to everyone: check Have I Been Pwned today.
If this was useful, share it with someone who needs to know.
