BeenVerified Study: Hacks Affect More Than Half of Email Accounts—and Most of Us Don’t Know It

BeenVerified Study: Hacks Affect More Than Half of Email Accounts—and Most of Us Don’t Know It
Graphic: Claire Merchlinsky

BeenVerified Team
Updated May 27, 2020

As people hunker down during the coronavirus pandemic, internet security has never been more important as work and play move online—and fraudsters move in to try to take advantage of worried, homebound Americans.

A BeenVerified study of more than 100,000 email users nationwide found nearly six in 10 had their email addresses compromised in a data breach. Their email account information and passwords are quite possibly now freely available on the Dark Web, the lawless section of the internet where online scammers trade information and tools to find new victims.

Despite this widespread problem, consumer awareness appears low. In a separate survey, we found that 88% of users were previously unaware their email accounts were compromised.

Top takeaway

Most users are hit by multiple data breaches. BeenVerified found 59% of users had email addresses exposed in at least one data breach. On average, a user’s email address had been compromised in 4.59 breaches.

Other key findings

  • Washington, D.C., and Delaware email users had the highest average number of compromised addresses. Maryland, New Jersey, Maine and Massachusetts round out the states that had the highest average number of incidents where their email information was released in a data breach. States where email users had the fewest number of incidents include Montana, Idaho, New Mexico, North Dakota and Wyoming.
  • AOL and MSN email users have the highest rate of compromised accounts. Gmail, iCloud and Outlook were the email providers with the fewest breached users and number of breaches, according to our study. Still, no email domain is immune from breaches: 51% of Gmail users were victims of at least one data breach.
  • Breach awareness is low. A separate survey of 1,225 dark web scan users found only 12% who had a breach knew about some or all the breaches before using the BeenVerified Dark Web Scan tool.

Data breach awareness survey

That lack of awareness is a concern, as people often reuse the same password: A 2018 study by Panda Security of 26 million users found that 52% reuse passwords for different secure accounts.

“The first and best line of defense after your email account information has been breached is to change your account-related passwords,” said Justin Lavelle, spokesman for BeenVerified. “That’s what makes this last point so worrisome—if you aren’t aware you’ve been hit by a data breach, you probably haven’t taken appropriate next steps to secure your accounts.”

Data breaches: How states compare

Email addresses are often unveiled in numerous breaches. States where users had the highest number of incidents were Delaware (email addresses revealed in an average of 5.18 data breaches), followed by Maryland (5.0), New Jersey (4.81), Maine (4.81) and Massachusetts (4.8). But the area with the highest incidence is the nation’s capital, the District of Columbia, where email addresses were released on average in 5.28 data breaches.

States with the lowest incidence were Montana (3.79), Idaho (3.83), New Mexico (3.88), North Dakota (3.98) and Wyoming (4.08).

Data breach awareness state-by-state comparison

States with most data breaches

States with fewest data breaches

Data breaches by email providers

More than 58,200 of the users we studied had Gmail accounts, and 51% of those emails were found to be compromised in at least one breach—the third-lowest percentage in our study. On average, Gmail accounts were involved in 3.88 incidents, lower than the overall average.

Meanwhile, AOL and MSN email accounts had the highest percentage of compromised accounts: 84% and 91%, respectively. AOL and MSN email addresses, which made up 5,600 users in our study, were also the only ones that on average were part of more than six breaches.

Email providers with largest data breaches

What’s a Dark Web Scan?

A Dark Web Scan scours the internet to try and see if any of your email addresses may have been compromised and wound up on the dark web, which is not easily searchable and where many criminals operate. But if your personal information was compromised in a hack, it could end up on the dark web and in the hands of those criminals—making it easier to become a victim of crimes such as fraud and identity theft.

“Dark web criminals may take your password information and attempt to crack open your online bank accounts, make fraudulent purchases on e-commerce sites or open new accounts in your name,” Lavelle said.

Protect yourself from email data breaches

These days, it seems major data breaches happen regularly, whether it’s the 540 million Facebook accounts that were compromised in 2019, or the 3 billion Yahoo accounts exposed in 2013 and 2014.

Here are some key steps to try and better protect yourself from data theft:

  • Regularly change passwords. Make sure those passwords are strong, with a mix of numbers, symbols and upper- and lowercase letters.
  • Consider using a password manager. To help keep track of tricky combinations, use a password manager. (And yes, those managers are, for the most part, secure.)
  • Set up multi-factor authentication whenever possible. This extra step further restrains the ability of criminals to access your account, even if they know your password.
  • Be wary of phishing attempts: Never open emails or attachments from accounts that you don’t recognize. As a precaution, you can try and look up suspicious addresses using an email search tool.
  • Use antivirus software. Besides keeping software, such as browsers and operating systems, up to date, consider using antivirus software to regularly scan for malware.

“Unfortunately, it appears data breaches are a fact of life today,” Lavelle said. “But just because your account has been revealed in a leak doesn’t mean there aren’t steps you can take to ensure you can continue to safely use your email.”

Methodology: We analyzed 104,750 users of the BeenVerified Dark Web Scan tool from Nov. 4, 2019 through Dec. 12, 2019. Users were from all 50 states and the District of Columbia. A separate online survey asked 1,225 Dark Web Scan users, “Did you know these accounts were breached prior to seeing them here?” during the same time frame. BeenVerified’s Dark Web Scan allows users to check if their email address may have been compromised in a data breach.

For more information or press inquiries, please contact Justin Lavelle (justin@beenverified.com).

About BeenVerified: BeenVerified’s mission is to help people discover, understand and use public data in their everyday lives. BeenVerified and our associated websites curate dozens of public data sources and proprietary data sets to give people easy and affordable access to billions of public records.

Disclaimer: The above is solely intended for informational purposes and in no way constitutes legal advice or specific recommendations.