If you have ever checked a breach database and found that your email appeared in a breach from 2014 or 2017, your first instinct was probably to move on. That was years ago. You changed your password. It does not matter anymore.
That assumption is wrong, and understanding why is one of the most useful things you can do for your security.
Passwords expire. Everything else does not.
When people hear “data breach,” they think passwords. And it is true that a password from a 2015 breach is unlikely to still work on most accounts — most people have changed them, and most services have forced resets since then.
But a breach rarely exposes only passwords. Most breaches also take your email address, username, name, phone number, date of birth, and sometimes your home address. None of those change when you update a password. Your date of birth from a 2014 breach is still your date of birth today. Your home address from a 2018 breach is probably still accurate. Your email address has not changed.
That data is still in circulation. It is still being bought, sold, and used.
Old data gets more dangerous over time, not less.
Each new breach adds another layer to what attackers know about you. A breach from 2015 gave them your email and username. A breach from 2019 added your phone number. A breach from 2022 added your home address. Individually, each piece is limited. Combined across multiple breaches, the picture becomes detailed enough to impersonate you, pass identity verification, and open accounts in your name.
This compounding effect is why identity theft does not always happen immediately after a breach. Attackers build profiles over time, waiting until they have enough data to act or until a more valuable opportunity appears.
Breach databases are actively maintained and resold.
Data from old breaches does not sit in one place and decay. It gets compiled into larger databases, traded on forums, and resold repeatedly. A breach from 2016 may have been combined with a breach from 2020 and packaged as a single searchable dataset. Attackers purchasing this data today have no idea or interest in when the individual records came from — they only care whether the information is accurate and useful.
Why changing your password is not enough.
Changing your password after a breach is the right move, but it addresses only the password threat. It does nothing to remove your email address, phone number, name, or date of birth from the databases that already have them. It does not prevent those data types from being used in phishing attacks, SIM swapping attempts, or identity fraud.
The more useful response to an old breach is to know exactly what was taken and whether the non-password data — the permanent data — has been combined with information from more recent breaches. That is the actual ongoing risk.
What to do about it.
The first step is a breach scan. Find out which breach databases contain your email and what specific data types were exposed in each one. Pay attention not just to whether your password was taken, but to whether your phone number, physical address, or date of birth was included. Those are the data types that create lasting exposure regardless of how long ago the breach occurred.
If your phone number has been in multiple breaches, consider whether your accounts rely on SMS two-factor authentication and whether stronger alternatives are available. If your home address appears in breach databases, be aware of the mail fraud and physical fraud risks that creates.
Knowing what is out there is the starting point for knowing what to protect.
See exactly what data of yours is in breach databases
Free scan covering 1,000+ known breaches. Takes 10 seconds, no account required.
Check My Email Now →