White Rock Advisory

After a data breach: How quickly will hackers strike?

Criminals can weaponise stolen data within minutes. Here is what organisations should expect after a breach and how to reduce the risk.

When a data breach hits the headlines, many organisations assume they have days or weeks to prepare.

In reality, criminals can weaponise stolen data within minutes, targeting staff, customers and supply chains before the first internal email has even been sent.

Understanding this timeline, and putting early warning systems in place, can dramatically reduce exposure.

What happens after a breach?

Research from CrowdStrike and Mandiant shows just how quickly attackers act.

Minutes to hours

As soon as data is stolen, attackers begin testing usernames and passwords in automated credential stuffing attacks.

If they still have access to systems, they may escalate privileges and move around inside the network. CrowdStrike has reported average breakout times measured in minutes, showing how quickly a single compromised machine can become a wider network compromise.
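
The credential stuffing pattern described above, one source trying many accounts in a short window, is visible in authentication logs. The sketch below is an added example and not part of the original article; the log format, thresholds and function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob FAIL
2024-05-01T09:00:03Z 203.0.113.7 carol FAIL
2024-05-01T09:00:04Z 203.0.113.7 dave FAIL
2024-05-01T09:00:05Z 203.0.113.7 erin OK
2024-05-01T09:00:06Z 203.0.113.7 frank FAIL
2024-05-01T09:03:10Z 198.51.100.20 alice FAIL
2024-05-01T09:03:25Z 198.51.100.20 alice FAIL
2024-05-01T09:03:40Z 198.51.100.20 alice OK
"""

def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: details} for sources that fail logins for at least
    min_users distinct accounts inside one sliding window."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_ip[ip].append((when, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            failed = {u for _, u, r in events[start:end + 1] if r == "FAIL"}
            peak = max(peak, len(failed))
        if peak >= min_users:
            # Accounts that authenticated from a flagged source hold
            # working leaked credentials: reset those first.
            alerts[ip] = {
                "distinct_failed_users": peak,
                "reset_first": sorted({u for _, u, r in events if r == "OK"}),
            }
    return alerts

if __name__ == "__main__":
    for ip, detail in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, detail)
```

A single user mistyping their own password (the second source in the sample) stays below the threshold because only one distinct account is involved.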

Hours to days

Within a day or two, targeted phishing emails may be aimed at staff, customers or suppliers.

These messages are often personalised using leaked names, job titles and contact details. Attackers may create cloned login pages, fake Microsoft 365 portals or lookalike websites to harvest credentials.

Days to weeks

As the data spreads, criminals may sell it on dark web forums, launch wider phishing campaigns or attempt fraud using stolen information.

This can include identity theft, payroll redirection and invoice fraud.

Even if the original breach has been contained, this secondary wave can continue for weeks.

Weeks to months

Longer-term impersonation attacks may follow, including cloned websites, fake social media accounts and phishing campaigns using your brand identity.

Stolen credentials may also be reused across other services, putting staff and customers at risk long after the breach is considered closed.

How to stay one step ahead

You cannot stop criminals stealing data from elsewhere, but you can reduce the chance of that data being used successfully against your workforce, customers or suppliers.

Strengthen authentication and containment

  • Enforce two-step verification on all critical accounts.
  • Reset credentials quickly if a breach affects staff or suppliers.
  • Block known breached passwords using appropriate tools or identity provider controls.
  • Regularly review access permissions to limit lateral movement.

Monitor for brand cloning and impersonation

  • Use brand monitoring tools to scan for fake domains, social accounts and copied branding.
  • Set up domain monitoring and typosquatting alerts.
  • Implement DMARC, SPF and DKIM to reduce email spoofing.
  • Consider registering defensive domains for common misspellings or variations.
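
Domain monitoring and typosquatting alerts come down to comparing newly observed domains against your own brand label. The sketch below is an added example and not part of the original article; the brand "northbank", the owned-domain list, the folding table and the feed are all constructed, and the second-level label is taken naively on the assumption of a single-label TLD.

```python
BRAND = "northbank"                      # hypothetical brand label
OWNED = {"northbank.example"}            # domains you have registered yourself
# Constructed folding table for characters that read as other letters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Constructed feed of newly observed domains.
FEED = ["northbank.example", "n0rthbank.test", "north-bank.test", "northbnak.test",
        "northbank-login.test", "northbank.test", "southbank.test"]

def skeleton(label):
    """Fold look-alike characters and hyphens so visual variants compare equal."""
    label = label.lower().replace("-", "")
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain):
    """Return the lookalike category for a domain, or None if it is not one."""
    domain = domain.lower()
    if domain in OWNED:
        return None
    # Assumes a single-label TLD; use the Public Suffix List in production.
    label = domain.split(".")[-2]
    folded, target = skeleton(label), skeleton(BRAND)
    if label == BRAND:
        return "tld-variant"        # same name under a TLD you do not own
    if folded == target:
        return "visual"             # digit or hyphen substitution
    if target in folded:
        return "brand-keyword"      # brand plus "login", "secure" and similar
    return "typo" if osa_distance(folded, target) <= 1 else None

def scan(feed):
    return {d: c for d in feed if (c := classify(d)) is not None}

if __name__ == "__main__":
    for domain, category in scan(FEED).items():
        print(f"{category:14} {domain}")
```

The "tld-variant" and "typo" hits are also the natural shortlist for defensive registrations.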

Educate and alert your workforce

  • Make sure staff know what to do if they receive a suspicious email.
  • Provide regular cyber awareness and refresher training.
  • Warn staff quickly if a supplier or partner has suffered a breach.
  • Create a simple internal reporting route, such as a report phishing button or dedicated inbox.

Responding with the right messaging

Once a breach happens, time is not the only critical factor.

What you say, and how quickly you say it, can make the difference between containing the fallout and fuelling confusion.

Attackers may launch phishing and impersonation campaigns within 24 to 72 hours, so staff, customers and suppliers need clear guidance quickly.

Internal staff messaging

The aim is to reduce phishing risk, credential theft and confusion.

Your message should:

  • Confirm what is known without speculation.
  • Warn about possible phishing or impersonation attempts.
  • Remind staff not to approve unexpected MFA prompts.
  • Give a clear reporting route.
  • Explain where updates will come from.

Example:

We have been made aware of a security event affecting our organisation. While the investigation continues, there is a heightened risk of phishing and impersonation attempts targeting staff.

Be alert for unexpected emails, login prompts or password reset requests. Do not enter credentials or approve MFA prompts unless you initiated them.

If you receive anything suspicious, use the agreed reporting route immediately.

Customer messaging

The aim is to preserve trust and reduce the risk of fraud using your brand.

Your message should:

  • Acknowledge the incident and investigation.
  • Warn about possible phishing or fake websites.
  • Explain what you will never ask customers to do.
  • Provide a way to verify genuine communications.
  • Give contact details for support and reporting.

Example:

We are aware of a security event currently under investigation. While we continue to assess any potential impact, we want customers to be aware of the increased risk of phishing emails or fraudulent websites impersonating our brand.

We will never ask you to provide passwords or payment details by email or text.

If you receive a suspicious message, do not click links or provide personal information. Contact us directly using our official channels.

Supplier and partner messaging

The aim is to prevent supply chain compromise and impersonation.

Your message should:

  • Notify partners quickly.
  • Warn that attackers may impersonate staff or systems.
  • Ask them to verify unusual requests, especially involving payments or data.
  • Provide a clear contact route for verification and reporting.

Example:

We are investigating a security event involving our organisation.

There is a possibility that attackers may attempt to impersonate our staff or systems in emails or calls. Please take extra care verifying any unusual requests, especially those involving payments or data sharing.

If you receive unexpected communications appearing to be from us, please verify them through your usual trusted contact route before taking action.

Final thought

The hours and days immediately after a breach are critical.

Attackers exploit stolen data quickly, often before an organisation has confirmed the full details.

By preparing messages in advance, monitoring for impersonation and training staff to respond quickly, organisations can turn a potential crisis into a more manageable risk.
