Why do Hackers Steal? 5 Motives Behind Data Breaches

Gad Rosenthal, Product Management at Eureka Security
Gad Rosenthal, Product Management at Eureka Security

According to 451 Research, 45% of businesses have experienced a cloud-based data breach over the past year. From hacktivism to monetization and fraudulent activities, one thing is clear: customer data is valuable and hackers want it. Knowledge is power and data is a commodity. So, what are the primary drivers behind data breaches? In this article, we break down the top five motives for hackers to steal data and what your company can do today to reduce your attack surface.

Vigilantism & Hacktivism

Some bad actors use hacking as a form of protest, retrieving sensitive information for political or social purposes as vigilantes. These specific types of hackers are intent on maximizing their crusade's media exposure and drawing attention to organizations they believe cause harm. Common motivations include revenge, political or social incentives, ideology, protest, a desire to embarrass certain organizations or individuals within those organizations, company rivalry, or vandalism.

Hackers often blend existing physical devastation with escalating digital warfare. This is best illustrated by the Russia-Ukraine conflict. Last February, Russian vigilante hackers escalated tensions between the countries by targeting critical infrastructure and bringing chaos to Ukraine's government ministries and bank websites. The latter was achieved by denying access to their services and releasing highly sensitive data stolen from them to cause psychological harm and diminish confidence in Ukraine's institutions.

Anonymous, is another well-known, decentralized hacktivist group. They recently retaliated on Ukraine’s behalf after officially joining the cyber war against the Russian government.” GNG, a group affiliated with Anonymous, gained access to the Sberbank database and leaked hundreds of data files, including names, addresses, and bank details,to attack Russia's biggest lender and wreak their own brand of havoc on the Russian psyche.

Monetary Gain & Reputation

Motivated by creating a profit or gaining a reputation, these types of hackers are interested in their own personal cause. Many are looking to show off their advanced technical knowledge and ability to navigate the security landscape by exfiltrating valuable data. They go out of their way to find vulnerabilities and misconfigurations, whether premeditated or as a “drive-by”, which they then exploit for financial gain or fame. There are four common motivations/methodologies for this type of hacker.

Monetization Support System to Liquefy Stolen Assets into Money

Hackers use various support systems to convert assets into money. These systems often involve a network of intermediaries who help the hackers launder the stolen assets and make them untraceable. For example, hackers may use online marketplaces or forums to sell stolen data or credentials to other criminals who are willing to pay for them.

Recently, Privacy Affairs released research outlining the average price of various PII from the Dark Web marketplace. For example, PII like a stolen credit card with an account balance of up to 5,000 costs a mere $120. These buyers can then use the stolen assets for a variety of illegal activities, such as fraud or identity theft. The intermediaries who facilitate the transactions may also take a cut of the profits or charge a fee for their services. 

In March, hackers stole funds from players of the online game “Axie Infinity”. They targeted the Ronin Network, a software bridge developed by Sky Mavis that allows “Axie Infinity'' players to transfer assets earned in the game. Successfully stealing assets, blockchain analysts and amateur digital sleuths watched as the hackers moved through crypto exchanges blending different cryptocurrencies to help obscure the theft. As a result, the game maker company had to raise $150 million from its investors to reimburse the victims.

Direct Fraudulent Activities

This type of hacker seeks to steal an individual's identity, online account, or financial benefits through unauthorized access. They use various techniques to obtain sensitive information such as US driver’s licenses, SSNs, login credentials, or financial account details. They may then use this information to gain access to the victim's accounts and make unauthorized purchases or transfers. This type of hacking causes significant financial damage to the victim, who may be held responsible for the unauthorized transactions. Therefore, it is important for businesses to protect the sensitive data of their customers from this type of hacking activity.

Last December, four bad actors were arrested on suspicion of hacking into US company networks to steal employee data for identity theft and the filing of fraudulent US tax returns. They were alleged to have breached several servers and stolen the PII of residents. To gain access, the Department of Justice says the suspects’ purchased stolen credentials from cybercrime marketplaces like the ones discussed above.

Advanced Attack

Many times the first step in an advanced attack is the initial data breach where hackers gain access via stolen credentials (identity theft).  In other cases, the data breach may indicate an easy entry point, like a publicly exposed unpatched resource that gives excessive permissions to gain control via the data store. It may also indicate an existing bad actor already inside the company boundaries who is exfiltrating data. This can happen through a variety of means, such as exploiting a cloud vulnerability to publicly exposed assets or tricking a user into giving away their credentials. Once the attacker has gained access to the system, they can begin to explore the network and look for sensitive information to steal or manipulate. 

The average time to detect an advanced attack is 280 days. Making an advanced attack extremely harmful for several reasons. First and foremost, it can result in the theft or loss of sensitive information leading to significant financial losses, damage to a company's reputation, and loss of trust from customers and stakeholders. It can also disrupt critical business operations, as the attacker may delete or alter important data, or even hold the data for ransom. Businesses can face several serious compliance and legal issues, including large government fines, litigation and eDiscovery costs, legal fees, costs of notification, shareholder equity issues, and–in extreme circumstances–jail time, as some of the consequences of not protecting PII adequately. 

Recently, LastPass disclosed its second security breach, with the bad actor gaining access to customer data stored on a third-party cloud service. According to CEO Karim Toubba, attackers used information stolen from the previous breach to gain access to the cloud space that the company shared with its affiliate GoTo. In a more comprehensive attack, the company’s development environment was compromised for four days using a developer account. The hacker gained access to source code and some proprietary technical information and used the information obtained in the previous incident to facilitate the second data breach.

Reputation Building

Attackers often build their reputation by publicly claiming responsibility for high-profile cyber attacks and by releasing or publishing the data that they have exfiltrated from their targets. This can be done through various channels, such as social media, forums, the darknet, and other online platforms. By claiming responsibility for a successful attack and releasing the stolen data, attackers can establish themselves as a credible threat and gain a reputation as skilled hackers. This can be a valuable asset for attackers, as it can help them attract potential clients or affiliates, and can also make them a target for law enforcement or other cybersecurity organizations.

For example, in October, a credit card marketplace on the dark web where users trade stolen credit card details released the details of 1.2 million credit cards for free. The organization, BidenCash, leaked the details of thousands of credit cards as a way to promote the site and attract potential customers.

Cyber Insurance Fraud

Cyber insurance policies are designed to cover the costs of security incidents and breaches. Motivated by the prospect of financial gain, a dishonest insider and a bad actor may team up to create a real data breach that cannot be traced back to the insider. This data breach triggers the insurance company to pay out the policy with the insider and bad actor profiting. The scenario is similar to a restaurant owner who burns down their own establishment to collect insurance money. The end result is the same: the insider’s insurance company is defrauded, and the insider and the hacker potentially profit from the scheme.

In its 2023 US cyber market outlook, Risk Placement Services (RPS) says cyber insurance fraud, like social engineering attacks, has outpaced ransomware in 2022. RPS’ data found that fraudulent payments and social engineering fraud among small to medium-sized enterprises made up more than 50% of claims between January and August.

Concealed Intent

The bad actor uses the data compromise to conceal its real intent. This means that the attackers may have motivations beyond what is immediately apparent. For example, an attacker may target a company with a data exfiltration or ransomware campaign that appears to be aimed at stealing sensitive data, but their true intention may be to gather intelligence for a competitor. Concealed intent can make it difficult for companies to defend themselves, as they may not be aware of the full extent of the threat they are facing.

One way in which an attacker might try to hide their true intentions is by creating a distraction, similar to setting off a fire alarm or triggering a fire sprinkler system. This can cause confusion and chaos, diverting the attention of the security team away from an APT attack. While the security team is busy dealing with the fire, the attacker can continue to operate undetected.


A hacker may target the wrong company if they are not careful. This can happen if the bad actor is using outdated or incorrect information, or if they are not thoroughly verifying the identity of their intended target.

MSSPs, which provide security services like monitoring and analysis, are common targets for hackers. A hacker may target one tenant but mistakenly gain access to another due to utilizing the wrong tenant ID, having phished access to the wrong operator (who has access to tenant B and not A), or a mix between credentials.

A data breach can also occur through the use of dangling DNS records. This happens when a DNS record for a domain is no longer associated with the correct IP address, and instead points to a server controlled by the attacker aimed for company A via the DNS A.com but instead, A.com is now pointing to another entity like B.com (while still registered to A). In this case, the attacker will actually breach B.com

There are no known public examples as hackers may not admit to spending time and resources looking for something else, but they will take any opportunity to obtain data, even if it was not their original target.

Steps to Improve Your Data Security Posture Today

At the end of the day, a data breach hurts companies no matter what the motivation behind them may be. Best practices can help by enabling you to achieve the following:

Identify Publicly Accessible Data Stores

Start by scanning your cloud account for open database instances or object storage. In other words, eliminate low-hanging fruit. There are many ways to scan your cloud account for open databases. Here are a few examples to help you, depending on your tech stack.

Cross clouds scanners, such a s Shodan and GrayHatWarfare, are recommended to find exposed resources, such as exposed Object Storages or as demonstrated in this article list of easy to use Shodan queries to identify exposed DBs, including: 

  • "MongoDB Server Information" port:27017 -authentication
  • "Set-Cookie: mongo-express=" "200 OK"
  • mysql port:"3306"
  • port:"9200" all:"elastic indices"
  • port:5432 PostgreSQL

There are useful techniques for identifying publicly accessible AWS resources, such as RDS which can be found in the following link by TrendMicro.

Take Inventory and Assign Owners

Next, you’ll want to manage your inventory and maintain a list of all the resources you own. Once inventoried, you’ll want to ask the data store owner (once you find out who that is) for justification as to why the DBs and object storage are configured as they are, answering, “Who has permission to access each sensitive data store?” and “Why is this type of data being stored/kept?”. Next, you’ll want to continuously monitor your data to ensure your organization is at Least Privilege, monitoring your complete list of resources and their owners.

Implement Quarterly Access Reviews

This should be a best practice. Start by asking each data store owner to share accountability and ack/nack the access list and permission levels, then create a process to repeat every 90 days. If not reviewed periodically, data access rights and the users who have access permissions could fall out of policy and potentially be misused by bad actors. A thorough policy can help save an organization time and money while mitigating risks and protecting sensitive information.

Define Lifecycle Policies

Once you’ve implemented the quarterly audit and classified the data, your company will want to define business lifecycle policies for data retention and flag any records, files, or objects that precede those policies. With established lifecycle policies, you can ensure they comply with regulatory requirements mandating the retention of various types of data or reduce your data footprint by removing data that you no longer need to retain.

Categorize Data

Create and implement an advanced mode of data categorization, which is the classification of sensitive data (e.g. PII, PCI, PHI). By doing so, you can expedite the triage phase should your company suspect a potential data breach, allowing you to have, at hand, a risk definition, mitigation plan, and assumed business impact.


As John Chambers famously said, “There are only two types of organizations: those that have been hacked and those that don’t know it yet.” You can’t see the future and know if and when your business will be breached (or by who), but you can take steps to improve your data security posture to help. 

Knowing where your company stands when it comes to security risk is the first step toward creating a strong security posture. With DSPM practices, you can easily identify potential risks and reduce your attack surface. 

EDITOR'S NOTE: By using the power of storytelling, we hope to shed light on this important issue in a way that's engaging and thought-provoking. We invite you to check out the comic strip, From Zero to Anti-Hero, and reflect on the different hacker motivations.

Eureka Security- Cloud data security- Crown logo

Subscribe for updates

For our latest feature releases and updates
Thank you for signing up!
Oops! Something went wrong while submitting the form.
Eureka security Solution brief

Download Eureka solution brief

Learn more about how Eureka can help you
Get it now

Drive secure & compliant data growth

Get a Free Risk Assesment