Most people treat their email address like a business card. You give it out freely, post it on LinkedIn, use it to sign up for everything from gym memberships to flight alerts. It’s just an email address, right? What could someone really do with it?
The answer is unsettling. As Mika Aalto, CEO of cybersecurity firm Hoxhunt, put it bluntly: “Every breach begins with a malicious email.” Your email address is not just a communication tool — it’s a gateway to your identity, your accounts, and your financial life.
Here’s exactly what criminals do with it.
1. Target You With Highly Personalised Phishing
This is the most immediate risk, and it’s gotten dramatically more dangerous in 2026. Once a criminal has your email address, they search for everything associated with it — your name, where you work, what services you use, what you’ve bought online. Armed with that, they can craft a phishing email that isn’t generic spam but a targeted message that references your bank, your employer, or a recent purchase.
AI tools now generate these messages fluently and at scale. The FBI received over 190,000 phishing complaints in 2024. Phishing attacks now account for 94% of all cyberattacks, and the messages arriving in inboxes in 2026 are dramatically harder to distinguish from legitimate communications than they were even two years ago.
2. Reset Passwords and Take Over Your Accounts
This is the one most people don’t think about. Password reset links go to your email. If a criminal can get into your inbox — through a phished password, a data breach, or a compromised device — they don’t need to know your banking password, your Amazon password, or your work login. They just click “forgot my password” and the reset link arrives directly in the account they already control.
Over two-thirds of people reuse passwords across multiple accounts. If a hacker finds your email and password combination in a breached database — and there are billions of these records floating around — they test it across every major platform automatically. One successful match can cascade across your entire digital life.
3. Steal Your Identity
Your email inbox is an archive of your life. Bank statements, tax forms, insurance documents, delivery notifications with your home address, receipts showing what you own — it’s all in there. A criminal who gains access to your inbox can gather enough personally identifiable information to apply for credit cards, file fraudulent tax returns, or open accounts in your name.
Even without password access, knowing your email address is enough to start building a profile. Reverse email search tools are freely available online. They can surface your full name, employer, location, phone number, and linked social media accounts from nothing more than your address.
4. Spoof Your Email and Deceive Your Contacts
Email spoofing involves sending messages that appear to come from your address. The technique doesn’t require your password — it exploits gaps in how email authentication works to make forged messages look legitimate.
Your contacts receive what looks like an email from you — asking for money, requesting sensitive information, or delivering a malicious link. Because it appears to come from a trusted person, it bypasses both spam filters and human scepticism far more effectively than a cold approach. This is how business email compromise attacks — which cost companies $2.9 billion in 2023 according to FBI data — typically work.
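For readers who want to see what those authentication gaps look like in a message's headers, here is an added example (not from the original article) that flags common signs of a forged sender. It goes a little beyond the text by naming the three standard checks, SPF, DKIM and DMARC, whose results a receiving mail server records in the Authentication-Results header. The two sample messages and their example.* domains are constructed for illustration.

```python
# Added example: flag forged-sender indicators in raw message headers.
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lowercased domain part of an address header, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Return reasons to distrust the visible From address (empty list = none)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    # msg.get() returns the topmost header, the one your own mail server adds.
    # Copies further down may have been written by the sender and prove nothing.
    header = msg.get("Authentication-Results", "")
    verdicts = {m.group(1).lower(): m.group(2).lower()
                for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}
    found = [f"{mech}={verdicts.get(mech, 'missing')}"
             for mech in ("spf", "dkim", "dmarc") if verdicts.get(mech) != "pass"]
    # A mismatch is an indicator, not proof: mailing lists and bulk senders
    # legitimately use a different bounce domain.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(name))
        if dom and dom != from_dom:
            found.append(f"{name.lower()} domain {dom} != from domain {from_dom}")
    return found

# Constructed sample: visible sender is alex@example.com, sent from elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Alex Friend" <alex@example.com>
Reply-To: alex.friend@example.net
Subject: Quick favour

Are you free? I need help with a payment.
"""

# Constructed sample: the same sender, passing all three checks.
GENUINE = """\
Return-Path: <alex@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Alex Friend" <alex@example.com>
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, spoof_indicators(raw))
```

In the first sample SPF passes, but only for the attacker's own bounce domain; the DMARC failure and the domain mismatches are what expose the forged From line.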
5. Sell Your Data on the Dark Web
Email addresses with associated personal information are a commodity on dark web marketplaces. Prices vary based on what else is bundled with them — a basic email and name combination might sell for $1 to $10, while a package including banking credentials or medical records commands far more.
Once your data is on these markets, it doesn’t disappear. It gets purchased, re-sold, and used in waves of attacks for years. The 2013–2016 Yahoo breach that exposed 3 billion accounts was still being exploited by criminals nearly a decade later. Data doesn’t expire.
6. Use You as a Launchpad to Attack Others
If criminals gain access to your inbox, your contacts become their next targets. They can read your previous conversations — understanding your relationships, your tone, your ongoing projects — and use that context to craft highly convincing requests to people who trust you.
This is particularly devastating in professional contexts. A hacked corporate email account can be used to redirect payments, request wire transfers, or deliver malware to colleagues who have no reason to be suspicious of an email from someone they know.
What You Should Do Right Now
Visit haveibeenpwned.com and enter your email address. It’s free, it’s run by a respected security researcher, and it shows you every known data breach your email has appeared in. If you find your address in multiple breaches — which most people do — your passwords from that era are almost certainly circulating on dark web markets.
Change passwords on any account where you reused the same combination. Enable multi-factor authentication on your email first, then your bank and social media. Consider using email aliases — separate addresses for different purposes — so that if one is compromised, it doesn’t expose everything else.
Your email address is the master key to your digital life. Treat it like one.
