What Happens to Stolen Credit Card Numbers?

Card information obtained from a data breach can be sold and resold multiple times before someone tries to use it.

Anisha SekarAugust 18, 2020
On a similar note...
On a similar note...

Many or all of the products featured here are from our partners who compensate us. This may influence which products we write about and where and how the product appears on a page. However, this does not influence our evaluations. Our opinions are our own.

News stories about credit card data breaches have struck fear in the hearts of millions of shoppers. Over the past couple of decades, hackers have invaded the computer systems of major retailers and made off with tens of millions of payment card numbers.

You may be familiar with the scramble to check your credit card accounts and credit reports for suspicious activity in the wake of such incidents. But many people aren't clear on what happens with the credit card numbers stolen in a data breach.

When your physical credit card is stolen, the thief will usually just try to use it. When hackers steal information on 20 million cards, it’s a different story.

Buying in bulk

A stolen credit card number isn’t worth much on its own. The credit bureau Experian reported in 2017 that a credit card number could fetch maybe $5 if it came with the CVV number (the security code printed on the card). And tech website GigaOm has reported that a batch of a thousand numbers might sell for just $6.

That sounds low, especially considering the amount of hassle that goes into canceling your card and getting a new one. But you can’t do too much with a credit card number unless you also have the associated name and address of the cardholder. Even with that information, thieves may not get much. A package containing one person’s credit card number, address, date of birth, and Social Security number can sell for up to $30, Experian said.

So to make the effort worthwhile, information merchants buy and sell in bulk. They collect thousands or millions of numbers and head to the black market. At some websites, they can buy and sell the data using untraceable virtual currencies like Bitcoin. At these exchanges, the people who are good at stealing numbers hand them off to people who know what to do with them.

5 biggest retailer data breaches

The Identity Theft Resource Center has recorded more than 10,000 data breaches since 2005. These are the data breaches from retailers that the organization says had the biggest impact on consumers:

Retailer

Year

Details

Target

2013

Malware planted in the company's computer system during the holiday shopping season allowed hackers to steal the card information of 40 million people and personal information about 70 million people.

TJX Companies

2007

Hackers gained access to systems that stored purchase information at TJX, whose brands include T.J. Maxx, Marshalls and HomeGoods. Payment card information and other data about 94 million customers was compromised.

Home Depot

2014

Card information for 40 million customers and the emails of 54 million customers were stolen from the retailer's payment processing system.

Hudson Bay

2018

The parent company of Saks Fifth Avenue and Lord & Taylor reported a breach affecting the payment card information of about 5 million people who had shopped at brick-and-mortar stores in New York and New Jersey.

Hannaford Bros.

2008

Malware planted in the payment systems of this supermarket operator gave hackers access to the card information of 4 million customers.

Spending like there’s no tomorrow

A credit card number can be sold and resold multiple times before someone actually tries to use it. Once the final buyer has the information in hand, he or she will use it to try to make purchases while evading your (or your bank’s) notice. Sometimes, criminals will print up plastic cards with the new number and use them at physical stores, but it's more likely they’ll make purchases online. It’s a race to charge as much to the card as possible before the bank freezes the account.

EMV chips don't solve the problem. EMV technology is great for preventing fraud using a physical credit card, but it doesn't prevent the online transactions that cybercriminals thrive on. That's why having the CVV is important — it makes the card easier to use online.

What determines the value of a card number?

The value of a stolen credit card number depends on many variables. If the number is packaged along with other identifying information that facilitates identity theft, like the victim’s name, address, Social Security number or mother’s maiden name, it’s worth much more.

High-limit premium credit card numbers are worth more, as are European numbers and numbers that are more recently stolen (and thus more likely to be valid). And if the thief can provide purchasing information that will help evade detection, he or she can charge extra. For example, if you make frequent trips to Las Vegas or shop regularly at Macy's, your card information could be used in those places to avoid triggering fraud-detection systems.

How can I protect myself?

Don't rely only on your bank to protect you from identity theft. Learn what you can do to prevent identity theft from occurring or to limit the damage from it. Keep an eye on your credit card statements for suspicious transactions and your credit report for accounts you don't recognize. Consider freezing your credit to prevent new accounts from being opened. And know your rights about your maximum liability in the cause of fraud.

We want to hear from you and encourage a lively discussion among our users. Please help us keep our site clean and safe by following our posting guidelines, and avoid disclosing personal or sensitive information such as bank account or phone numbers. Any comments posted under NerdWallet’s official account are not reviewed or endorsed by representatives of financial institutions affiliated with the reviewed products, unless explicitly stated otherwise.