Where do spam callers get my data? The truth behind massive data theft

Dec 15, 2025

Where do spammers get my data from?

If you’re one of those people receiving calls from unknown numbers offering products you don’t want, dozens of spam emails daily, or promotional text messages you never signed up for, you’ve probably asked yourself more than once: where the hell did they get my data from?

This is one of the most common questions people ask, and the answer is, I’m afraid, more concerning than you might imagine. It’s not just about annoying messages in your inbox—it’s a structural problem affecting your privacy, digital identity, and even your security. Personal data is the oil of the 21st century, and there’s an entire underground industry dedicated to extracting, trading, and exploiting it without your consent.

In this article, we’ll explore the main sources from which your personal data originates when it falls into the hands of spammers and cybercriminals. We’ll see why negligent management of this information represents an enormous risk not only for individuals but for society as a whole. And most importantly: I’ll give you practical recommendations to minimize your exposure and protect yourself, along with a critical reflection on the responsibility of our public institutions in this mess.

The multi-million dollar business behind your data

Before diving into specific sources, it’s important to understand the magnitude of the problem. Your personal data has real commercial value in both legal and clandestine markets. Your email, phone number, address, date of birth, consumer preferences, medical history, or financial information are constantly bought and sold in databases that change hands between companies, intermediaries, and eventually, cybercriminals.

What started as “legitimate” direct marketing has evolved into a complex ecosystem where the boundaries between legal and illegal are increasingly blurred. And in the middle of all this, there’s you: the product, not the customer.

The main sources of your personal data

1. Stolen databases: the primary source

If there’s a short answer to the title question, it’s this: stolen or leaked databases. This is, by far, the most common and dangerous source of personal information for spammers and cybercriminals.

Every year, thousands of security breaches occur in companies, organizations, and digital platforms. Some are public and make headlines, but most go unnoticed. When attackers compromise a company’s systems, they’re not usually looking for money directly (though sometimes they are), but for something much more valuable in the long term: complete databases with information on millions of users.

These databases can contain:

  • Full names and email addresses
  • Phone numbers and physical addresses
  • Dates of birth and identification numbers
  • Passwords (sometimes encrypted, sometimes in plain text)
  • Financial and credit card information
  • Purchase history and preferences
  • Medical or legal data in more serious cases

Once stolen, these databases are sold on clandestine forums on the dark web or openly shared in cybercriminal communities. Prices vary depending on data quality and freshness: from a few dollars for thousands of generic records to many thousands of dollars for highly specific and verified information.

Notable examples of massive breaches:

  • Facebook (2021): More than 533 million users from 106 countries had their data exposed, including phone numbers, full names, locations, dates of birth, and email addresses.
  • Yahoo (2013-2014): All three billion Yahoo accounts were compromised, one of the largest breaches in history.

These aren’t exceptions—they’re the norm. Sites like Have I Been Pwned allow you to check if your email or phone appears in any of the over 600 publicly documented breaches, but there are thousands more that go unreported.

2. Public administration leaks: the problem nobody wants to admit

This is where things get especially concerning, and it’s rarely discussed with the seriousness it deserves. Governments and public administrations handle massive amounts of sensitive citizen data: from electoral rolls to medical records, tax returns, property registers, court files, and more.

The problem is that many public administrations have cybersecurity systems decades behind the private sector. Limited budgets, obsolete infrastructure, lack of qualified personnel, and an organizational culture that doesn’t prioritize digital security create the perfect breeding ground for massive leaks.

Real cases of government data breaches in Spain

Trusting your data to public administration doesn’t guarantee its safety. In fact, in many cases, administrations are the weakest link in the chain, as they’re a very attractive target for cybercriminals given the sensitivity of the data they handle. And here’s the most frustrating paradox: these same institutions legally force you to provide your data for procedures, services, and tax obligations, but then don’t allocate sufficient resources to protect it adequately.

3. Web scraping and automated collection

Not all personal data comes from spectacular thefts. A significant amount is obtained simply by collecting information you yourself make public on the internet, but in a massive and automated way through web scraping techniques. Generally, you won’t have published your phone number online, but the data you have published allows a more complete profile of you to be built and used later to target you.

Web scraping involves using bots and automated scripts to extract information from websites, social media profiles, professional directories, forums, and any platform where you publish data about yourself. Although much of this information is technically public, most users aren’t aware of how easily it can be collected, cross-referenced, and used against us.

Common scraping sources:

  • Social media: Facebook, LinkedIn, Instagram, and Twitter profiles are gold mines of personal information. Your name, photo, city, workplace, family members, interests, and hobbies are all there, ready to be collected.
  • Professional directories: LinkedIn is especially vulnerable. Even if you have your profile set to private, certain basic information is usually accessible, and services exist that collect this data en masse.
  • Yellow pages and online directories: Services listing businesses, independent professionals, or even residential phone numbers are constantly scraped.
  • Forms and public comments: Every time you leave a comment on a blog, forum, or review site using your real name and email, that information becomes exposed.

Once collected, this data is collated and consolidated into databases that are sold to marketing companies and data brokers, and eventually ends up in spammers’ hands.

4. Data brokers

There’s an entire legal (or at least legally gray) industry of data brokers that collect, aggregate, and sell personal information. These companies obtain data from public sources, surveys, online forms, loyalty programs, apps, etc., and share or sell it to third parties.

When you sign up for a “free” app, accept a coupon site, participate in an online survey, or download a flashlight app for your phone that requests excessive permissions, you’re very likely feeding this industry.

The terms and conditions that nobody reads usually include clauses allowing these companies to share your information with “business partners”—a euphemism for saying they’ll sell your data to the highest bidder. Although you’ve technically “consented,” the reality is that most users aren’t aware of the magnitude of what we’re giving away.

5. Leaks due to negligence and poor practices

Not all data exposures result from sophisticated attacks. A surprising amount of personal information leaks simply through negligence, incompetence, or poor security practices:

  • Unprotected databases: Companies leaving MongoDB or Elasticsearch servers, or Amazon S3 buckets, completely open without authentication. Security researchers regularly find databases with millions of publicly accessible records on the internet.
  • Mass emails with visible recipients: When a company sends a promotional email putting all recipients in the “To” or “CC” field instead of “BCC,” it’s exposing the complete email list to all recipients.
  • Lost or mismanaged documents: Lost storage devices, physical documents disposed of without destruction, or files accidentally shared with public permissions.
  • Disgruntled employees: Workers with database access who, upon leaving the company, take copies of sensitive information to sell or use in future businesses.

6. Online shopping and insecure digital services

Every time you make an online purchase, sign up for a digital service, or download an app, you’re trusting your data to a company whose security practices you probably know nothing about.

Many small online stores and startups don’t have the resources or experience to implement robust security measures. They use insecure payment systems, store passwords without encryption, or don’t update their platforms, leaving them vulnerable to known attacks.

Free mobile apps are especially problematic. Many collect excessive information (contacts, location, call history, photos) that they don’t need to function, and then sell or leak that information.

7. Social media and apps with excessive permissions

Social media platforms aren’t just vulnerable to scraping—they actively collect, analyze, and monetize your information. Every “like,” every search, every message, every location you share contributes to a detailed profile of you that’s sold to advertisers.

But the problem goes further. Many apps request permissions they don’t need. A recipe app doesn’t need access to your contacts, microphone, and GPS location, but many request it anyway. And if you accept, that information can end up in anyone’s hands.

Why this is a huge problem (beyond annoying spam)

Receiving unwanted communications is annoying, but the consequences of your personal data circulating freely go far beyond a full inbox.

Threats to your financial security

With enough personal information, cybercriminals can:

  • Steal your identity: Open bank accounts or apply for loans or credit cards in your name
  • Access your accounts: Use breach information to reset passwords or answer security questions
  • Conduct targeted fraud: With your purchase history and preferences, they can create highly personalized and convincing phishing scams

Loss of privacy and profiling

It’s increasingly difficult to keep aspects of your life private when multiple leaked databases can be cross-referenced and correlated to build an extremely detailed profile of you:

  • Where you live and work
  • Your approximate income
  • Your family situation
  • Your health issues
  • Your political or religious beliefs
  • Your consumption habits

This information can be used to manipulate you, discriminate against you in job selection processes, increase prices based on your ability to pay, or even blackmail you.

Physical security

Leaked information can compromise your physical security. Knowing your address, routines, when you’re traveling (social media posts), or your economic situation can make you vulnerable to theft, harassment, or worse threats.

Erosion of digital trust

When you constantly experience negative consequences from sharing information online (spam, unwanted calls, scam attempts), trust in the digital ecosystem erodes, limiting your ability to take advantage of legitimate and useful services.

Practical recommendations to protect yourself

Now that you understand where your data comes from when it falls into the wrong hands, let’s talk about what you can do to minimize the damage.

1. The random information strategy

A fairly common recommendation that turns out to be surprisingly effective, though not foolproof, is: use fictitious information in non-critical contexts.

The idea is simple: not all internet services deserve your real data. If you’re signing up for a site you’ll only use once, a small online store of dubious reputation, or an app that asks for unnecessary information, consider providing false or partially false data:

  • Name: There’s nothing wrong with making up whatever name you like for services you’ll use for leisure—matching data later will be more complicated for criminals.
  • Disposable email: Use temporary email services for registrations that don’t require continuous verification
  • Email alias: Create secondary email addresses specific to online registrations, so you know exactly which service leaked your information when you start receiving spam
  • Secondary phone number: Consider using a second number (there are apps offering virtual numbers) for non-essential registrations
  • False date of birth: Unless it’s a legal or banking procedure, there’s no reason to give your real date of birth.
  • Partial address: In many cases, you can put your correct city and zip code but an invented street

Important warning: This strategy only works if you don’t already have all your real data scattered across the internet. If you’ve been using your real information on hundreds of services for years, the damage is done. But for new registrations, creating a layer of false information makes it harder for cybercriminals to identify which information is truly yours when cross-referencing databases.

It’s also essential to never use false information in legal, banking, medical, or government contexts where doing so could constitute fraud.
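One way to apply the email-alias tip above, shown as an added example that is not part of the original article: each service gets its own address with a keyed tag, so the address a spam message arrives at identifies the service it was issued to, and a made-up alias cannot point you at the wrong service. It assumes your mail provider supports plus addressing (user+tag@domain); the mailbox, domain, secret and service names are constructed sample values.

```python
import hashlib
import hmac
from typing import List, Optional

# Assumptions (not from the article): plus addressing is available, and
# SECRET is a private value only you know. All values below are constructed.
SECRET = b"constructed-demo-secret"
MAILBOX = "alex"
DOMAIN = "example.com"
SERVICES = ["ShoeStore", "NewsSite", "RecipeApp"]  # where you registered


def _tag(service: str) -> str:
    """Short keyed tag: without SECRET nobody can forge a valid alias."""
    mac = hmac.new(SECRET, service.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def alias_for(service: str) -> str:
    """Return the unique address to hand to `service` at sign-up."""
    label = "".join(c for c in service.lower() if c.isalnum())
    return f"{MAILBOX}+{label}.{_tag(service)}@{DOMAIN}"


def leak_source(recipient: str, services: List[str]) -> Optional[str]:
    """Map the address a message was sent to back to the issuing service.

    Returns None when the alias was stripped (plain mailbox) or forged
    (tag does not verify), so those cases are never blamed on a service.
    """
    recipient = recipient.strip().lower()
    for service in services:
        expected = alias_for(service)
        if hmac.compare_digest(recipient.encode(), expected.encode()):
            return service
    return None


if __name__ == "__main__":
    for s in SERVICES:
        print(f"{s:10} -> {alias_for(s)}")
    # Constructed "To:" addresses taken from incoming spam
    spam_recipients = [
        alias_for("NewsSite"),                  # genuine alias, leaked
        "alex+shoestore.zzzzzzzz@example.com",  # forged tag
        "alex@example.com",                     # alias stripped by sender
    ]
    for rcpt in spam_recipients:
        print(rcpt, "->", leak_source(rcpt, SERVICES) or "unknown")
```

Senders that strip everything after the “+” defeat this scheme; a separate alias address or a catch-all domain per service avoids that, at the cost of more setup.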

2. Basic digital hygiene

These are practices you should always apply:

  • Review app permissions: Regularly review what permissions your mobile apps have and revoke unnecessary ones
  • Limit what you share publicly: Review your social media privacy settings. Does everyone really need to know where you live, work, or that you’re on vacation?

3. Be selective with your data

Always ask yourself: do I really need to register here? Does this service truly require my phone number, date of birth, or address? Many times we can access content or features without creating an account—we just find it more convenient to register.

4. Use privacy tools

  • Tracker blockers: Extensions and alternative browsers reduce online tracking
  • Privacy-focused browsers: Consider using Firefox with enhanced privacy settings or Brave, though more advanced alternatives like LibreWolf exist
  • VPN: A reliable VPN masks your IP address from the sites you visit and encrypts your traffic up to the VPN server, which is especially useful on public Wi-Fi networks

The problem of digitalization without security

There’s a global trend toward digitalization of public services. In theory, this should make our lives easier: online procedures, telemedicine appointments, 24/7 service access, less physical bureaucracy. And in many ways, it does.

But digitalization without proportional investment in cybersecurity is a ticking time bomb. We’re centralizing massive amounts of sensitive information from millions of citizens in systems that:

  • Run on decades-old obsolete infrastructure
  • Use outdated software due to limited budgets
  • Are managed by personnel with insufficient cybersecurity training
  • Don’t have adequate incident response protocols
  • Don’t conduct regular security audits

When one of these systems is compromised, as we’ve seen in the examples above, the consequences affect entire populations. And the worst part: there are rarely clear consequences for those responsible for these security deficiencies.

Take control of your information

The question “where do spammers get my data from?” has many uncomfortable answers: from massive security breaches to automated scraping, from data brokers to government negligence. But they all point to a fundamental reality: your personal data circulates on the internet in quantities you probably never imagined, and the consequences go far beyond annoying emails.

The good news is that you’re not completely defenseless. Adopting digital hygiene practices, being selective about what information you share and where, using privacy tools, and applying strategies like fake information in non-critical contexts can significantly reduce your exposure.

But it’s also essential to understand that the complete solution can’t depend solely on individual actions. We need to collectively demand that the institutions forcing us to hand over our data assume real responsibility for protecting it with investment, transparency, and clear consequences for negligence.

The digital age has brought us enormous benefits, but also unprecedented risks to our privacy and security. Taking control of your personal information isn’t paranoia—it’s common sense in 2025.

The next time you receive that spam email or that unwanted promotional call, you’ll know exactly where your information came from. And more importantly, you’ll know what to do about it.

Happy Hacking!
