Why You're Getting Spam: The Data Breach Connection
If your spam volume has suddenly increased, it usually isn't random. Spam epidemics in individual inboxes have a specific cause: your email address was included in a data breach or purchased from a data broker, and the database it was in has been circulating among spammers. Understanding this chain of events explains both why spam spikes happen and what you can actually do about them.
How a data breach becomes spam in your inbox
The journey from a company being hacked to your inbox filling with unwanted email takes a predictable path:
- A company is breached. Hackers exfiltrate the user database, which includes email addresses, usernames, and often password hashes. Major UK breaches have included companies across retail, financial services, telecoms, and entertainment.
- The database is sold. Stolen databases appear on dark web marketplaces within days, sometimes hours. They're priced by quality — fresh breaches with associated names and demographic data command premium prices. Spammers buy them in bulk.
- Your address is added to spam lists. The buyers append your address to their existing mailing lists. Each buyer may sell to others. Within weeks, your address is in dozens of independent spam databases.
- Campaigns begin. Marketing platforms, phishing operations, and scam outfits begin sending to the new addresses. Your spam volume spikes.
The delay between a breach and the resulting spam varies — sometimes weeks, sometimes months as databases are processed and resold. You may see spam increase long after the breach that caused it.
How to check if your address has been breached
Have I Been Pwned (haveibeenpwned.com) is the definitive free tool for this. Enter your email address and it shows you every known data breach your address has appeared in. The service is run by Troy Hunt, an Australian security researcher trusted by governments and major organisations worldwide.
What to do with the results:
- If your address appears in password breach data, change the password immediately on any service where you used the same password
- Enable two-factor authentication on affected accounts
- Set up free monitoring alerts so you're notified of future breaches as they're detected
Why you can't fully stop breach-sourced spam
Once your email address is in a breach database that has been sold and distributed, it's effectively permanent. You cannot contact every spam operation that purchased it and demand removal. Unsubscribing from breach-sourced spam is dangerous (it confirms the address is active and may increase volume). Your spam filter is your best defence at that point.
To make your spam filter most effective:
- Mark spam as spam (not just delete it) — this trains your provider's filter and improves detection for everyone
- Do not click any links in emails from unknown senders, including unsubscribe links
- Let the filter accumulate learning over weeks — it gets progressively more accurate
Prevention going forward: the disposable email approach
You cannot un-expose an already-breached address. But you can prevent future sign-ups from adding to the exposure. The mechanism is straightforward:
- Use a disposable email address for every sign-up to sites you don't fully trust
- If that site is subsequently breached, the leaked address is a temporary throwaway — it cannot be traced back to you, and it has already expired
- Your real address remains clean regardless of how many sites you sign up to
This is the proactive version of breach protection. Rather than reacting to each breach notification, you ensure that most sign-ups use an address that can't create lasting exposure.
When to consider a new email address
If your current address has appeared in many breaches and your spam volume is overwhelming your filter, it may be worth creating a fresh primary email address and migrating important accounts. This is a significant effort but may be the right call if your inbox has become essentially unusable. When setting up the new address, use disposable email and aliases for all new sign-ups from day one.
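Giving every sign-up its own address, as described above, also lets you tell which sign-up exposed you when spam arrives. The following is an added example, not part of the original article. It goes one step beyond the text by attributing a received message to a sign-up. It assumes a mailbox provider that accepts "+tag" subaddresses; the mailbox, secret, site names and sample message are all constructed.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import getaddresses
from typing import List, Optional

# Constructed values: the mailbox is assumed to accept "+tag" subaddresses,
# and the secret is known only to the mailbox owner.
MAILBOX = "alex@example.org"
SECRET = b"constructed-demo-secret"
SITES = ["shop.example", "forum.example", "newsletter.example"]


def alias_for(site: str) -> str:
    """Unique sign-up address for one site, with a keyed tag that cannot be guessed."""
    local, domain = MAILBOX.split("@")
    label = re.sub(r"[^a-z0-9]", "", site.lower())[:20]
    tag = hmac.new(SECRET, site.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"{local}+{label}.{tag}@{domain}"


def leaked_by(recipient: str, sites: List[str]) -> Optional[str]:
    """Return the site whose alias matches the recipient, or None."""
    recipient = recipient.strip().lower()
    for site in sites:
        if recipient == alias_for(site):
            return site
    return None  # bare mailbox, or a forged/unknown tag


def attribute_spam(raw_message: str, sites: List[str]) -> Optional[str]:
    """Read the recipient headers of a received message and name the exposed sign-up."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    for _name, addr in getaddresses(headers):
        site = leaked_by(addr, sites)
        if site:
            return site
    return None


# Constructed sample: spam sent to the address that was given only to shop.example.
SAMPLE_SPAM = (
    "From: Deals <promo@bulk-sender.invalid>\n"
    f"To: <{alias_for('shop.example')}>\n"
    "Subject: Your prize is waiting\n\n"
    "Click here.\n"
)

if __name__ == "__main__":
    print(attribute_spam(SAMPLE_SPAM, SITES))
```

A sender that strips the "+tag" part delivers to the bare mailbox, which this check reports as unattributed; a separate alias or disposable address per site avoids that limitation.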