Depends on the breach. With an email address, they can determine that you are the same John Smith who was in another data breach, so now they know you have accounts on both sites X and Y. If one of those sites was, say, a dating or cheating web site, they may try to extort you. Failure to pay the random might result in your “secret” being leaked on the other site.

If they can trace down your contacts, they can try to pretend to be you claiming to be in trouble, plz send money. You might have heard of this scheme. Very easy to do if you can get into someone’s email account and see their messages, but any service breached that can help identify you and your friends/family could be sufficient as well.

Otherwise they could just try to be intimidating in general, hoping for a reaction. I get spam pretty much weekly telling me I’ve been recorded on my own PC by my own webcam doing dirty things and I need to pay their ransom. Some people are just gullible, and even a 1 in a million success is still a financial win.

With how many breaches have happened and how many millions (billions?) of accounts leaked, the risk to any one specific person is fairly low unless you’re being targeted. I agree, you’re *probably* fine, but think of what collateral damage could happen.

You are laughably naive as to the massive amount of data out there. You would be incredibly lucky if a data breach was only email address, username, password, first and last name. Add in mundane things like phone number and physical address. And in the data breaches that matter, they will get your credit card info or banking info, social security number, date of birth, security question answers, etc. With all of that info, there is a wealth of financial fraud they can and will commit in your name.

You’ve probably already been in one, it’s a sad part about participating in the world we live in now but it’s almost inevitable. How bad it is obviously depends on what was leaked, but also how you protect yourself.

What’s more important than being involved in a breach is taking care of the stuff within your control. Like you mention, avoid password sharing across services, avoid posting information about yourself unnecessarily. Freeze all your credit reports. Regularly check your bills/financial statements for anything fishy. Protect things on your home network (segment any IOT devices/TVs/printers etc. away from the your computers and devices with data.

I start spraying that information out using automated tools and then start refining lists based on low hanging fruit. Maybe you’re one of them. I’ll keep a database interesting targets, and check to see if your hashed password matches something easy in a rainbow table making me think you use weak security elsewhere.

Maybe I’ve already targeted you in some way and will use the breach to gather more information about you. Or maybe you’ll get rich in 5 years, not increase your security, and I’ll check for old data reaches to begin social engineering my attack.

Skilled criminals have a lot to gain from folks thinking data breaches aren’t a big deal. I understand no one taught you the real dangers of having an online presence and the security risks that come with it. Just know that the easier target you are, the dumber the criminal can be to fuck your world up.