Primarily, information such as passport number, social security, date of birth or address are the riskiest.
Many organizations with loose security policies and controls still use such information for authentication (e.g. via phone or chat support)
This list of course is not exhaustive unfortunately.
Platforms that use secret question/answer style for password recovery ask questions that an attacker could figure out by social engineering techniques.
It is also possible for attackers to combine multiple data including subtle ones to achieve a similar outcome.
They often also use the dark web to identify their target (entities with exposed or leaked sensitive data) by capitalizing leaked data they could find.
Types of identity theft:
- Financial fraud
- Account takeover
- Synthetic identity (full-scale impersonation)
It all boils down to how loose the security is in the institutions where your information could be used for unlawful activities.
Note: All scenarios I’m mentioning apply when you don’t need to be either physically present and/or present a biometric document.