What to Do After a Data Breach: Your Step-by-Step Response Plan

Your data was exposed in a breach. Here is exactly what to do — from changing passwords to freezing credit — with a prioritized timeline so you can act fast.

Passwordly Team
11 min read

Your Data Was Breached — Now What

You receive an email from a company: "We regret to inform you that your personal information may have been compromised." Or perhaps you found your email on Have I Been Pwned or received a credit monitoring alert. Either way, your data is now in the hands of unknown third parties.

Don't panic, but act quickly. The window between a data breach and the exploitation of stolen data can be hours, days, or weeks. Attackers often sell stolen data in bulk, and it takes time before specific accounts are targeted. This delay is your advantage — use it.

The severity of a breach depends on what data was exposed. A leaked email address is far less urgent than a leaked Social Security number with date of birth and home address. Your response should be proportional to the risk, but err on the side of caution. It's far better to over-respond than to discover six months later that someone opened a credit card in your name.

This guide provides a prioritized, time-based response plan so you know exactly what to do and when.

The First 24 Hours

These actions are the highest priority and should be completed as soon as possible:

1. Change the compromised password immediately.

If the breached service involved a username/password, change it right now. Use a strong, unique password — at least 16 characters with mixed character types. If you use a password manager, generate a new random password. If you don't use a password manager, this is the time to start.

2. Change that same password everywhere you reused it.

This is critical and often overlooked. If you used the same password on the breached site and your email, banking, or social media accounts, change all of them immediately. Attackers know that most people reuse passwords, and the first thing they do is try stolen credentials on high-value sites. Use our password strength checker to verify your new passwords are strong.

3. Enable two-factor authentication (2FA).

If the compromised account supports 2FA and you haven't enabled it, do so now. Prefer authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) or hardware security keys (YubiKey, Titan) over SMS-based 2FA. Even if attackers have your password, 2FA stops them from logging in with the password alone.

4. Check for unauthorized account activity.

Log into the breached account and review:

  • Recent login history and active sessions — log out all unrecognized sessions
  • Linked accounts or connected apps — revoke any you don't recognize
  • Recovery email and phone number — verify they haven't been changed
  • Email forwarding rules — attackers sometimes set up forwarding to intercept messages
  • Recent transactions or account changes

5. Secure your email account first.

Your email is the master key to your digital life — password resets for virtually every service go through email. If there's any chance your email password was compromised, change it immediately and enable 2FA. This is arguably the most critical step.

Within the First Week

Once the immediate crisis is addressed, take these additional steps:

6. Freeze your credit (if financial data was exposed).

A credit freeze prevents anyone from opening new credit in your name. It's free and doesn't affect your credit score. Contact each credit bureau:

  • Equifax: equifax.com/personal/credit-report-services or 800-685-1111
  • Experian: experian.com/freeze or 888-397-3742
  • TransUnion: transunion.com/credit-freeze or 888-909-8872

You'll receive a PIN or password for each bureau to temporarily lift the freeze when you need to apply for credit. A freeze is more effective than a fraud alert: a fraud alert only asks creditors to verify your identity before issuing credit, and the creditor decides how thoroughly to check, whereas a freeze blocks the credit inquiry entirely.

7. Place a fraud alert (complementary to freeze).

You only need to contact one bureau — they're required to notify the other two. A fraud alert lasts one year (or seven years if you're a confirmed identity theft victim) and requires businesses to verify your identity before issuing credit. Do this in addition to a credit freeze for maximum protection.

8. Review your financial statements.

Carefully review bank statements, credit card statements, and any financial accounts for unauthorized transactions. Report any suspicious activity to your bank immediately. Most banks have a limited time window for disputing fraudulent transactions (typically 60 days).

9. Check if the breach involved your medical or insurance information.

Medical identity theft is harder to detect and more damaging than financial fraud. Review your medical records, insurance claims (Explanation of Benefits statements), and contact your insurance provider to flag potential fraud.

10. Document everything.

Keep records of:

  • The breach notification (screenshot or save the email)
  • Actions you've taken and when
  • Communications with companies, banks, and credit bureaus
  • Any financial losses or unauthorized transactions

This documentation is essential if you need to file police reports, insurance claims, or dispute fraudulent accounts later.

Ongoing Monitoring

Post-breach monitoring should continue for at least 12-24 months:

Monitor your credit reports. You're entitled to free weekly credit reports from all three bureaus through AnnualCreditReport.com. Review them for accounts, inquiries, or addresses you don't recognize. Set a calendar reminder to check monthly.

Use identity monitoring services. Many breach notifications include free credit monitoring — accept it. Additional options include:

  • Have I Been Pwned (haveibeenpwned.com) — Free email breach monitoring
  • Credit Karma — Free credit monitoring from TransUnion and Equifax
  • Paid services like LifeLock or Aura provide more comprehensive monitoring including dark web scanning

Watch for unusual mail. Bills, collection notices, or credit cards you didn't apply for are signs of identity theft. Missing expected mail can also be a red flag — criminals sometimes redirect mail to intercept financial statements.

Monitor your tax account. File your taxes early to prevent someone else from filing in your name. Create an IRS online account (irs.gov) if you haven't already and set up an Identity Protection PIN.

Keep an eye on your medical records. Request your medical records periodically and review for treatments, prescriptions, or visits you don't recognize.

Response Based on What Was Exposed

Different types of exposed data require different responses:

Email address only:

  • Low urgency, but expect increased phishing and spam
  • Verify your email password is strong and unique
  • Enable 2FA on your email account
  • Be extra cautious about emails claiming to be from the breached company — attackers may send phishing emails impersonating the breach notification

Passwords (even hashed):

  • Change the password immediately on the breached site AND everywhere it was reused
  • Assume the password is compromised — hashed passwords can often be cracked, especially weak ones
  • Audit all your accounts for password reuse
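Step 2 above and this audit both come down to the same question: which entries in your password manager share the breached password, and which are too weak to keep? The following script is an added example, not part of the original article or any Passwordly tool; it assumes a hypothetical password-manager CSV export with name, url, username and password columns and runs on a constructed sample vault.

```python
import csv
import io
from collections import defaultdict

# Constructed sample vault in a hypothetical name,url,username,password
# export layout (not a real export and not real credentials).
VAULT_CSV = """name,url,username,password
Shop,https://shop.example,alice@example.com,Summer2023!
Email,https://mail.example,alice@example.com,Summer2023!
Bank,https://bank.example,alice,v9#Lq2!xR8mZ4pWq@Kt7
Forum,https://forum.example,alice99,correcthorsebattery
"""

MIN_LENGTH = 16  # the guide's "at least 16 characters" rule


def character_classes(password):
    """Count how many of lower/upper/digit/symbol the password uses."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def is_weak(password):
    """Weak = shorter than MIN_LENGTH or fewer than three character classes."""
    return len(password) < MIN_LENGTH or character_classes(password) < 3


def audit_vault(csv_text):
    """Return (reused, weak): groups of entry names sharing one password,
    and names of entries whose password fails the strength rule."""
    by_password = defaultdict(list)
    weak = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_password[row["password"]].append(row["name"])
        if is_weak(row["password"]):
            weak.append(row["name"])
    reused = [names for names in by_password.values() if len(names) > 1]
    return reused, weak


def accounts_to_change(csv_text, breached_name):
    """Step 2: the breached entry plus every entry reusing its password."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    breached = [r["password"] for r in rows if r["name"] == breached_name]
    if not breached:
        return []
    return [r["name"] for r in rows if r["password"] == breached[0]]


if __name__ == "__main__":
    print(audit_vault(VAULT_CSV))
    print(accounts_to_change(VAULT_CSV, "Shop"))
```

Entry names, not passwords, are what the audit reports, so the output is safe to keep with your breach documentation.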

Phone number:

  • Expect increased spam calls and phishing texts (smishing)
  • Be cautious of calls claiming to be from banks, government agencies, or the breached company
  • Consider adding a PIN to your mobile carrier account to prevent SIM swapping

Date of birth + name + address:

  • Moderate risk — this combination enables identity verification bypass
  • Freeze your credit proactively
  • Monitor credit reports closely

Social Security Number:

  • High risk. This is the most dangerous single piece of exposed data
  • Freeze credit at all three bureaus immediately
  • File an Identity Theft Report with the FTC (IdentityTheft.gov)
  • Consider filing a police report
  • Set up an IRS Identity Protection PIN
  • Monitor credit reports weekly for at least two years
  • Consider an extended fraud alert (seven years)

Financial account numbers:

  • Contact your bank or card issuer immediately to report potential compromise
  • Request new account numbers/card numbers
  • Enable account alerts for all transactions
  • Review statements daily for the next 30 days

Medical records or insurance information:

  • Contact your insurance provider
  • Request and review your medical records
  • Place a fraud alert with healthcare providers
  • Monitor Explanation of Benefits statements for treatments you didn't receive

Preventing Future Damage

Use this breach as a catalyst to improve your overall security posture:

Adopt a password manager. If this breach caught you reusing passwords, a password manager solves that problem permanently. Every account gets a unique, random password. If one site is breached, no other account is affected. Popular options include Bitwarden (free/open-source), 1Password, and Dashlane.

Enable 2FA everywhere possible. Prioritize: email, banking, social media, cloud storage, then everything else. Use authenticator apps or hardware keys rather than SMS.

Minimize your data footprint. Every account is a potential breach surface. Delete accounts you no longer use. Use throwaway email addresses for low-value services. Provide minimal personal information during sign-ups — leave optional fields empty.

Use unique email addresses. Services like Apple's Hide My Email, SimpleLogin, or Firefox Relay create unique email aliases for each service. If one is breached, you know exactly which service leaked your data, and you can delete the alias without affecting your primary email.

Review permissions and connected apps. Regularly audit what apps have access to your Google, Facebook, Apple, and Microsoft accounts. Revoke access for anything you don't actively use.

Common Scams After a Breach

After a publicized data breach, scammers exploit the situation with targeted attacks:

Fake breach notification emails. Attackers send phishing emails that look like official breach notifications, complete with the company's branding. They include links to "verify your identity" or "reset your password" that lead to phishing sites. Always navigate directly to the company's website instead of clicking links in emails.

Phone calls from "the company" or "your bank." Scammers call pretending to help you secure your account, then ask for passwords, PINs, or Social Security numbers. Legitimate companies will never ask for your password over the phone. Hang up and call the company directly using the number on their official website.

Fake credit monitoring offers. Scammers offer "free credit monitoring" with links to malicious sites that harvest more personal data. Only use credit monitoring services directly through the breach notification from the actual company, or established services like Credit Karma.

Social engineering using breached data. If an attacker knows your name, address, and past purchases (from the breached company), they may use that information to craft convincing scam attempts. Be skeptical of any unsolicited contact, even if the caller or emailer knows personal details about you.

Complete Response Checklist

Use this checklist to ensure you've covered all critical steps:

Immediate (Day 1):

  • Change the compromised password with a strong, unique password
  • Change the same password on any other site where it was reused
  • Enable 2FA on the affected account
  • Enable 2FA on your primary email account
  • Review account for unauthorized activity
  • Log out all unrecognized sessions

Within one week:

  • Freeze credit at all three bureaus (if financial/identity data exposed)
  • Place a fraud alert
  • Review bank and credit card statements
  • File an FTC Identity Theft Report (if SSN exposed)
  • Contact insurance providers (if medical data exposed)
  • Document all actions taken

Ongoing (12-24 months):

  • Monitor credit reports monthly
  • Watch for suspicious mail, calls, and emails
  • File taxes early
  • Set up identity monitoring alerts
  • Review medical records and insurance statements

Long-term improvements:

  • Adopt a password manager with unique passwords for every account
  • Enable 2FA on all important accounts
  • Minimize personal data shared online
  • Delete unused accounts
  • Use email aliases for new services

A data breach is alarming, but your response determines the outcome. Most breach victims who act quickly and follow a systematic response plan experience minimal real damage. The key is speed, thoroughness, and follow-through — treat it like an emergency with a well-rehearsed plan, not a crisis driven by panic.
