Data Breach Guide: What To Do If Your Data Is Breached

Act fast. The first 24-48 hours after a breach are the most critical. Follow this checklist step by step.

Immediate Action Checklist

1 Change your password immediately Update the password for the breached account right away. Use a unique, strong password at least 12 characters long.
2 Change passwords on linked accounts If you reused the same password elsewhere (email, banking, social media), change those too. Attackers try stolen credentials on all major sites.
3 Enable two-factor authentication (2FA) Turn on 2FA for all important accounts. This stops attackers even if they have your password.
4 Check your email for suspicious activity Look for password reset emails you did not request, new sign-in notifications, or unusual login locations.
5 Monitor your bank and credit card accounts Check for unauthorized transactions. Report any suspicious charges to your bank immediately.
6 Freeze your credit (if financial data was exposed) Contact the major credit bureaus (Equifax, Experian, TransUnion) to place a free credit freeze, preventing new accounts from being opened in your name.
7 Watch for phishing attempts Attackers who obtain your email address will often follow up with targeted phishing emails. Be skeptical of any unexpected messages asking for personal info.
8 Check if your email appears in known breaches Visit HaveIBeenPwned.com to see if your email is in any known breach database.
9 Start using a password manager A password manager generates and stores unique passwords for every site, so a breach of one account never compromises others.
10 Report identity theft if it occurs In the US, file a report at identitytheft.gov. In other countries, contact your national consumer protection agency.

Pro Tip: Use a unique email alias per service (e.g. via SimpleLogin or Apple's Hide My Email). If one gets breached, you'll know exactly which service was responsible.

What Types of Data Are Most Dangerous?

Passwords: Change immediately if exposed, even if hashed
Social Security Number / National ID: File a fraud alert with credit bureaus
Credit/Debit card numbers: Request a new card from your bank immediately
Date of birth + full name: Used to answer security questions or create fake IDs
Home address: Enables physical mail fraud and targeted scams
Email address alone: Lower risk, but watch for phishing spam

Long-Term Protection Habits

Use a unique, strong password for every account (use a password manager)
Enable 2FA on every service that supports it, preferably using an authenticator app
Regularly review which apps and services have access to your accounts
Keep your devices and software updated to patch security vulnerabilities
Use a VPN on public Wi-Fi to protect your data in transit
Be cautious about what personal information you share online

Generate a strong new password: Password Generator