What To Do If Your Data Has Been Breached

What Should You Do If You’re Part of a Data Breach?   

As soon as you realize your data has been leaked, you should freeze your credit files, update compromised passwords, and look for signs of fraud or hacking. 

A data breach is a severe threat — even if you don’t think your sensitive information has been leaked. 

Fraudsters scour leaked and publicly available information to create in-depth profiles of their victims. With enough of your personally identifiable information (PII), they can quickly ruin your credit score and steal your life savings — leaving you with months or years of hardship trying to unravel the damage. 

While the exact steps you take after a data breach depend on what information was leaked, you can secure yourself against the majority of attacks and scams by taking protective measures. 

10 Steps To Take Immediately After a Data Breach

No industry is immune to the threat of hacking. In recent years, fraudsters have targeted — and successfully breached — virtually every major type of organization, from banks to cell phone providers, airports to government bodies.

For example, in October 2024, the Federal Trade Commission (FTC) took action against the Marriott International and Starwood hotel companies after three large security breaches impacted over 344 million customers worldwide [*]. 

As soon as you receive a Dark Web or data breach notification, you should take action to protect your accounts and minimize the damage that scammers can do.

1. Contact your banks and credit card companies

If a data breach included your financial information — including bank account numbers or credit card or debit card details — there’s a chance identity thieves could raid your savings or ruin your credit score. Any breach of a company that may hold your financial details, such as an e-commerce profile or password manager, should be regarded as an immediate threat to your bank accounts.  

• Freeze your debit cards and credit cards in your mobile app. You can do this instantly if you think your financial accounts are at risk. This quick action will stop anyone from using your stolen credit card numbers for online purchases or wire transfers. 
• Contact your banks and card issuers to report the breach. By letting financial institutions know that you’ve been compromised, they can cancel your accounts and cards to limit the fallout. This can also help kickstart an investigation to help limit your liability for misused funds. 

💡 Related: Credit Card Fraud Detection: How To Spot & Avoid Fraud →

2. Freeze your credit with all of the major bureaus

Once your immediate cash accounts are secure, you should lock down your credit files next. When you place a credit freeze, it prevents thieves and scammers from using your leaked personal data to open new accounts or take out loans in your name. 

A credit freeze is a better option than a fraud alert — as it prevents other people from accessing your credit file, whereas a fraud alert just suggests to companies that they confirm your details before giving you new credit. 

Contact each of the three major credit reporting agencies individually to place the freeze:

Pro tip: While freezing your credit with the three major credit bureaus may be enough, you should also consider freezing it with smaller consumer credit agencies that fraudsters use to take out payday loans, like ChexSystems and LexisNexis. You can also contact subprime credit reporting agencies, such as Teletrack, Factor Trust, and DataX.

3. Update compromised (or reused) passwords

After a data breach, hackers often package and sell stolen login credentials on the Dark Web. If your data has been breached, you need to change your passwords immediately to protect your personal and financial details. 

When you’re creating strong passwords, be sure to make them:

• Unique: Use a different password for every account to prevent a single breach from compromising multiple accounts. Also, avoid close variations of the same password (such as adding “123” to the end).
• Complex: Instead of obvious keyboard patterns or passwords based on publicly available information (like your pet’s name), create a passphrase by using a combination of uppercase and lowercase letters, numbers, and symbols.
• Long: Aim for at least 10 characters to protect against brute force attacks.

Insider tip: Every Identity Guard plan includes a robust password manager to help you create and store strong, unique passwords for each account. Once complex passwords are saved in Identity Guard, you can access them easily by using a single master password. Try Identity Guard today.

4. Enable two-factor authentication — with an authenticator app

Data breaches can leak passwords or enough sensitive information for scammers to access your online accounts. Two-factor or multifactor authentication (2FA/MFA) offers a second layer of security that requires a special one-time-use code, biometric data (fingerprint, facial scan, etc.), or other verifying factor before granting access to your account.

2FA can prevent hackers from accessing your account after a password breach — however, not all forms of 2FA are as secure. While most people opt for a special code sent to their phones, these can actually be intercepted by scammers who use SIM swap scams to steal your phone number. Instead, use a secure method like an authenticator app or hardware security key.

5. Catalog what data was breached, and make a game plan

Breached personal data isn’t always used right away. After taking some initial security measures, find out what data has been stolen and how you can help prevent scammers from using it against you. 

If you’re curious about what data has been leaked in the past, try using Identity Guard’s free Dark Web scanner:

You can take the following steps to go further and see what specific data has been leaked: 

• Look out for data breach notifications. Breached companies are required to send notifications to impacted customers. Don’t ignore these notifications as they will tell you what happened, what data has been leaked, and offer advice on how to secure your accounts. 
• Sign up for a Dark Web monitoring service. Identity Guard monitors your most sensitive information — including your passport number, Social Security Number (SSN), and other critical data — on the Dark Web, in public records, and more. With this service, you can find out what accounts or pieces of your identity have been leaked.

🤔 Do you think you could be at risk of identity theft? Follow these steps to stay safe →

6. Review statements and credit files for signs of fraud

With protective measures in place, you should look for further damage or signs of fraud. Most scammers are financially motivated, and your credit file often is one of the best places to look for signs that you’ve been targeted. 

While credit monitoring services can check your credit files automatically and notify you of changes or potential fraud, you can also access free credit reports yourself online by visiting AnnualCreditReport.com. Look for unauthorized changes to your profile, new accounts opened in your name, and other suspicious activity. 

You should also take this time to examine your financial accounts — such as credit card statements, online banking apps, or cryptocurrency exchanges. 

7. Beware of suspicious emails, texts, and calls

After data breaches, scammers can use stolen data to target you with phishing attacks. The more personal information that has been leaked, the more convincing these attacks become. 

• Look out for warning signs of phishing attacks. Red flags can include texts, emails, or social media messages containing suspicious links or attachments sent from unknown people. If a message has an urgent tone, consider this an additional giveaway. No legitimate government agency or business will pressure you into making major financial decisions. 
• Don’t interact directly with suspicious communications. Never click on links in emails or text messages from unknown senders, as this could trigger a malware download or direct you to an unsecured website. If you want to verify the authenticity of any communication, contact the person or company directly via details listed on their official website. 
• Enable Safe Browsing tools. Identity Guard can send you warnings about potential phishing or look-alike websites before you enter your personal information. 

💡 Related: Clicked on a Phishing Link? How To Make Sure You're Safe →

8. Remove your personal information from data broker lists, sites, and search results

Data brokers and people search sites scrape public records and online sources for your private information. While companies like Whitepages, Spokeo, and Radaris help advertisers offer personalized marketing, many unscrupulous data brokers sell your information to just about anyone, including telemarketers and scammers. Any available information can be added to your “profile” and sold to hackers. 

Here are some quick ways to help improve your online privacy: 

• Submit a personal content removal request to Google. You can request that Google remove any of your personal information or contact details from search results. The full guidance from Google is here.
• Opt out manually from all data brokers. Privacy Rights maintains a database of U.S. data brokers with details on how to opt out of data collection. Be aware that this list does not include all of the brokers in the country. Plus, many data brokers re-add your information, which means you need to constantly monitor and lodge more opt-out requests.
• Use an automatic data broker opt-out service. You can save time and avoid hassles by using Identity Guard’s automated data broker removal service that scans known data broker databases and sends removal requests on your behalf. This method will help you reduce your digital footprint quickly. 

9. Preemptively sign up for sensitive online accounts (SSA, IRS, etc.) 

Scammers may try to use your identity to obtain government benefits, employment, or file fake tax returns. If you already have registered these accounts under your name, criminals won’t be able to open new ones by using your leaked information.  

• Request an Identity Protection PIN. The Internal Revenue Service (IRS) can assign you a secret six-digit number for you to verify your identity when filing your taxes. You can request an IP PIN by visiting the IRS.gov website.
• Claim your “My Social Security” account. You can use this profile to apply for benefits and receive notifications if there is unauthorized use of your SSN. Create an account by visiting the My Social Security website.
• Lock your SSN. The Department of Homeland Security (DHS) allows citizens to freeze their Social Security Numbers to combat the threat of fraud. This preventive measure protects you from employment-related fraud. You can create an account on the myE-Verify website. 

💡 Related: How To Know If Someone Is Using Your Social Security Number (SSN) → 

10. Regularly monitor your accounts and personal information

Leaked personal data can stay on the Dark Web forever. Even if you don’t see red flags immediately after a data breach, this doesn’t mean scammers won’t target you later.

It’s important to adopt a proactive attitude to monitoring your online accounts, including your financial,  credit, and investment accounts. 

Warning: Companies that suffer a data breach may offer free (but often limited) credit or identity monitoring or some other form of cybersecurity support. Make sure you read the terms and conditions carefully, as accepting this support may prevent you from taking legal action against the company later.

Do You Think Scammers Are Using Your Leaked Data? Do This!

The rise in leaked data puts almost everyone at risk of falling victim to fraud. With a few protective steps and the support of a reputable identity theft protection service, you can make yourself a much less vulnerable target. 

However, even if you do everything right, there’s still a chance that your personal information might be used by a scammer. 

If you see signs of identity theft or hacking, you should: 

• File a report with the FTC. When you submit a report, you’ll receive an official identity theft affidavit and a personalized recovery plan to help recover from the impact of fraud. You can make your report at IdentityTheft.gov. 
• Close compromised bank accounts as well as debit and credit cards. If you confirm you’re a victim of fraud, it’s best to cancel your cards. Ask your bank or lender to issue new cards and PINs to a trusted address.
• Dispute fraudulent transitions. After reviewing your financial statements, you can notify banks and vendors about the fraud. Provide your FTC affidavit as proof that you are a victim of identity theft, and ask for the charges to be reversed. 
• Contact your insurance provider to get help. It can take several months to discover, resolve, and recover from the effects of identity theft [*]. With identity theft insurance, you have more financial protection and support to help you get back on your feet. If you haven’t taken out a personal insurance policy, check to see if you have coverage with your home insurer and/or your employer. 

Identity Guard is a powerful partner in your fight against online scammers. Its award-winning identity and credit protection platform includes 24/7 Dark Web and data breach monitoring and alerts, Safe Browsing tools, U.S.-based support, and up to $1 million in identity theft insurance. 

Identity Guard protects your data, identity, and finances — save up to 50% today!