Data Breaches Are Common — Your Response Matters
Billions of records are exposed in data breaches every year. When your information is caught up in one, the speed and decisiveness of your response determines how much harm you actually experience. Here's exactly what to do, in order of priority.
Step 1: Confirm the Breach Is Real
Before taking any action, verify the breach is legitimate. Scammers often send fake "breach notification" emails to trick you into clicking malicious links. To confirm:
- Check Have I Been Pwned (haveibeenpwned.com) — a free, reputable service that tracks known breach databases.
- Look for official communications from the company on their actual website (not links in any email).
- Search for news coverage of the breach from established cybersecurity outlets.
Step 2: Change Your Password for the Breached Service
Do this immediately using a strong, unique password you haven't used anywhere else. If you've been reusing the same password across multiple sites (a very common but risky habit), change it on every site where it was used: attackers take the leaked email-and-password pairs and try them automatically against other services, a technique called credential stuffing, and it succeeds precisely because of password reuse.
This is also a good moment to set up a password manager if you don't have one, so you never have to reuse passwords again.
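Step 1's Have I Been Pwned check and Step 2's password advice meet in HIBP's Pwned Passwords service, which lets you test whether a password appears in known breach dumps without sending the password itself: only the first five characters of its SHA-1 hash go over the wire, and the matching is done locally against the returned list of hash suffixes. The following is an added example (not code from the original article or from HIBP); the endpoint URL and the "SUFFIX:COUNT" response format are the documented ones, while the sample response and its counts are constructed so the check runs offline.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6
# (the prefix of sha1("password")). The real endpoint returns hundreds of
# lines per prefix; the counts and the other two suffixes here are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0D6B4F6C1B2F8B9A2C0E3D1F5A7B9C8D6E4:2
FFFA3C6F3E0D8C5B7A9E1F2D4C6B8A0E3D5:17
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char
    prefix that is sent to the service and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_response: str) -> int:
    """Scan a range response for our suffix; 0 means not found in any dump."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the documented range endpoint (needs network)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "breach-response-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_exposure_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password was seen in breaches (0 = not seen).
    `fetch` is injectable so the offline sample can stand in for the network."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration using the constructed sample instead of the network.
    hits = password_exposure_count("password", fetch=lambda _p: SAMPLE_RANGE_RESPONSE)
    print(f"'password' seen {hits} times; choose a different one" if hits else "not seen")
```

A count above zero means the password is in circulation and should be replaced, not merely because it was in the breach you were notified about but because any attacker with the dump can try it elsewhere.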
Step 3: Enable Two-Factor Authentication
If the breached service supports 2FA and you haven't enabled it, do so now. Even if an attacker has your password, they won't be able to log in without your second factor. Where possible, use an authenticator app rather than SMS.
Step 4: Identify What Data Was Exposed
The type of data exposed determines your next actions. Common categories include:
- Email and password only: Change passwords and enable 2FA.
- Financial data (card numbers, bank info): Contact your bank or card issuer immediately, monitor for unauthorized transactions, and consider requesting a new card number.
- Social Security number or national ID: Place a credit freeze with the major credit bureaus (Equifax, Experian, TransUnion in the US). This is free and very effective at preventing new accounts from being opened in your name.
- Home address or phone number: Be alert for targeted phishing calls or mail scams.
- Date of birth combined with other data: Heightened identity theft risk — consider a credit freeze regardless.
Step 5: Watch for Phishing Attempts
After a breach, attackers often use the exposed information to craft highly convincing phishing emails or calls. They may reference details from your account to appear legitimate. Be especially skeptical of:
- Unsolicited emails asking you to "verify" or "secure" your account.
- Phone calls claiming to be from your bank or the breached company.
- Text messages with links. Instead of tapping the link, type the company's web address into your browser yourself.
Step 6: Monitor Your Credit and Financial Accounts
Set up account alerts with your bank so you're notified of any transactions. Review your credit reports periodically — in many countries you're entitled to free annual reports from major bureaus. Look for accounts or inquiries you don't recognize.
Step 7: Consider a Credit Freeze
A credit freeze (also called a security freeze) is one of the most powerful tools available if sensitive financial or identity data was exposed. It prevents new credit from being opened in your name without your explicit approval. It's free to place and lift in most jurisdictions, and it doesn't affect your existing credit.
Longer-Term Habits to Build
A breach is a useful reminder to strengthen your overall security posture:
- Use unique passwords for every account (password manager).
- Regularly check Have I Been Pwned for new exposures.
- Minimize the personal data you share with services you don't fully trust.
- Delete accounts for services you no longer use — fewer accounts means fewer breach risks.
No one can completely prevent their data from being caught in a breach, but a fast, informed response dramatically limits the real-world impact.