You've Been in a Data Breach. Now What? (Do These Things in Order)
You got the email. Your bank, your gym, your email provider, or some random app you signed up for in 2019 just told you they had a "security incident." Your data is out there. You don't know what to do, you're not sure how serious it is, and the email itself was carefully worded to make you not panic.
You should not panic. But you should act — and you should act in a specific order, because skipping steps or doing them out of order leaves doors open that scammers will walk right through.
This is the playbook. Print it. Share it. Use it the next time you get one of those emails.
Step 1: Find Out What Was Actually Leaked
Different breaches expose different data, and the difference matters a lot. Read the breach notification carefully and figure out what was exposed. Here's the danger ranking:
Most dangerous:
- Social Security number — enables identity theft, fraudulent tax returns, new credit accounts in your name
- Financial account numbers + routing numbers — direct access to your money
- Driver's license + full name + address — enough to impersonate you for many services
- Medical records — used for medical identity theft and insurance fraud
Moderately dangerous:
- Passwords (especially unhashed or weakly hashed) — gateway to every account where you reused that password
- Date of birth + full name + address — used as verification answers and for phishing personalization
- Credit card numbers — fraud is common but card networks usually limit your liability
Lower danger but still important:
- Email address alone — gets you added to spam lists and used for targeted phishing
- Phone number alone — opens you up to smishing and vishing
- Security question answers (mother's maiden name, first pet) — used to bypass account recovery
Figuring out what was exposed determines how aggressive your response needs to be.
Step 2: Change Your Password On the Breached Site First
Most people get this backward. They change passwords everywhere except the actual breached site. Wrong order. Start at the source.
Go directly to the breached site (type the URL yourself; never click the link in the breach email, because breach notifications themselves get spoofed) and change your password to something strong, unique, and never used anywhere else.
If they offer to invalidate all active sessions and force you to log in again on every device, do that too.
Step 3: Change Your Password Anywhere You Reused It
This is the step almost everyone skips, and it's the step scammers count on you skipping. Here's why it matters:
When scammers get your email and password from a breach, the first thing they do is try that exact combination on every other site they can think of. Gmail, Amazon, PayPal, Netflix, your bank, every social platform. This is called credential stuffing, and it's automated. They run your password through thousands of sites in minutes.
If you reused that password anywhere — and most people do — those accounts are now compromised too.
So: think about which accounts share that password. Change every single one. Use a unique password for each, generated by a password manager if possible. The whole point is that one breach can never compromise more than one account.
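One way to answer "which accounts share that password?" without relying on memory is to audit a password-manager export. This is an added example, not code from the original post; the CSV column names and the vault contents are constructed assumptions (real exports vary by product), and the report only ever shows a hash prefix, never the password itself.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export. The column names are an
# assumption; real exports differ. Delete the export file once the audit is done.
SAMPLE_EXPORT = """name,url,username,password
Gym App,https://gym.example,alice@example.com,Summer2019!
Webmail,https://mail.example,alice@example.com,Summer2019!
Bank,https://bank.example,alice,Tq8#vL2m!pR9x
Shop,https://shop.example,alice@example.com,Summer2019!
Social,https://social.example,alice_h,correct-horse-battery
"""


def fingerprint(password: str) -> str:
    """Short stable fingerprint so the report never contains the plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_reused(csv_text: str) -> dict[str, list[str]]:
    """Group vault entries by password fingerprint; keep only groups used more than once."""
    groups: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[fingerprint(row["password"])].append(row["name"])
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def accounts_sharing_password_with(csv_text: str, breached_site: str) -> list[str]:
    """The Step 3 question: which OTHER accounts use the same password as the breached site?"""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    breached = [r for r in rows if r["name"] == breached_site]
    if not breached:
        return []
    fp = fingerprint(breached[0]["password"])
    return [r["name"] for r in rows
            if fingerprint(r["password"]) == fp and r["name"] != breached_site]


if __name__ == "__main__":
    for fp, names in find_reused(SAMPLE_EXPORT).items():
        print(f"password {fp} is reused on: {', '.join(names)}")
    # The gym app was breached: these accounts need a new, unique password next.
    print("change next:", accounts_sharing_password_with(SAMPLE_EXPORT, "Gym App"))
```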
Step 4: Enable Two-Factor Authentication (2FA) Everywhere That Matters
This is the most important step on this list, full stop. 2FA means even if a scammer has your password, they can't get into your account without a second factor — usually a code from your phone.
Turn it on for:
- Email accounts (especially the one tied to password resets — this is the master key to everything)
- Banking and financial accounts
- Cryptocurrency exchanges
- Cloud storage (Google Drive, iCloud, Dropbox)
- Major shopping accounts (Amazon, anywhere your credit card is saved)
- Social media
- Password manager (the master account, with the strongest 2FA available)
Use an authenticator app (Google Authenticator, Authy, your password manager's built-in option) instead of SMS when you can. SMS 2FA is better than nothing, but it can be intercepted via SIM swap attacks. Authenticator apps are far more secure.
Step 5: Watch for Targeted Phishing for the Next 60 Days
This is the part most people don't expect: scammers don't usually use your stolen data to log into your accounts directly. They use it to phish you with personalized messages that feel legitimate.
If they have your name, address, partial card number, and the company you do business with — they can send you an email or text that includes all of those details, making it feel completely real. "Hi [Your Name], we noticed unusual activity on the card ending in [last 4]. Verify your account at [malicious link]."
Watch for:
- Phishing emails that reference details from the breach (the company that got breached, accurate personal info)
- Phone calls from "fraud departments" that already know your account number
- Text messages from "the breached company" with links to "secure" your account
- Emails about invoices, delivery notifications, or password resets you didn't request
Treat anything unexpected with extra suspicion for at least 60 days. Do not click. Verify through official channels.
Step 6: Freeze Your Credit If Financial Info Was Exposed
If your SSN, driver's license, or financial information was leaked, freeze your credit at all three bureaus. It's free, it takes 10 minutes, and it prevents anyone from opening new credit accounts in your name.
- Equifax: equifax.com/personal/credit-report-services or 1-800-685-1111
- Experian: experian.com/freeze or 1-888-397-3742
- TransUnion: transunion.com/credit-freeze or 1-888-909-8872
A credit freeze does not affect your existing accounts or your credit score. You can temporarily lift it (also free) when you actually need to apply for credit. Set it and forget it.
While you're at it, place fraud alerts. They last one year, are free, and add an extra verification step for new credit applications.
Step 7: Monitor For Identity Theft Signs
For the next 90 days, watch for:
- Unexpected bills, statements, or collection notices
- Mail going missing (a sign someone may have filed a change-of-address or mail-forwarding request in your name)
- New accounts on your credit report that you didn't open
- Tax return rejection because someone already filed using your SSN
- Calls from debt collectors about debts you don't recognize
- Insurance claims you didn't make
If any of these happen, file an identity theft report at identitytheft.gov. It's a free federal service that creates an official record and generates a personalized recovery plan.
The One Mistake Everyone Makes
The single biggest mistake people make after a breach: they change their password on the breached site, feel safe, and stop there. They don't change reused passwords. They don't enable 2FA. They don't freeze their credit. Three months later, scammers credential-stuff their way into a different account and the real damage starts.
Don't be that person. Walk through every step on this list. The whole thing takes 30-60 minutes once. It saves you from cleanup that takes weeks or months.
Two Things to Do Right Now
First — find out what breaches your email is already in.
Most people are in dozens of breaches without knowing it. The data is already out there, scammers already have it, and you can't undo that. But you can patch the gaps before they get exploited.
Check your email at scamsecuritycheck.com
Then — set up ongoing breach monitoring.
New breaches happen every week. Manually checking is a losing game. Get notified the moment your email shows up in a new leak so you can act in hours instead of months.
Create a free account at scamsecuritycheck.com for ongoing breach monitoring and detailed reports.
The internet is full of leaked data and there's nothing you can do about that. What you can do is make sure that data is useless to anyone trying to attack your accounts. Strong unique passwords, 2FA on everything important, and a frozen credit file. That's the playbook. Run it once and you're ahead of 95% of people.
Courtney Delaney
Founder, ScamSecurityCheck
Courtney Delaney is the founder of ScamSecurityCheck, dedicated to helping people identify and avoid online scams through AI-powered tools and education.