What to Do After a Data Breach

Follow these steps to secure your personal information


Data breaches are often in the news, but your personal information can be compromised even if you haven't heard about an incident. In 2020, more than 150 million people had sensitive information exposed, including passwords, phone numbers, home addresses, and financial data.

In the aftermath, criminals may try to log into the breached account with your email address and password, and they may also try to log into many other accounts using the same email address and password—an attack known as credential stuffing.


If you’ve been involved in a data breach, there are steps you can take to regain control of your accounts and protect your personal information. And you can take many of the same steps proactively, to keep your data safe before there's a security failure.

“The main thing is looking at what data was breached and where you might have used that data,” says Katie Moussouris, founder and CEO of Luta Security, a security firm that helps businesses and governments work with hackers to better defend themselves from digital attacks. “Take a look at which pieces of information were compromised, and start looking at any places where you reuse that information.”

Find Out What Was Breached

The first step in responding to a data breach is to figure out exactly what information was exposed.

Sometimes, companies will contact you to let you know whether your information was found in a data breach. You can also use the website Have I Been Pwned to search across multiple data breaches and see whether your email address or phone number has been compromised.

Change Any Exposed Passwords

If your password was compromised, you have to change it not only on the breached service but also everywhere else you’ve used that password.

The quickest way to do this is by using a password manager, which allows you to store unique, complex passwords for each account. Although it’s important to have a different password for each account, it’s best to start by changing passwords you know were a part of a data breach.
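One way to find every account that shares a breached password, shown as an added example that is not part of the original article: it reads a password-manager CSV export and lists the sites to change first. The column names (`name`, `username`, `password`) and all sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample standing in for a password-manager CSV export.
# The column names (name, username, password) are an assumption.
SAMPLE_EXPORT = """name,username,password
shop.example,me@example.com,Tr0ub4dor&3
forum.example,me@example.com,Tr0ub4dor&3
bank.example,me@example.com,c0rrect-horse-battery
mail.example,me@example.com,Tr0ub4dor&3
news.example,other@example.com,purple-Staple-91
"""

def _fingerprint(password):
    # Compare digests so plaintext passwords are not kept as dictionary keys.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def load_accounts(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def accounts_to_change(accounts, breached_site):
    """Return the breached site plus every other site sharing its password."""
    breached = [a for a in accounts if a["name"] == breached_site]
    if not breached:
        return []
    exposed = {_fingerprint(a["password"]) for a in breached}
    reused = [a["name"] for a in accounts
              if a["name"] != breached_site and _fingerprint(a["password"]) in exposed]
    return [breached_site] + sorted(reused)

def reuse_groups(accounts):
    """Proactive check: groups of sites that share any one password."""
    groups = defaultdict(list)
    for a in accounts:
        groups[_fingerprint(a["password"])].append(a["name"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)

if __name__ == "__main__":
    accts = load_accounts(SAMPLE_EXPORT)
    print("Change first:", accounts_to_change(accts, "shop.example"))
    print("Reused groups:", reuse_groups(accts))
```

Delete the exported CSV once the audit is done, since it holds every password in plaintext.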

Switch From Text-Based MFA to an Authentication App

If your name and phone number were part of a data breach, attackers can use them to try to log into your account. When you turn on multifactor authentication (MFA), which is available for financial sites, social media sites, and many others, you’ll need a second factor in addition to your password to log in. That way, if an attacker gets your password, they still won’t be able to access your account.

Experts recommend using MFA, but some methods are better than others. If you’re using text messages, it’s best to switch to an authentication app such as Google Authenticator or Authy. Or you can use a hardware security key such as a Yubikey.

To remember all the services you want to switch, you can start by scrolling through your text messages to see which services have sent you security codes to log into your account. Then look for those accounts in this directory, to see whether you can use a software token for multifactor authentication. If you can, follow the steps listed. You’ll need to download an authenticator app if you don’t have one already, and scan the QR code from the website for the service you have an account with. That way you’ll be able to log into your account with your password and a temporary code on your authenticator app.

Some accounts don’t allow you to use authenticator apps or hardware keys for MFA. In those cases, Moussouris recommends getting a Google Voice number for any account that requires you to use a phone number as a second layer of authentication.

Remove Your Home Address

If your home address was compromised in a data breach and you learn that it’s been posted on another site, you can report it and see whether it can be removed.

If your address is showing up in web searches, you can report it to Google and Bing. Both of those search engines can help you remove your address from their results.

  • On Twitter, file a report stating that private information was posted.
  • On Facebook, click on the three dots above the post and select “find support or report post” and select the most appropriate option.
  • On Reddit, click on the “report” icon next to the post.

Although it’s not always possible to scrub your home address from the web entirely, because it’s often linked to voter rolls, real estate listings, and other public records, you can limit how easy it is to use your information by removing it from certain sites online through paid services like Kanary and DeleteMe, or through the time-consuming process of opting out yourself.

Freeze Your Credit

If your Social Security number or financial information was part of a data breach, freezing your credit will restrict access to it, which makes it challenging for identity thieves to open new accounts in your name.

To do this, contact each of the three major credit bureaus: Equifax, Experian, and TransUnion. These credit bureaus will offer free weekly credit reports through April 20, 2022, due to the ongoing COVID-19 crisis. Before the pandemic, they each offered a single free report annually and charged $20 for additional reports. You’ll have to temporarily lift the freeze in certain circumstances, for example, when you’re applying for a credit card or car loan, or want to rent an apartment.

Delete Accounts You’re Not Using

Having too many digital accounts increases the risk of your data being misused or stolen. The first step to getting rid of accounts for defunct platforms or ones you haven’t used in years is to find them. Type your usernames, old and new, into a search engine, or look for combinations of your name and email address. You can also look for phrases such as “welcome to” or “new account” in your inbox, or look for saved logins in your search engine. Or just head back to Have I Been Pwned and remove accounts from apps you no longer use where your information has been compromised in the past.

Once you’ve taken these steps, be sure to keep an eye on all of your active accounts, including those with your banks, lenders, and retailers.


Yael Grauer

I am an investigative tech reporter covering digital privacy and security. I'm the lead content creator of CR Security Planner, a free, easy-to-use guide to staying safer online. Prior to Consumer Reports, I covered surveillance, online privacy and security, data brokers, dark patterns, clandestine trackers, security vulnerabilities, VPNs, hacking, and digital freedom for Wired, Vice, The Intercept, Slate, Ars Technica, OneZero, Wirecutter, Business Insider, Popular Science, and other publications. Follow me on Twitter (@yaelwrites)