
What to Do After a Data Breach

A calm, practical checklist for the first hour, first day, and first month after you learn your data was exposed. No panic, no upsells, just the steps that actually reduce risk.

First: do not panic, but do act today

The instinct after a breach notice is to doomscroll the news, close the browser, and deal with it later. That is the worst move. The first hours matter more than anything else because the data is freshest, stolen credentials are being probed at scale by automated tooling, and any freeze or rotation you do today eliminates a whole class of downstream fraud.

This guide is divided into three time horizons: the first hour, the first day, and the first month. Work through them in order. You do not need to do everything at once, but do not skip ahead either.

Before we start, a quick framing note: not every breach is equally dangerous. A marketing-list leak with just your email is annoying. A breach involving full name, date of birth, Social Security or national ID number, and driver's licence information is a serious identity-theft risk. The severity of the response scales with what was exposed.

Step 0: figure out what was actually exposed

Find the original breach notice. Read it end to end. Look for the phrase “the following data elements may have been involved.” That list is the one that determines what you have to do next.

Common data categories and what they unlock for attackers:

Data exposed | Primary risk | Priority
--- | --- | ---
Email address only | Phishing, credential stuffing against other sites | Medium
Email + password (hashed or plaintext) | Credential stuffing, account takeover | High
Phone number | SIM-swap attacks, smishing, voice phishing | High
Date of birth | Identity verification at other services | High
Social Security / national ID number | Identity theft, new-account fraud, tax fraud | Critical
Driver's licence or passport number | Identity verification, account opening | Critical
Full credit/debit card number with CVV | Card-not-present fraud | Critical
Bank account or IBAN | ACH/direct-debit fraud, wire targeting | Critical
Health/medical records | Insurance fraud, extortion | Critical

The priority rating tells you how urgent the rest of this page is. Most breach notices will be missing at least one detail; assume the worst of the plausible options until you can confirm otherwise.

The first hour

If you have 60 minutes, do these in order:

  1. Change the password on the breached service. Use your password manager to generate a fresh, random one.
  2. Change the password anywhere else you reused it. If you do not know, search your password manager's reuse report. Anything flagged with the same old password, rotate.
  3. Enable multi-factor authentication on that account. Authenticator app or hardware key, not SMS where possible.
  4. If a credit or debit card number was exposed, call the issuer to request a replacement card. Most banks have this in the app. Same-day reissue is common.
  5. If a password was in the breach, even with nothing else, also change your email account password. Your email is the master recovery channel for everything else.
  6. If the breach notice says to sign up for free credit monitoring, enrol. It is not sufficient on its own, but it is free and it is a useful alert channel.

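Step 2 above depends on knowing which other accounts share the breached password. If your password manager has no reuse report, the same check can be run over its CSV export. The script below is an added example for this guide, not a tool from any password manager; the column names (name, url, username, password) and the vault contents are constructed assumptions, and the report it prints names accounts only, never the passwords themselves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in the common "name,url,username,password" shape.
# Made-up vault for illustration; the column names are an assumption about
# the export format, so adjust them to match your own manager's CSV.
SAMPLE_EXPORT = """name,url,username,password
ExampleShop,https://shop.example,alice@example.com,Tr0ub4dor&3
Email,https://mail.example,alice@example.com,correct horse battery staple
Forum,https://forum.example,alice_f,Tr0ub4dor&3
Bank,https://bank.example,alice,Xk9#mQ2!vL7p
Streaming,https://tv.example,alice@example.com,Tr0ub4dor&3
"""


def load_entries(csv_text):
    """Parse a password-manager CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def group_by_password(entries):
    """Map each distinct password to the names of the entries that use it."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["password"]].append(entry["name"])
    return groups


def reused_groups(entries):
    """Return only the groups with more than one account, as sorted lists of
    account names. Passwords are deliberately left out of the result so the
    report can be kept with your breach notes."""
    return sorted(
        sorted(names)
        for names in group_by_password(entries).values()
        if len(names) > 1
    )


def accounts_sharing_password_with(entries, breached_name):
    """Given the name of the breached service, list every other account that
    uses the same password. These are the ones to rotate in the first hour."""
    by_name = {entry["name"]: entry["password"] for entry in entries}
    if breached_name not in by_name:
        raise KeyError(f"no entry named {breached_name!r} in the export")
    shared = by_name[breached_name]
    return sorted(
        entry["name"]
        for entry in entries
        if entry["password"] == shared and entry["name"] != breached_name
    )


if __name__ == "__main__":
    vault = load_entries(SAMPLE_EXPORT)
    for group in reused_groups(vault):
        print("same password shared by:", ", ".join(group))
    print("rotate after the ExampleShop breach:",
          accounts_sharing_password_with(vault, "ExampleShop"))
```

Run it against a real export only on a machine you trust, and delete the export file afterwards; the CSV holds every password in plaintext.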
Sixty minutes in, most of the immediate credential risk is addressed. Now do the harder stuff.

The first day

These are the actions that take longer than an hour but still need to happen the same day.

  1. Freeze your credit at all three US bureaus (Equifax, Experian, TransUnion) if Social Security, date of birth, or ID numbers were exposed. This is free, reversible, and takes 15 minutes. A freeze prevents new credit from being opened in your name. In the UK, request a CIFAS Protective Registration. In other jurisdictions, check the equivalent registry.
  2. Sign up for Have I Been Pwned notifications at haveibeenpwned.com using every email you use. Future breaches will reach you automatically.
  3. Review bank and credit card statements for the last 60 days. Flag anything you do not recognise. Small test charges ($0.99 or a foreign currency equivalent) are how fraud often starts before the bigger charges arrive.
  4. Change passwords on your five most critical accounts. Email, banking, identity provider, password manager, and any service that stores a government ID on your behalf.
  5. Turn on login notifications everywhere they are offered. Email alerts on new logins are free early warning.
  6. Rotate any authenticator-app seeds (TOTP secrets) that were shared with the breached service. This is rare, but it happens with SSO integrations.
  7. If you cannot freeze, set a fraud alert with one US bureau; that bureau notifies the other two, and the alert lasts one year.
  8. If tax IDs or health IDs were exposed, request an IRS Identity Protection PIN (US) or the equivalent tax-fraud marker in your country.
  9. File a report at identitytheft.gov (US) if you see actual fraud. This creates an official record and generates a recovery plan.
  10. Document everything. A simple timestamped note of every call, every rotation, every confirmation email. This matters later if you need to dispute charges or prove due diligence.

The first month

Breach response does not end at 24 hours. The next four weeks are when attackers stress-test what they stole, which means that is when downstream fraud attempts show up.

  1. Re-pull your credit reports at day 7, day 14, and day 30. In the US, AnnualCreditReport.com provides free weekly reports from all three bureaus. Look for new accounts, new hard inquiries, or changed addresses you do not recognise.
  2. Watch your email for address-change, phone-change, and password-reset notices on services you did not initiate. These are often the first sign of an active account-takeover attempt.
  3. Audit your online identity. Search your own name, email, and phone number. If a breach has put information online, data brokers will pick it up within weeks. Opt-out requests at major brokers (Spokeo, Whitepages, BeenVerified, PeopleFinder) take time.
  4. Rotate secondary passwords. Utility providers, streaming accounts, loyalty programmes. Attackers use these as stepping stones to higher-value accounts.
  5. Check your phone carrier's SIM-swap protections. Add a port-out PIN or equivalent. If your phone number was exposed, SIM-swap attacks are a realistic threat.
  6. Refresh your second-factor setup. Move critical accounts from SMS to TOTP or hardware keys if they are not already.
  7. Audit your password manager's security dashboard. Rotate anything still flagged as reused, weak, or known-compromised.
  8. Review recent tax filings and health insurance explanations of benefits. Tax-fraud and medical-insurance fraud are both slow-burn categories that show up in statements.
  9. Evaluate whether to extend credit monitoring. The 12-month free year that typically comes with a breach notice should not be the end of monitoring, especially if ID numbers were exposed.

What to do if actual fraud occurs

Fraud escalates quickly. If you see a charge you do not recognise, a new account you did not open, or a tax return filed in your name that you did not file, do this:

  1. For unauthorised card transactions: call the number on the back of the card immediately. Request a dispute and a replacement card. In the US, file the dispute within 60 days of the statement to preserve all consumer protections.
  2. For bank ACH fraud: contact the bank in writing within 60 days (US Regulation E). The unauthorised transfer must be reversed unless the bank can prove gross negligence on your part.
  3. For new accounts opened in your name: call the lender, report the account as fraudulent, and ask them to close it. Then file an identity theft report at identitytheft.gov (US) or the equivalent, and dispute the account with the credit bureaus.
  4. For tax fraud: in the US, file IRS Form 14039 (Identity Theft Affidavit). Paper-file your real return and include a copy. In other jurisdictions, contact the tax authority directly.
  5. For medical fraud: request corrected records from every provider involved. Medical identity fraud contaminates your health record, which has care-safety implications.
  6. File a police report when new-account fraud, wire fraud, or criminal identity theft (someone using your name with law enforcement) is involved. Creditors and insurers often require it.
  7. Keep a log of every call, every letter, every reference number. Six months from now you will need it.

When an identity theft protection service is worth it

Paid identity-theft protection services have a legitimate role but are over-sold. Here is when they actually pay off and when they do not.

Worth paying for if:

  • Your Social Security, national ID, or other government credential was exposed.
  • You do not have time or attention to pull credit reports regularly.
  • You want a recovery specialist to handle the paperwork if identity theft happens.
  • You have minor children whose ID data was in the breach. Child identity theft is often invisible for years.

Not necessary if:

  • Only your email address was exposed.
  • You already have credit freezes in place at all three bureaus.
  • You already use a password manager with breach monitoring and are active about rotation.
  • Your bank offers identity-theft services as part of your existing account.

The free tools (credit freezes, Have I Been Pwned, credit-report access) cover most of what paid services do. Paid services add convenience, monitoring breadth, and insurance. Not magic, just convenience.

Quick reference: the post-breach checklist

Copy this and work through it. It is the same material as above, compressed.

  • ☐ Read the breach notice. List exposed data categories.
  • ☐ Change the breached account's password. Rotate anywhere reused.
  • ☐ Enable MFA, preferably not SMS.
  • ☐ Replace the card if card data was exposed.
  • ☐ Change your email password.
  • ☐ Sign up for Have I Been Pwned.
  • ☐ Freeze credit at all three bureaus if ID data was exposed.
  • ☐ Review statements for 60 days of activity.
  • ☐ Rotate passwords on your five critical accounts.
  • ☐ Turn on login notifications.
  • ☐ Enrol in the offered credit monitoring.
  • ☐ Pull credit reports at week 1, 2, and 4.
  • ☐ Add SIM-swap protection at your carrier.
  • ☐ Document everything as you go.
  • ☐ If fraud occurs, file reports promptly.

The bottom line

Breaches happen to almost everyone eventually. What separates a minor inconvenience from identity theft is mostly response time: how fast you rotate credentials, how fast you freeze credit, and how closely you watch for downstream fraud in the first month. The steps are cheap and mostly free. The cost of skipping them is not.

Store this checklist somewhere you can find it the next time a breach notice lands in your inbox. It is less stressful when you already know what to do.


Frequently Asked Questions

What is the first thing I should do after a data breach?

Read the breach notice to find out what was exposed, then change the password on the breached account and on any other account where you reused that password. Next, enable multi-factor authentication on that account if it is not already on. These three steps take ten minutes and cover most of the immediate risk.

Should I freeze my credit after every breach?

Not every breach, but definitely if the exposed data includes your Social Security number, date of birth, or government ID numbers. A freeze with all three US bureaus (Equifax, Experian, TransUnion) is free, reversible, and prevents new accounts from being opened in your name without your approval. It is the single most effective step against identity theft.

How do I know if my data was in a breach?

Sign up for Have I Been Pwned (haveibeenpwned.com) and add your email addresses. You will get notified when your email appears in a public breach. Many password managers also provide breach monitoring for every credential in your vault. Major breaches are also reported in the news.

Will my bank refund fraud charges after a breach?

Usually, yes, for credit and debit cards in the US and most of Europe, if you report the fraud promptly. Under US Regulation E for debit cards, reporting within two business days caps your liability at $50. Credit cards under Regulation Z cap it at $50 regardless. Act quickly and keep records of every conversation.

How long does identity theft recovery take?

From a week for a single compromised credit card to many months for full-blown identity theft involving new loan accounts and tax fraud. The longer you wait to notice and respond, the longer it takes. Most people who catch fraud within days resolve it within a few weeks.

Is credit monitoring from the breached company enough?

It is better than nothing, but it is not sufficient on its own. Post-breach credit monitoring usually only covers one of the three US bureaus and expires after a year or two. A credit freeze with all three bureaus is more protective and never expires. Treat the free monitoring as a bonus, not a substitute.

Reviewed by JP, Compliance & Security Specialist