My Data Was in a Breach: What Should I Actually Do?
You got the email. "We regret to inform you that your personal information may have been involved in a data breach." Maybe it was a company you barely remember signing up for. Maybe it was your health insurer or a retailer you used once in 2019. Either way, your data is out there now.
Before you panic: not all breaches are equal. The difference between a leaked email address and a leaked Social Security number is enormous. What you need to do next depends entirely on what type of data was exposed, and most breach notifications are frustratingly vague about that.[1]
Companies are sometimes required by law to notify you within 60-90 days of discovering a breach, but the breach itself may have happened months or years earlier. The data could have already been sold or used. Don't assume you're safe just because nothing has happened yet.
The Three Tiers of Breach Severity
Not all exposed data carries the same risk. Here's how to assess what you're dealing with:
Tier 1: Email & Password Exposure
Risk level: Moderate. Your email and hashed (or sometimes plaintext) password from one service is now in a database that criminals share and sell. The primary risk is credential stuffing: automated attacks that try your leaked email/password combo on hundreds of other sites. If you reuse passwords, this is more dangerous than it sounds. One leaked password from a forgotten forum can unlock your bank account.
Tier 2: Personal Identity Data (Name, DOB, Address, Phone)
Risk level: Elevated. This data is used for social engineering, SIM swapping, and building more complete identity profiles. On its own, it won't empty your bank account, but combined with other leaked data, it gives criminals enough to impersonate you convincingly to customer service reps and phone carriers.
Tier 3: SSN, Financial Data, Medical Records
Risk level: Critical. This is identity theft territory. Exposed Social Security numbers, bank account details, or medical records can be used for financial fraud, tax fraud, and medical identity theft. This tier requires immediate, aggressive action.[2]
Immediate Actions: Password & Email Breach
Use a strong, unique password: at least 16 characters, random, generated by a password manager.
Be honest: if you used this password on other sites, change it there too. Every single one. This is the most important step.
Turn on 2FA on every account that supports it, especially email, banking, and social media. Use an authenticator app, not SMS, which is vulnerable to SIM swapping.
Use a password manager: 1Password, Bitwarden, or Apple's built-in Keychain. The goal: every account gets a unique random password you never have to remember.
Review recent login activity on your major accounts. Most services show recent sign-ins with location and device info. Revoke any sessions you don't recognize.
Immediate Actions: SSN & Financial Breach
Freeze your credit at all three bureaus: Equifax, Experian, and TransUnion. A credit freeze is free, takes about 10 minutes per bureau, and blocks anyone from opening new credit in your name.
Go to IdentityTheft.gov and file a report. This creates an official affidavit you'll need if fraudulent accounts are opened.
Call your bank's fraud department. Request alerts on all transactions, new account openings, and changes to your account information.
Go to AnnualCreditReport.com and review reports from all three bureaus. Look for accounts you didn't open, inquiries you didn't authorize, and addresses you don't recognize.
Apply for an IRS Identity Protection PIN (IP PIN) at irs.gov/ippin to prevent someone from filing a fraudulent tax return using your SSN.
Credit Freeze vs. Credit Lock vs. Fraud Alert
Credit Freeze: Legally regulated under federal law. Completely blocks access to your credit report for new applications. Free to place and lift. This is what you want.
Credit Lock: A product offered by credit bureaus (often paid). Functionally similar but governed by a service agreement, not federal law. Don't pay for what you can get free with a freeze.
Fraud Alert: A note on your credit file asking creditors to verify your identity. Lasts 1 year. Creditors are supposed to honor it but are not strictly required to. Significantly weaker than a freeze.[3]
Credit bureaus aggressively market their paid lock products because they make money from them. A credit freeze provides the same protection for free, with stronger legal backing.
Check if You've Been Breached: Have I Been Pwned
Have I Been Pwned (haveibeenpwned.com) is a free service run by security researcher Troy Hunt. Enter your email address and it shows you every known breach that included that email. Most people appear in 5-10 breaches. HIBP also lets you check if specific passwords have been exposed using a clever partial-hash system.[4]
HIBP lets you register your email for free notifications when it appears in a future breach. Do this for every email address you use.
The "Free Credit Monitoring" They Offer
After a breach, the responsible company almost always offers 12-24 months of free credit monitoring. Take it. But understand what it is. Credit monitoring alerts you AFTER the damage is done. It's a smoke detector, not a fire extinguisher. A credit freeze prevents the fire in the first place. Also: the "free" monitoring often auto-enrolls you in a paid subscription. Set a calendar reminder to cancel.
Long-Term Vigilance
Free weekly credit reports are available at AnnualCreditReport.com. Check at least every three months for the first two years.
Criminals sometimes start with small test charges ($1-5) before making larger purchases. Report anything you don't recognize immediately.
After a breach, expect targeted phishing emails that reference the breach itself. Go directly to company websites; never click links in emails.
Keep your credit freeze in place. Only lift it temporarily when you need to apply for credit, then immediately re-freeze. There is zero downside to a permanent freeze.
Stolen data doesn't expire. Criminal databases circulate for years, and your information may be used long after the original breach. Maintain vigilance indefinitely.
Sources & Citations
- [1] Identity Theft Resource Center: 2023 Annual Data Breach Report. 3,205 breaches reported in the US, a 78% increase over 2022.
- [2] FTC: What To Do If Your Social Security Number Was Compromised in a Data Breach. Official federal guidance on identity theft response.
- [3] Consumer Financial Protection Bureau: Credit Freezes vs. Fraud Alerts. Understanding the differences and your rights under federal law.
- [4] Have I Been Pwned: Largest free data breach notification service, cataloging billions of breached records across thousands of incidents.