Best Identity Protection After a Data Breach
The day a breach notice lands, the instinct is to buy something. A monitoring plan, a subscription, anything that feels like taking control of a situation a stranger just took out of your hands. I understand that impulse. For years I sat on the side that benefited from it, and I watched companies time their offers to that exact moment of anxiety.
Whether buying anything makes sense depends on one thing the letter usually buries: what was actually exposed. A breach that leaked a reused password is a different problem than a breach that leaked your Social Security number, and they call for different responses. One of those problems is worth paying to fix. The other usually isn’t.
So before you enter a credit card to feel safer, figure out what you actually lost. That sounds obvious. The reason it isn’t is that the letter in your hand wasn’t written to tell you.
The letter was written for the company, not for you
A breach notification is a compliance document first and a threat assessment a distant second. Many national notices follow the structure California’s breach law set, with standardized headings like “What Happened,” “What Information Was Involved,” and “What You Can Do.” That format is fine as far as it goes. It also explains why these letters read like they were run past a legal team, because they were.
The Identity Theft Resource Center tracked this in its 2025 breach report, and the numbers are worth knowing. Seventy percent of the notices it reviewed gave no detail about how the attack happened. Three out of four people surveyed said they wanted a specific list of what data of theirs was taken, and most didn’t get one. And 88 percent of people who received a notice went on to experience at least one negative consequence, usually more phishing, more spam and robocalls, or attempts to break into accounts they already had.
“No evidence of misuse” is a sentence about the company’s liability, not about your risk.
The information is out. Whether someone has gotten around to using it yet is a different question than whether they can.
Here’s a useful tell hiding in the law itself. California treats a login-credential breach differently from an SSN breach. If the only thing exposed is an account username or email plus a password, the company can satisfy the law by simply telling you to change that password and change it anywhere else you reused it. The statute already understands that a password leak and an identity leak are not the same problem. Your wallet should understand it too.
The rule that cuts through most of the noise
There’s one distinction that sorts almost every post-breach decision, and the industry rarely leads with it because it doesn’t sell subscriptions.
Free steps tend to do the prevention. Paid services tend to do the detection and the cleanup after the fact.
The Consumer Financial Protection Bureau says it plainly: most credit-monitoring services alert you after your information has already been stolen, while a credit freeze can stop new credit from being opened in your name before any harm happens. A freeze is the lock on the door. Monitoring is the camera that tells you someone walked through it. Both have a place. They are not the same purchase, and you generally want the lock before you want the camera.
Keep that in mind as you read the rest of this, because it’s the reason the answer changes so much depending on what leaked.
| What the notice says leaked | The real risk | Free steps that matter most | Does paying help? | What to buy if you do |
|---|---|---|---|---|
| Username or password only | Account takeover, especially if you reused the password | Change the password and every reused copy, turn on two-factor | Sometimes | A password manager with breach alerts |
| Payment card only | Unauthorized charges | Lock or replace the card, watch the statement, dispute fast | Usually no | Nothing beyond your bank’s own alerts |
| Social Security number | New-account fraud, tax fraud, benefits misuse | Freeze all three bureaus, get an IRS IP PIN, lock your SSA account | Sometimes | Three-bureau monitoring with real restoration |
| Full personal information | Fraud across credit, banking, utilities, government, and medical | All of the SSN steps, plus specialty-report freezes | Yes, strongest case | Broad identity protection with restoration specialists |
If the breach exposed a password
If the notice points to a username, email, or password, the danger isn’t someone taking out a mortgage tomorrow. It’s account takeover today, and it gets a lot worse if you reused that password somewhere else.
The mechanism is called credential stuffing. Attackers take the email-and-password pairs from one breach and feed them into hundreds of other sites, betting that plenty of people used the same combination on their bank, their email, and their shopping accounts. They’re usually right.
The free response is the whole response here. Change the breached password. Change it everywhere you reused it, and be honest with yourself about how many places that is. Turn on two-factor authentication on the accounts that matter, starting with your email, because email is the master key that resets everything else.
This is one of the few breach types where a paid product genuinely changes your security, and it isn’t an identity-monitoring plan. It’s a password manager. A good one generates a unique password for every account so a single leak can’t cascade, and the better ones now flag passwords that have turned up in known breaches. 1Password’s Watchtower and Bitwarden’s Exposed Passwords report both do this. Those features attack the actual downstream risk from a credential breach, which is reused and already-leaked passwords.
A generic identity-monitoring subscription does almost nothing for this scenario. If your breached password was already unique, you changed it, and you use two-factor, you’re done. You don’t need to buy anything. If you know you reuse passwords across dozens of accounts, the password manager is the rational buy, and not because of this one breach. It’s because it fixes the habit that makes the next breach worse.
If the breach exposed a payment card
When the exposure is limited to a card number, the urge to buy identity protection is almost always misplaced. The card system already has fraud rails built into it, and they work.
The right response is faster and free. Lock or replace the card, watch the statement, and dispute anything you didn’t authorize. The protections behind you are stronger than most people realize. With a credit card, if you report it lost or stolen before it’s used, you owe nothing. If it’s used first, federal law caps your liability at 50 dollars, and most issuers waive even that. If a thief grabbed only the number and not the physical card, you generally have zero liability. Visa and Mastercard both layer their own zero-liability policies on top of that.
Debit cards are where timing actually matters, so treat a debit exposure with more urgency. Report it within two business days and your liability is capped at 50 dollars. Wait longer and it can climb to 500, and after 60 days from the statement it can get worse than that. Banks usually have to investigate an unauthorized electronic transfer within about ten business days and may have to credit the money back while they do.
So for a true card-only breach, a paid identity service rarely adds anything your issuer doesn’t already provide. The one exception is when it wasn’t really card-only. If the breach also caught the security code paired with a PIN, an online-banking login, or other credentials that open the account itself, you’ve crossed into bank-account territory, and you should treat it like the bigger exposures below.
If the breach exposed your Social Security number
This is where the conversation changes, because an SSN is a permanent identifier. You can replace a card in a day. You’re stuck with your Social Security number, and so is anyone who steals it. The real risk is new-account fraud and the tax and benefits misuse that ride along with it.
The free stack here is strong, and it comes first. Freeze your credit at all three bureaus, which is the single most effective free move for blocking new accounts. Pull your free weekly reports at AnnualCreditReport.com. Get an IRS Identity Protection PIN, a six-digit number that stops anyone from filing a federal tax return under your SSN, which is one of the most common forms of tax identity theft. And lock down your my Social Security account so a fraudster can’t create one in your name or reroute your benefits.
A paid service can add value after an SSN breach, but the value is narrower than the ads suggest. Identity monitoring watches your information across credit applications, public records, and other places, and the better plans help you clean up the mess if fraud happens. What it can’t do is stop the theft. As the CFPB notes, monitoring mostly tells you after the fact. So a paid plan is a supplement to a freeze, never a substitute for one.
If you do pay, the profile to look for is three-bureau monitoring paired with real restoration help, meaning specialists who will work with creditors and bureaus on your behalf rather than just sending you an alert and wishing you luck. Whether that’s worth it depends a lot on you, which is the whole question I dig into here.
If the breach exposed full personal information
“Full PII” means enough of your static identity to impersonate you across systems. Name plus SSN, date of birth, address, and often account, medical, or insurance details. This is the widest exposure there is, and it’s the one where paying is easiest to justify.
The reason isn’t that a service can magically prevent identity theft. No service can. It’s that the number of plausible fraud channels is much larger, and so is the cleanup if something hits. A full-PII breach can surface as a fraudulent credit card, sure, but also as a fake utility account, a checking-account problem, a tenant-screening flag, or a medical claim for care you never received. The consumer-reporting system is far bigger than the three big credit bureaus, and a wide breach can touch any corner of it.
So the free response has to be wider too. Do all the SSN steps above, then add the specialty freezes most people have never heard of. ChexSystems handles bank-account screening and lets you place a freeze. NCTUE covers telecom and utility accounts and offers the same. If health data was in the breach, start reading the Explanation of Benefits statements from your insurer and flag any service you didn’t get.
This is the exposure where a broad paid service earns its keep, if you’re the kind of person who won’t keep watch yourself. The feature set that matters covers three-bureau credit changes, identity events outside the bureaus, financial-account monitoring where it’s offered, and human restoration. Services like Aura and LifeLock are built around this wider model, and you can see how they stack up in my LifeLock vs. Aura comparison.
One honest caveat on price, since the marketing won’t volunteer it. I’ve watched LifeLock’s family pricing jump close to 60 percent at the first renewal, while Aura has held its rate steady year over year. If you buy on the introductory number without reading the renewal terms, that’s the kind of surprise that shows up twelve months later. My Aura review and EverSafe review go through what each one actually monitors.
My practical advice is this. Do the free structural defenses first, every time. Then decide whether you want to pay someone to handle the ongoing watching and the recovery labor. If you’re organized, you already track your accounts closely, and you’re willing to manage freezes and disputes yourself, you may not need to pay at all. If you’re protecting a family, you have several exposed data types, you travel constantly, or you already know you won’t keep checking reports and statements, that’s the strongest case for buying broad monitoring with strong restoration.
What to skip, regardless of what leaked
A few things get sold harder than they deserve.
Don’t let the insurance number decide anything. A million-dollar coverage figure looks reassuring on the ad. Read the terms and you’ll usually find it reimburses incidental costs like postage, notary fees, and lost wages, not the money actually stolen from your accounts. The Consumer Federation of America has been blunt about this. The help that matters is the restoration support, not the headline figure.
Be skeptical of monitoring sold as comprehensive that only watches one bureau. The three bureaus don’t always hold the same information, so a one-bureau plan can miss exactly the file a thief is using.
Don’t mistake dark-web monitoring for protection. Knowing your data is for sale somewhere is a useful alert. It does not close the account, freeze the report, replace the card, or get you an IRS PIN. It tells you the horse is gone. It doesn’t shut the barn.
And if the breached company offers you free monitoring, take it, but treat it as an extra layer rather than your whole plan. Read the fine print on what happens when the free year ends, because plenty of these offers quietly roll into a paid subscription you have to remember to cancel.
The honest bottom line
The buying decision after a breach is simpler than the panic makes it feel. Buy the thing that fixes what was exposed, not the thing that markets fear the loudest.
A password leak points to a password manager, if you don’t already use one. A card-only breach points to your bank’s own tools and almost nothing else. An SSN breach points to free freezes first and a monitoring-plus-restoration plan only if you want to outsource the watching. A full-PII breach is the one case where broad paid protection most often earns its price, and even then, only after the free defenses are in place.
The letter that started all this was written to protect the company that lost your data. The good news is that the steps that protect you don’t depend on what that letter chose to tell you. They depend on what leaked, and now you know how to read that.
Tom Reardon spent over 20 years in product and operations at major identity protection providers. He writes at MyScamGuide.com to give consumers the honest picture the industry’s marketing never did.
Recommended resources:
- IdentityTheft.gov: the FTC’s official recovery resource and step-by-step plans
- AnnualCreditReport.com: free weekly credit reports from all three bureaus
- IRS Identity Protection PIN: free SSN protection against fraudulent tax filing
- my Social Security: secure your SSA account so no one can open one in your name