[Image: four labeled response track rows, one for each of the four breach types covered below, with their action steps.]

What to Do After a Data Breach

Most breach notices read like they were written by a legal team, because they were. They protect the company. They don’t tell you what to actually do.

After two decades working inside the identity protection industry, I’ve read thousands of these letters. The pattern is consistent: vague language about what was “potentially accessed,” a deadline to enroll in free monitoring buried near the end, and almost nothing to help you judge how serious your situation actually is.

This guide skips the legal language and gets to what matters. What was exposed determines what you need to do. Everything else is noise.

Step One: Figure Out What Was Actually Exposed

The headline of a breach notice almost never tells you enough. “Personal information was accessed” is useless. You need the specific field list.

Look for whether the notice mentions any of these: password or login credentials, credit or debit card number, Social Security number, date of birth, driver’s license or passport number, bank account details, or health insurance information.

If the notice only says “name and email address,” your risk is low. If it says “name, SSN, date of birth, and financial account information,” you’re dealing with a different category of problem entirely.

Once you know what was exposed, ask what a thief can realistically do with it. Exposed passwords mean someone will try logging into your other accounts with that same password. Exposed card numbers mean someone will try making charges. An exposed SSN means someone could try to open credit accounts, file a tax return, or get a job in your name. That’s the practical frame. Match the response to the risk.

If Your Password Was Exposed

Change it everywhere it was used

This is where most people get it wrong. They change the password on the breached site and consider the problem solved.

Research on credential stuffing attacks shows the actual risk clearly: attackers take a breached username and password and try the exact combination on dozens of other sites, often automatically. They also try common variations like adding a number or changing a letter. If you used that password anywhere else, those accounts are now in play.

Change the breached account password immediately. Then change every account where you used the same or a similar password. Start with your email account. Email is the reset channel for most of your other accounts, so if a thief gets in there, the damage spreads fast.

After that: financial accounts, cloud storage, work accounts, social media, and anything that can authorize other logins.
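The "same or a similar password" test is the part people skip because it is tedious to do by hand against a vault of a few hundred entries. The following is an added example, not code from the article or from any password manager: given one password known to be in a breach, it flags every vault entry that is the same password, a simple variation of it (case change, leet-speak swaps, digits or symbols tacked on the end), or one edit away, so all of those accounts get rotated. The vault entries, the account names and the function layout are all constructed for the example.

```python
"""Find which vault entries share a breached password or a close variant.

Added example, not part of the article: given one password known to be in
a breach, flag every other account whose password is the same, a simple
variation (case, leet-speak, appended digits or symbols), or one edit away,
so all of them get rotated, not just the breached site. The vault entries
below are constructed sample data, as is the function layout.
"""
import re
from typing import Optional

# Letter/digit/symbol swaps people commonly use ("p@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
SEVERITY = {"exact": 0, "variation": 1, "near": 2}
MIN_CORE_LEN = 5  # skip near-matches on very short cores (too many false hits)


def normalize(pw: str) -> str:
    """Reduce a password to its core: lowercase, drop leading/trailing digits
    and punctuation, then undo leet-speak ("Summer2023!" -> "summer").
    Stripping happens before the leet swap so "2023" is not read as "2o2e"."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(candidate: str, breached: str) -> Optional[str]:
    """Return 'exact', 'variation', 'near', or None for an unrelated password."""
    if candidate == breached:
        return "exact"
    core_c, core_b = normalize(candidate), normalize(breached)
    if not core_c or not core_b:
        return None  # all-digit/symbol passwords: only exact matches count
    if core_c == core_b:
        return "variation"
    if (min(len(core_c), len(core_b)) >= MIN_CORE_LEN
            and edit_distance(core_c, core_b) <= 1):
        return "near"
    return None


def find_at_risk(vault, breached: str):
    """List (account, reason) for every vault entry that should be rotated,
    most severe first. `vault` is an iterable of {"account", "password"} dicts."""
    hits = []
    for entry in vault:
        reason = classify(entry["password"], breached)
        if reason:
            hits.append((entry["account"], reason))
    hits.sort(key=lambda hit: SEVERITY[hit[1]])  # stable: vault order within a tier
    return hits


# Constructed sample vault; in this scenario the breach notice came from "shop".
VAULT = [
    {"account": "mail (recovery email)", "password": "Summer2023!"},
    {"account": "bank", "password": "Tr0ub4dor&3"},
    {"account": "shop (breached site)", "password": "Summer2023!"},
    {"account": "forum", "password": "summer2024"},
    {"account": "cloud", "password": "Summr2023!"},
    {"account": "work", "password": "correct horse battery staple"},
]
BREACHED_PASSWORD = "Summer2023!"

if __name__ == "__main__":
    for account, reason in find_at_risk(VAULT, BREACHED_PASSWORD):
        print(f"rotate {account:<24} ({reason} match)")
```

Run it against an export from your own password manager (most can export to CSV; map the columns into the `account`/`password` dicts) and rotate everything it lists, starting with the recovery email. The "near" tier exists because a one-character typo of a reused password is still a reused password as far as an automated login attempt is concerned.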

Lock down the account itself

Changing the password isn’t the only step. Sign out of all active sessions if the service lets you. Turn on multi-factor authentication. Check that the recovery email address and phone number are still yours and haven’t been changed.

If your email account was the one that was breached, also check for forwarding rules you didn’t set up. Attackers sometimes add a forwarding rule so incoming mail routes to them even after you change your password. Check the sent and deleted folders too.
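Checking rules by eye works for a handful of filters; it is easy to miss one among dozens. The following is an added example, not code from the article or from any mail provider: it takes an exported list of mailbox rules and flags the two patterns described above, a rule forwarding to an address outside domains you control, and a rule that deletes, archives or marks-read mail matching security-related terms (or every message). The rule layout (name / match / actions), the sample rules and the domain list are constructed for the example; real providers export rules in their own formats, so map those fields first.

```python
"""Audit exported mailbox rules for post-compromise tampering.

Added example, not from the article: after an email account is taken over,
an attacker may leave a rule that forwards mail to an outside address or
that deletes/marks-read security notices. This flags both patterns. The
rule layout (name / match / actions) and the sample rules are constructed
for this example; real providers export rules in their own formats, so
map those fields before running this on a real export.
"""

# Words that appear in the mail a thief would want to keep out of your sight.
SECURITY_KEYWORDS = ("password", "reset", "security", "verif", "login",
                     "sign-in", "one-time", "code", "new device")
# Actions that keep a message from being noticed.
HIDING_ACTIONS = ("delete", "mark_read", "archive")


def domain_of(address: str) -> str:
    """'a@Example.com' -> 'example.com' (a trailing '>' is tolerated)."""
    return address.rstrip(">").rsplit("@", 1)[-1].lower()


def is_security_related(match: dict) -> bool:
    """True if the rule's match criteria target security-style mail."""
    text = " ".join(str(value) for value in match.values()).lower()
    return any(word in text for word in SECURITY_KEYWORDS)


def audit_rules(rules, owned_domains):
    """Return (rule name, issue) pairs that deserve a human look."""
    owned = {d.lower() for d in owned_domains}
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        match = rule.get("match") or {}
        actions = rule.get("actions") or {}

        target = actions.get("forward_to")
        if target and domain_of(target) not in owned:
            findings.append((name, f"forwards matching mail to external address {target}"))

        hiding = [action for action in HIDING_ACTIONS if actions.get(action)]
        if hiding and not match:
            # An empty match means the rule applies to every incoming message.
            findings.append((name, f"applies {'/'.join(hiding)} to every incoming message"))
        elif hiding and is_security_related(match):
            findings.append((name, f"applies {'/'.join(hiding)} to security-related mail matching {match}"))
    return findings


# Constructed sample export for an account whose owner controls example.com.
OWNED_DOMAINS = {"example.com"}
RULES = [
    {"name": "Newsletters", "match": {"from": "news@shop.test"},
     "actions": {"label": "Promotions"}},
    {"name": "Backup",      "match": {},
     "actions": {"forward_to": "backup.acct@mailbox.test", "delete": True}},
    {"name": "Cleanup",     "match": {"subject": "password reset"},
     "actions": {"mark_read": True, "delete": True}},
    {"name": "Work copy",   "match": {"from": "@example.com"},
     "actions": {"forward_to": "me@example.com"}},
]

if __name__ == "__main__":
    for rule_name, issue in audit_rules(RULES, OWNED_DOMAINS):
        print(f"[{rule_name}] {issue}")
```

The "Backup" rule is the classic leave-behind: it copies everything to an outside mailbox and then deletes the original, so the account still looks normal. Anything the audit lists that you do not remember creating should be removed, and the password and sessions reset again afterwards, since the rule may have been re-added after an earlier reset.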

Use a password manager going forward

If you’re managing passwords in your head or reusing them across sites, a breach like this will keep creating the same problem. A password manager generates unique passwords for every account and removes the reuse problem entirely. The manager’s own master password should be strong, and the manager itself should have multi-factor authentication turned on.

For multi-factor authentication generally, an authenticator app is more secure than receiving codes by text message. A hardware security key is more secure still. Use the strongest option a service offers.

If Your Payment Card Was Exposed

Know your rights before anything else

The liability rules for credit cards and debit cards are very different, and the timelines matter.

Credit card liability

If someone makes unauthorized charges using your account number, you generally have no liability as long as you report it and the physical card wasn’t lost. Federal law caps liability at $50 even in the worst case, and most card agreements waive that entirely.

Debit card liability

The rules are stricter. Report a lost or stolen card within two business days: liability is capped at $50. Report it after two business days: liability can reach $500. Wait more than 60 days after the statement showing the unauthorized charges was sent to you: you may be responsible for the later losses the bank can show you could have prevented by reporting sooner.

Call the issuer immediately

Use the number on the back of the card or inside the issuer’s official app. Don’t use a number from an email claiming to be from your bank.

Report any suspicious charges. Ask whether the card should be cancelled and replaced. If the card is debit-based, change the PIN.

For credit card billing errors, you have 60 calendar days from the first statement showing the error to send a written dispute. The issuer has to acknowledge it within 30 days and resolve it within two billing cycles. You typically don’t have to pay the disputed amount while the investigation is open.

For debit cards, the bank generally has 10 business days to investigate, though this can extend to 45 or 90 days in certain cases if provisional credit is issued. If they ask you to confirm a phone dispute in writing, do it within 10 business days.

After the new card arrives

Update any automatic payments and recurring subscriptions tied to the old card number. This step is easy to forget and will cause payments to fail.

If the bank or issuer stalls or mishandles your dispute, file a complaint with the Consumer Financial Protection Bureau. The CFPB has real enforcement authority over card issuers.

If Your Social Security Number Was Exposed

Freeze your credit at all three bureaus

An SSN breach means your biggest near-term risk is someone opening new credit accounts in your name. The most effective defense isn’t monitoring. It’s a credit freeze.

A credit freeze is free. It doesn’t affect your credit score. It stops most new credit from being opened in your name. And it lasts until you lift it. You have to place it with all three major bureaus separately: Equifax, Experian, and TransUnion. If you haven’t done this before, the step-by-step credit freeze guide walks through each bureau’s process.

I spent years inside this industry, and I’ll be direct: the industry doesn’t lead with credit freezes because they reduce the perceived need for paid monitoring. But for new-account fraud, a freeze is the stronger tool. Use it.

A fraud alert is a lighter option if you need to apply for credit soon. An initial fraud alert is free, lasts one year, and you only need to place it with one bureau. That bureau notifies the other two. If you’ve already confirmed identity theft and have an FTC Identity Theft Report or police report, an extended fraud alert lasts seven years.

The decision tree below maps the logic:

Lock your IRS and SSA accounts

Get an IRS Identity Protection PIN. You can do this through your IRS online account. An IP PIN is a six-digit number required to file your federal tax return. Without it, someone can’t file a fraudulent return in your name. This is free and takes a few minutes.

Create or secure your Social Security online account at ssa.gov. SSA says that opening your own account prevents someone else from creating one in your name using your SSN. If you believe your SSA information has actually been compromised, you can call SSA and request Block Electronic Access, which stops automated and online access to your record until you lift it.

Review your credit reports

Pull your free credit reports through AnnualCreditReport.com and look for accounts, inquiries, utilities, mobile accounts, or collections you don’t recognize. You can now do this weekly for free from each of the three major bureaus. That makes active review genuinely useful, not just a periodic formality.

If you get an IRS letter or a W-2 from an employer you don’t recognize, don’t include that income on your return and don’t file an amended return with it. Contact SSA directly.

If Your Full Identity Profile Was Exposed

Treat it as a multi-vector problem

A full-PII breach typically means name, SSN, date of birth, address, and one or more additional identifiers like driver’s license, financial account details, or health information. When all of those travel together, the risk isn’t one narrow problem. It’s several problems that can show up in sequence: new credit accounts, tax fraud, employment misuse, benefits fraud, medical identity theft.

The response covers all of those, not just one.

Start at IdentityTheft.gov

The FTC’s IdentityTheft.gov creates your Identity Theft Report and a personalized recovery plan. The report is important: it’s accepted by credit bureaus and most companies as formal documentation that you’re a victim, and it’s often enough without a separate police report.

Take all the steps from the SSN section: freeze your credit at all three bureaus, get an IRS IP PIN, secure your SSA account.

For any fraudulent accounts or charges that have already appeared, call the business’s fraud department and ask for written confirmation that the account isn’t yours, you aren’t liable, and the item has been removed. Get this in writing and keep it. Fraudulent accounts can resurface, and having documentation protects you when they do.

Get the records you’re entitled to

If a business opened a fraudulent account using your identity, you have the right under FCRA Section 609(e) to request the application and transaction records related to that fraud. The business has to provide them free of charge within 30 days of a proper written request. Include proof of your identity, your FTC Identity Theft Report, and a police report if you have one.

Those records often tell you a lot about how and when the fraud happened.

Handle specialized downstream harms

If health information was involved, treat it as medical identity theft specifically. Request records from any provider where the thief may have used your information, review them for errors, and report through IdentityTheft.gov. If you believe a HIPAA-covered entity violated your health privacy rights, you can file a complaint with the HHS Office for Civil Rights.

If unemployment or benefits fraud shows up, report it to your employer first, then your state workforce agency, then the FTC.

If tax-related fraud appears, follow IRS instructions and contact the IRS identity theft line. Most people don’t need to file Form 14039 on their own; the IRS will tell you when that step is actually needed.

Watch for Scams That Follow Breaches

After a high-profile breach, scammers impersonate banks, card issuers, and fraud departments. They know you’re on edge and more likely to engage with an urgent message.

Use only contact information from the official company website, the back of your card, or your account app. Don’t use phone numbers, links, or email addresses from inbound messages claiming to be about your account. That’s true even if the message looks legitimate.

Summary: Match the Response to the Exposure

What was exposed: Password or login credentials
Highest priority: Change the breached password and every account where you reused it. Start with email. Enable MFA.

What was exposed: Credit or debit card number
Highest priority: Call the issuer immediately. Know your liability deadlines: 2 business days for debit, 60 days for credit billing errors.

What was exposed: Social Security number
Highest priority: Freeze credit at all three bureaus. Get an IRS IP PIN. Secure your SSA account.

What was exposed: Full PII (name, SSN, DOB, financial or health data)
Highest priority: Start at IdentityTheft.gov. Freeze credit. Dispute fraudulent accounts in writing. Get the application records you're entitled to.

A word on monitoring offers

Most breach notices include an offer for free credit monitoring for one to three years. That’s worth accepting, with this caveat: monitoring alerts you after something changes. It doesn’t stop a thief from opening an account in your name. Think of it as an early-warning system. Useful, but it doesn’t replace a credit freeze, active account review, or the specific steps above for your breach type.

The same logic applies to paid identity protection services. They’re supplements to direct action, not substitutes for it. If you’re evaluating whether a paid service makes sense for your situation, see the honest breakdown of what identity protection services are actually worth.


Tom Reardon spent over 20 years in product and operations at major identity protection providers. He writes at MyScamGuide.com to give consumers the honest picture the industry’s marketing never did.

