What to Do After a Data Breach

There were 3,322 data breaches in 2025 — a record. If you got a notification letter or email, you're in good company, but don't file it away: what you do in the next few days matters.

First, figure out what was taken

The notice should say what data was exposed. The risk level depends on it:

• Email + password: Change that password everywhere you reused it, now. Turn on two-factor authentication.
• Credit/debit card number: Ask the issuer for a replacement card and watch statements closely. Liability is limited, but catch it early.
• SSN, birthdate, address: The serious one. This combination lets thieves open accounts in your name — and it never expires. Follow every step below.

The essential steps

1. Freeze your credit at Equifax, Experian, and TransUnion. Free, and it blocks new-account fraud cold. Step-by-step guide.
2. Change the breached password and any account that shares it. Make your email account the priority.
3. Pull your credit reports at AnnualCreditReport.com and look for anything you don't recognize.
4. Watch your statements for small "test" charges — thieves verify cards with $1–5 transactions before going big.
5. Be suspicious of follow-up contact. Scammers use breach data for convincing phishing emails and calls pretending to be the breached company or your bank. Don't click links in "security alert" emails — go to the site directly.

About that "free credit monitoring" offer

Breached companies typically offer 12 or 24 months of free credit monitoring. Take it — but know its limits. It usually covers one bureau, not three. It often expires just as the stolen data starts getting used; criminals routinely sit on breach data until the free monitoring window closes. And it rarely includes dark web surveillance or meaningful insurance.

Advertising Disclosure: We receive compensation when you enroll with IdentityIQ through links on this site. This does not affect the price you pay.