Data Breach Checklist
Interactive step-by-step checklist for what to do after a data breach. Track progress through password changes, credit monitoring, and more.
Immediate Actions (First 1-2 Hours)
Take these steps right away to minimize ongoing damage from the breach.
Change the password for the breached account right away. Use a strong, unique password with at least 16 characters combining uppercase, lowercase, numbers, and symbols. Do not reuse any password you have used before.
If you reused the breached password on other accounts, change those immediately. Credential stuffing attacks test stolen passwords across hundreds of services automatically. Each account should have a completely unique password.
Enable two-factor authentication (2FA) on the breached account and any other important accounts. Use an authenticator app (like Authy or Google Authenticator) or a hardware key (like YubiKey) rather than SMS, which can be intercepted via SIM swapping attacks.
Log in to all bank accounts, credit cards, and payment services (PayPal, Venmo, etc.). Look for any transactions you do not recognize, no matter how small. Criminals often test with micro-transactions before making larger fraudulent charges.
Sign out of all devices and sessions; most services offer this option in their security settings. This terminates any session an attacker may have established using your stolen credentials.
Check your email address, phone number, recovery options, and connected apps on the breached account. Attackers often change recovery information to maintain access even after you change your password.
Take screenshots of breach notifications, suspicious emails, unauthorized transactions, or any other evidence. This documentation may be needed for filing reports with your bank, law enforcement, or the FTC.
Within 24 Hours
Complete these actions within the first day to protect your identity and finances.
Contact Equifax (equifax.com/personal/credit-report-services), Experian (experian.com/freeze), and TransUnion (transunion.com/credit-freeze) to freeze your credit. A freeze prevents anyone from opening new credit accounts in your name. It is free and does not affect your credit score.
Place an initial fraud alert with one of the three credit bureaus (they are required to notify the other two). This alert requires creditors to verify your identity before opening new accounts. An initial alert lasts one year and is free.
If any of your security question answers were exposed, change them on all accounts that use them. Consider using random answers stored in a password manager rather than real answers, which can often be found through social media.
Attackers often set up email forwarding rules to silently receive copies of your emails (including password resets). Check your email settings for any forwarding addresses, filters, or rules you did not create.
Use a reputable password manager (like Bitwarden, 1Password, or KeePass) to generate and store unique passwords for every account. This prevents password reuse, which is the number one cause of account compromise after breaches.
Call your bank and credit card companies to inform them of the breach. Request enhanced fraud monitoring, new card numbers if payment data was exposed, and ask about their fraud protection policies and dispute procedures.
Go to the security settings of your breached account and review all third-party apps with access. Revoke any you do not recognize or no longer use. Attackers can use OAuth tokens from connected apps to maintain access.
If you used the same password for work accounts or if work data was potentially exposed, inform your IT department or security team immediately. They can take steps to protect company systems and data.
Within 1 Week
Follow up with these protective measures during the first week.
Sign up for a credit monitoring service to receive alerts about changes to your credit report. Many breach notifications include free monitoring (check the breach notification email). You can also use free services like Credit Karma or annualcreditreport.com.
If your Social Security Number (SSN), driver's license, or other identity documents were compromised, file a report with the FTC at IdentityTheft.gov. This creates an official Identity Theft Report you can use to dispute fraudulent accounts and transactions.
Review login history and recent activity on all your important accounts: email, social media, cloud storage, shopping sites, and financial services. Look for logins from unfamiliar locations, devices, or IP addresses.
Ensure your recovery contact information is current and secure on all accounts. Use a secondary email address that is not publicly associated with your primary accounts. Consider using a Google Voice number for account recovery.
Check the breach notification and resources like HaveIBeenPwned.com to understand exactly what data was exposed (passwords, emails, SSN, financial data, etc.). This helps you prioritize your response based on the specific risks.
Attackers use personal information from social media for targeted phishing and social engineering. Review privacy settings on all social platforms, remove personal details from public profiles, and be cautious about what you share.
If your Social Security Number was compromised, create an account at IRS.gov to check your tax records. Consider filing an IRS Identity Protection PIN request to prevent fraudulent tax returns from being filed in your name.
If you experienced financial loss or identity theft, file a report with your local police department. While they may not investigate directly, the report can be valuable when disputing charges or dealing with creditors.
Ongoing Monitoring
Continue these practices to protect yourself long-term after a breach.
Request your free credit reports from annualcreditreport.com. Stagger requests across the three bureaus (one every 4 months) for year-round monitoring. Look for accounts you did not open, inquiries you did not authorize, and incorrect personal information.
After a breach, expect increased phishing attempts using your leaked data to look legitimate. Be suspicious of emails, texts, or calls referencing the breach, asking you to verify information, or creating urgency. Never click links in unexpected messages.
Check bank and credit card statements at least weekly for the first few months after a breach. Set up transaction alerts for any purchase over a threshold amount. Report unauthorized transactions immediately to benefit from fraud protection policies.
Use services like HaveIBeenPwned.com, your password manager's breach monitoring, or credit monitoring services that include dark web scanning. These can alert you if your data appears in new breaches or is being sold.
Monitor your physical mailbox for unexpected credit cards, loan offers, bills for unknown accounts, or tax documents. These could indicate someone is using your identity to open accounts. Set up USPS Informed Delivery to track incoming mail.
Periodically change passwords for your most sensitive accounts (email, banking, cloud storage). Use your password manager to generate and store strong unique passwords. Also rotate passwords if you hear about any new breach affecting a service you use.
Store your two-factor authentication recovery codes in a secure, offline location (printed and locked, or encrypted offline storage). If you lose access to your 2FA device, these codes may be the only way to recover your accounts.
Evaluate whether identity theft insurance makes sense for your situation. Many homeowner or renter insurance policies offer it as an add-on. Standalone policies typically cover expenses related to identity theft recovery, such as legal fees and lost wages.
About This Checklist
This checklist provides a comprehensive response plan for data breaches. Focus on Critical items first, then Important, then Recommended. If you suspect ongoing unauthorized access, consider contacting a cybersecurity professional for assistance.