What To Do If Your Data Has Been Breached

What Can You Do To Stay Safe After a Data Breach?

Data breaches are among the biggest threats to your identity and finances. Unfortunately, in 2024, it’s almost guaranteed that at least some of your personal data has been leaked in a data breach.

In April 2024, the hacking group USDoD stole and leaked 2.7 billion personal records from National Public Data — including names, addresses, birthdates, Social Security numbers (SSNs), and phone numbers from victims in the United States, Canada, and the United Kingdom [*].

How you should respond to a data breach depends on the type of data that has been stolen. But, as soon as you realize you’re a victim, these are the first steps you should take:

• Freeze your credit with the three major credit bureaus (Experian, Equifax, and TransUnion)
• Update all passwords, and enable two-factor authentication (2FA)
• Check your bank statements and free credit reports for signs of fraud
• Cancel any leaked accounts, and get new credit and debit cards
• Stay alert and be on the lookout for signs of fraud

Here’s what else you can do to stay safe and protect your identity:

{{show-toc}}

What You Should Do If Your Data Has Been Breached

1. Look for a data breach notification from the impacted company

All U.S. states and territories have legislation that mandates the disclosure of data breaches once they are discovered [*]. However, many companies don’t recognize and report breaches until months after they’ve happened. 

If you receive a data breach notification from a company, you can assume any leaked information is available to anyone on the Dark Web. 

Here’s what IdentityTheft.gov suggests you do, depending on what information was leaked:

Pro tip: Not sure how much of your sensitive information cybercriminals have stolen? Use Aura’s free Dark Web scanner to check what information has been exposed in recent data breaches. 

2. Freeze your credit with all major credit bureaus

A credit freeze blocks anyone from accessing your credit report. This means that scammers won’t be able to open new accounts or take out loans in your name (and ruin your credit score).

To freeze your credit, you must contact each of the three major credit reporting agencies individually. They'll ask for proof of your identity and give you a PIN to freeze (and unfreeze) your credit.

Here’s how to contact the credit bureaus:

Identity thieves may try to bypass credit freezes by using your personal information to impersonate you with businesses that rely on alternative reporting agencies. 

These lesser-known agencies — such as Innovis or LexisNexis — can be used by companies for screening purposes regarding employment, tenancy, new financial accounts, and credit-related applications like Payday loans. 

The Consumer Financial Protection Bureau (CFPB) has a list of consumer reporting agencies. To protect yourself, freeze your credit files with these smaller bureaus, too.

Why not use a fraud alert?

A fraud alert requires credit companies to identify you before verifying a credit approval. This added layer of security makes it harder for criminals to open new accounts or take out loans in your name. However, a fraud alert is less secure than a freeze because some lenders ignore the alert or use verification methods that scammers can easily bypass. 

3. Update your passwords, and enable 2FA

Once you know your data has been compromised, you need to secure your accounts and limit the damage that hackers can do. 

How to create secure passwords: 

• Make them unique. Use different passwords for every account. If you reuse a password that is compromised in a security breach, it can put multiple accounts in danger.
• Make them complex. Combine uppercase and lowercase letters, numbers, and symbols to create hard-to-guess passphrases. 
• Make them long. Aim for at least 13 characters to protect against brute force attacks. A password manager makes it easier to create and store long, unique, and complex passwords for every account.‍
• Back them up with 2FA. Enable two- or multi-factor authentication (2FA/MFA) on every account that allows it. This security measure requires a secondary authentication method to access your accounts — such as a one-time use code or biometric elements (fingerprint or facial scan).

4. Check your bank statements and free credit reports for signs of fraud

If scammers have used your leaked data to take out loans or open accounts, it should appear on your credit reports. Every American is entitled to free credit reports from all three bureaus each week by visiting AnnualCreditReport.com. 

Go through your credit reports and look for suspicious accounts, inquiries, and charges. Next, do the same with your bank statements. If you notice signs of fraud, immediately contact your bank or financial institution — they can put a fraud alert on your account and help you dispute fraudulent charges.

📚 Related: Do Banks Refund Scammed Money? (How To Dispute Fraud) →

5. Cancel any leaked accounts, and get new credit and debit cards

Depending on what financial information was stolen, you may need to replace your credit and debit cards. You should also cancel any accounts that were compromised in a data breach.

• To cancel and replace credit or debit cards: “Lock” your cards by using your online banking account or mobile bank app. If this isn’t an option, contact your bank’s fraud department by calling the number on the back of your card. Make sure to update your credit card numbers (or other payment methods) for any recurring bills.
• To cancel compromised financial accounts: Contact any lender or provider through which your account information was leaked, explain what happened, and ask to cancel your account. If you’re having problems disputing fraud or closing fraudulent accounts, you can file a CFPB complaint online. 

6. Carefully consider the help offered by breached companies

Many companies offer free services in the wake of a data breach — such as credit report monitoring or identity monitoring. 

Be sure you know what you’re getting into before signing up for these services. 

• Free services are often severely limited. Companies ultimately need to minimize the damage and cost of a data breach and may provide only one-bureau credit monitoring — or identity theft protection services that are inferior to other paid options. ‍
• Accepting help may limit your ability to be a part of class action lawsuits. For example, Equifax offered free credit monitoring after a 2017 breach leaked the data of 143 million U.S. citizens. However, some attorneys cautioned that the terms of service included in this type of "help" could limit victims from joining class-action lawsuits against the company in the future [*].

7. Stay alert, and look for signs of scams

Whenever your personal data is exposed, it makes you a more attractive target for scammers, hackers, and fraudsters. 

After you’ve been part of a data breach, be on the lookout for: 

• Suspicious account activity. If an online account looks different or is acting strangely, it may have been hacked (or your device could be infected with malware). Make sure you have access to all of your most important accounts. 
• Unfamiliar financial accounts or changes. Any unfamiliar withdrawal or change to a financial account should be a cause for concern. Don’t wait to report them either, as your liability for losses can change depending on how long you wait to contact your financial institution.
• Strange calls, emails, texts, or letters. Fraudsters may use information available on the Dark Web — such as your SSN or Medicare number — to trick you into thinking their correspondences are legitimate. Slow down, and look for the signs of a phishing scam. 

📚 Related: Aura vs. LifeLock Comparison and Showdown: Which One Is Better? →

What To Do If Your Leaked Data Was Used By a Criminal

If someone illegally uses your leaked data, you are the victim of identity theft. Along with the steps described above, you can minimize the damage by making sure you do the following:

• File a report with the Federal Trade Commission (FTC). Go to IdentityTheft.gov and report the crime. The FTC will provide you with an official identity theft affidavit and personalized recovery plan to help mitigate the impact of fraud.
• File a report with the police. A law enforcement report can also provide documentation to help you resolve the fraud.
• Call the impacted organizations and report the fraud. Call the affected companies and ask for the fraud department. Explain that you are the victim of identity theft, and ask to reverse charges and close any fraudulent accounts. You may need to supply a police or FTC report in order for them to comply.
• Claim your account with the Social Security Administration (SSA), and “Self Lock” your SSN. You can create a my Social Security account at www.ssa.gov to claim your account before someone else does. The SSA also offers a "Self Lock" service that helps prevent scammers from using your SSN to gain illegal employment. 
• Request an Identity Protection PIN from the IRS. To protect against fraudulent tax returns, the IRS can assign you a secret six-digit number, which you can use to verify your identity when filing your taxes. You can request an IP PIN by visiting the IRS.gov website.
• Regularly check your credit report and bank statements. Scammers are almost always after financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts that you don’t recognize. 

{{show-cta}}

How To Protect Yourself Against Data Breaches

While you can't undo a previous data breach, you can lower your risk of exposure in future breaches. 

Here’s how to protect yourself:

• Reduce the amount of personal data that you share. Don’t give away your information to scammers. Limit what you share online and on social media, remove contact information from Google search results, and carefully consider all future photo and location sharing. 
• Use unique passwords for each account. Data breaches regularly leak passwords. When you use unique passwords for every account, you minimize the damage that hackers can do. 
• Use every digital security measure at your disposal. The more layers of security protecting your accounts, the better. Aura comes with a full suite of cybersecurity tools, including powerful antivirus software, a military-grade virtual private network (VPN), password manager, and more. 

Data breaches can catch you off guard. But with Aura, you’ll be warned in near real-time about new breaches and receive alerts when your personal information appears on the Dark Web. 

Plus, every account includes #1-rated identity theft protection, three-bureau credit monitoring with the industry’s fastest fraud alerts³, digital security tools for all of your devices, 24/7 U.S.-based support, and up to $5 million in identity theft insurance. 

Don’t Let Data Breaches Ruin Your Life. Try Aura free for 14 days.