How Do You Secure Your Identity After a Data Breach?
Data breaches are one of the biggest threats to your identity and finances. Unfortunately, in 2023, it’s almost guaranteed that at least some of your personal data has been leaked in a data breach.
In the past year alone, more than 166 million people had their personal information leaked in a data breach [*] from companies like Twitter, Uber, Experian, WhatsApp, student loan servicer Nelnet, and more.
But what’s worse is that the latest data from 2022 shows that [*]:
Only 50% of people change their passwords after finding out they were leaked in a data breach.
It can feel overwhelming to try and keep up with the latest data breaches and maintain the security of your personal information and online accounts. But with a few steps, you can ensure that you’re doing everything you can to avoid identity theft, fraud, and online account takeover.
Here’s what to do as soon as you find out you’ve been the victim of a data breach.
What To Do After a Data Breach: 12 Steps
- Confirm the breach has happened (but be cautious of emails)
- Find out what sensitive data was stolen
- Secure your log-ins, passwords, and PINs
- Switch to an authenticator app for 2FA/MFA
- Freeze your credit with all three bureaus
- File a report with the Federal Trade Commission (FTC)
- Take special steps for healthcare, government, and financial breaches
- Carefully consider the free support offered by breached companies
- Monitor other accounts for suspicious activity
- Remove your personal information from data brokers and public sites
- Delete old accounts and clean up your cyber hygiene
- Sign up for an identity theft monitoring service
You need to act quickly as soon as you discover that your personal data was leaked in a data breach. Here are 12 steps you can take to secure your accounts and minimize the damage:
1. Confirm the breach happened (but be cautious of emails)
Data breaches are often in the news. But the first place you’re most likely to hear that you’ve been affected is in an email from the impacted company.
State law mandates that companies need to disclose data breaches. Unfortunately, some hackers use these emails as an opportunity to steal your information even if there hasn’t been a leak.
Fake breach emails — known as “phishing emails” — use our fear and emotional response to hacks to get us to act irrationally. A hacker will send an email claiming to be an impacted company and ask you to either:
- Click a link (which could download malware to your device and allow them to hack your email).
- Confirm your account details (which will go straight to the hacker).
If you get a breach email, don’t click any links or respond to the message as someone could be trying to scam you online.
Before you take action, confirm the breach by visiting the organization's website or searching the web.
If the breach is real, you’ll find news alerts online and a data breach notification on the website or your account page.
2. Find out what sensitive data was stolen
Next, find out what information was stolen. This helps you to understand what types of identity theft you're at risk of and how you can mitigate the damage that hackers can do.
For example, a cybercriminal can do much more damage with your Social Security number than an unused account username.
Companies will often notify you of what information was breached in an email, account notification, or FAQ. But what can criminals do with each piece of your data?
Here are the most common data targets hackers go after and what they can do with them:
- Email — Thieves can use your email to send spam and attempt to log into other accounts that share the same email. For example, thieves may log into your bank using your Facebook email.
- Encrypted passwords — Most sites store passwords in encrypted (hashed) form rather than as plain text. But hackers use software to crack weak ones within minutes or hours. Once they have access to your passwords, they’ll try them on as many accounts as possible. (This is why you should never reuse passwords across accounts.)
- Full name — Hackers use your name to find other publicly available information about you in your online footprint. With enough information, they can commit identity theft.
- Phone number — Cybercriminals can use your phone number for spam calls, identity theft, and SIM-jacking. This is where a thief claims your number for their own and receives all your texts and incoming calls.
- Home address — An exposed address can put you at risk of change-of-address scams, tax fraud, and other forms of identity theft.
- Credit card numbers — Thieves can use stolen credit card details to pay for goods online or buy gift cards that can’t be traced (a scam called “carding”). They can do this even without your physical card.
- Social Security number (SSN) — Your Social Security number is perhaps the most vulnerable piece of information a thief can steal. With your SSN, they can commit identity theft, tax fraud, unemployment scams, loan fraud, and much more. (Plus, it's not always possible to change your Social Security number – even after identity theft.)
Once you know what personally identifiable information (PII) is vulnerable, it’s time to protect yourself.
3. Secure your log-ins, passwords, and PINs
Once you know your data has been compromised, you need to secure your accounts and limit the damage hackers can do. If you’re lucky, you’ll update your information before anyone is able to access your accounts.
Here’s how to update your passwords to make them more secure:
- Use unique passwords for each account. If you reuse a password that is compromised in a breach, it can put multiple accounts in danger. Always use a unique password for each account to minimize what scammers can do with your information.
- Choose a password that is at least 10–12 characters long. Include upper and lowercase letters, numbers, and symbols to make it harder for hackers to crack.
- Don’t include personal information in your passwords. This includes pet names, family names, or hometown information. Scammers regularly scan your social media profiles and online footprint to find this information.
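The three rules above can be checked mechanically. The following audit is an added example, not a tool from this article or from Aura; the account names, passwords, and personal details are constructed sample data, and the 12-character minimum is an assumption taken from the upper end of the range above.

```python
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 12  # assumption: upper end of the 10-12 character guidance

# Constructed sample data: (account, password) pairs as a password
# manager export might list them. None of these are real credentials.
SAMPLE_VAULT = [
    ("bank.example", "Rex2015!"),
    ("mail.example", "Rex2015!"),
    ("shop.example", "correct-Horse-42-battery"),
    ("forum.example", "springfield123"),
]
# Constructed details someone could learn from a social media profile.
SAMPLE_PERSONAL = ["Rex", "Springfield", "Alvarez"]

CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def _digest(password):
    """Fingerprint a password so reuse can be grouped without plaintext keys."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def missing_classes(password):
    """Return the names of the character classes the password lacks."""
    return {name for name, pat in CLASSES.items() if not re.search(pat, password)}


def audit(vault, personal_terms, min_length=MIN_LENGTH):
    """Map each account to its list of findings (an empty list means it passes)."""
    accounts_by_digest = defaultdict(list)
    for account, password in vault:
        accounts_by_digest[_digest(password)].append(account)

    findings = {}
    for account, password in vault:
        issues = []
        shared = [a for a in accounts_by_digest[_digest(password)] if a != account]
        if shared:
            issues.append("reused on " + ", ".join(sorted(shared)))
        if len(password) < min_length:
            issues.append(f"shorter than {min_length} characters")
        for name in sorted(missing_classes(password)):
            issues.append(f"no {name}")
        lowered = password.lower()
        for term in personal_terms:
            # Ignore very short terms to avoid accidental matches.
            if len(term) >= 3 and term.lower() in lowered:
                issues.append(f"contains personal detail '{term}'")
        findings[account] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_VAULT, SAMPLE_PERSONAL).items():
        print(account, "->", issues or "ok")
```

Any account with a "reused on" finding should be changed first after a breach, because one leaked password unlocks every account in that group.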
To keep track of your new, more secure passwords, consider a password manager. This is a secure tool that records your strong passwords automatically so you don’t have to worry about forgetting them.
Aura’s included password manager can also warn you if an account has been compromised or if you’re using a weak password that could easily be cracked.
4. Switch to an authenticator app for 2FA/MFA
Next, set up two-factor or multi-factor authentication (2FA/MFA) on any account that allows it.
This is an extra security measure that requires a one-time-use code in addition to your username and password to log into an account. Many people use text messages (SMS) to receive their 2FA code, but text messages can be intercepted, for example through SIM-jacking, where a thief takes over your phone number.
Instead, try using an authenticator app like Google Authenticator or Okta.
5. Freeze your credit with all three bureaus
Identity thieves are almost always financially motivated — and the information they steal from a data breach can often give them access to your credit or even your bank account.
A credit freeze blocks anyone from accessing your credit report. This means that scammers won’t be able to open new accounts or take out loans in your name (and ruin your credit score).
To freeze your credit, you’ll need to contact each of the three major credit bureaus individually — Experian, Equifax, and TransUnion. They’ll ask for proof of your identity and then give you a PIN to be used to freeze or unfreeze your credit.
Here’s how to contact each of the credit bureaus:
How to request an Experian credit freeze
Online: Sign up online to freeze and unfreeze your credit.
By phone: 1-888-EXPERIAN (888-397-3742)
By mail: Send your request to Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
How to request an Equifax credit freeze
Online: Sign up online to freeze and unfreeze your Equifax credit report.
By phone: 1-888-298-0045
By mail: Send your request to P.O. Box 740256, Atlanta, GA 30374
How to request a TransUnion credit freeze
Online: Sign up online to freeze and unfreeze your TransUnion credit report.
By phone: 1-888-909-8872
By mail: Send your request to P.O. Box 2000, Chester, PA 19016
Why not use a fraud alert?
A fraud alert requires credit companies to verify your identity before approving credit. This can also make it harder for criminals to open new accounts or take out loans in your name. However, a fraud alert is only a suggestion — not a requirement. Some lenders will ignore the alert or use verification methods that scammers can easily bypass.
If you’d like to use a fraud alert, you only need to contact one of the credit bureaus. By federal law, they’re required to notify the other two of your alert.
Pro tip: Aura lets you lock your Experian credit file with a single click so you can easily keep your credit safe from hackers.
6. File a report with the Federal Trade Commission (FTC)
If your personal information is used by criminals, one of the best things you can do is file an identity theft report with the FTC at IdentityTheft.gov.
An official FTC report acts as proof of the crime and can be used when disputing fraudulent transactions or clearing your name of other crimes the identity thieves may have committed.
7. Take special steps for healthcare, government, and financial breaches
Depending on the type of breach you’ve suffered, there may be additional steps you should take to protect yourself.
What to do if your healthcare information was leaked in a data breach:
Healthcare breaches come from hospitals, health insurers, or other providers. These leaks can lead to medical fraud or even blackmail.
Here are a few extra steps to take after a healthcare data breach:
- Ask your doctor and health insurance provider for copies of your most recent medical records and benefit statements. Verify each item to make sure someone else isn’t using your benefits.
- Contact your health care providers for a list of anyone with whom they’ve shared your information. Look for any unfamiliar organizations, conditions, or insurance claims. Legally, you have the right to request this information once per year, free of charge.
- Be cautious of bills for medical procedures you don’t know about. Respond and inform the collector that you may be the victim of identity theft.
- Review your Health Savings Account (HSA) and Flexible Spending Account (FSA), if applicable. Make sure thieves have not accessed the funds in these accounts.
What to do if you’re part of a government or tax-related data breach:
If a government agency is responsible for the data breach, you might need to take additional steps. This includes breaches from federal, state, or other government agencies, including the military. (Government data breaches can lead to military or veteran fraud.)
In most cases, the impacted agency should reach out with guidance on what to do. But be cautious of any communication claiming to be from the government, especially emails and texts.
Another relatively common type of identity theft is tax fraud. This is where a thief uses your data to claim a tax refund in your name. If you receive a letter from the IRS informing you that someone else has filed a tax return in your name, follow the instructions provided in the letter.
What to do if your financial information was leaked in a data breach:
If the breach has come through a financial account — like a credit card company or bank — take extra precautions to protect your data.
- Call the card issuer, ask them to invalidate your credit card or debit card, and request a new one.
- If you see suspicious charges, contact the fraud department at the organization to begin resolving the charges.
- You may also need to take steps to help repair your credit after identity theft.
These steps are important to take on your own, but some additional help may also be available.
8. Carefully consider the free support offered by breached companies
Many companies offer free services as part of their breach responses. These can include credit report monitoring or other ways of protecting your sensitive data.
These offers aren’t a guarantee against identity theft or financial harm. And you should still protect yourself from the breach in the other ways we’ve listed.
Also, take any offer of support with a grain of salt. Companies ultimately need to minimize the damage — and cost — of a data breach. And sometimes accepting their help can limit your options for seeking other damages.
For example, Equifax offered free credit monitoring after a 2017 data breach leaked data on 143 million US citizens. But some attorneys cautioned that the terms of service included in this "help" could limit you from joining class-action lawsuits against the company in the future [*].
Either way, save any communication you receive from the company, like emails or letters. This documentation may be necessary later on as you work to protect your information.
9. Monitor other accounts for suspicious activity
Once your sensitive information has been leaked in a data breach, it can lead to other forms of fraud and identity theft. Just because a company says the leak has been resolved doesn’t mean your data is safe.
After a breach, be especially mindful of:
- Suspicious activity on your online accounts and financial statements. This includes credit or debit card charges you don’t recognize or unfamiliar activity in your bank account.
- Unfamiliar credit inquiries, additional debt, and new accounts in your name. You can request a free credit report from each bureau once a year at AnnualCreditReport.com. Aura can also monitor your credit (as well as your bank and investment accounts) in near real-time to alert you of suspicious activity.
- Strange calls, emails, texts, or letters. Look for suspicious activity like failed login attempts or collection calls for unfamiliar bills.
Unfortunately, when we finally see the warning signs of identity theft, it’s often too late.
That’s why Aura takes care of almost all of these issues for you. With Aura, you get near-real-time credit and identity monitoring, fraud alerts, protection from malware and phishing attacks, and even a $1 million insurance policy for eligible damages resulting from identity theft.
10. Remove your personal information from data brokers and public sites
Once your sensitive information has been leaked, it can spread quickly from Dark Web forums to the public internet where it’s accessible to all.
Companies called data brokers (also known as “people finder sites”) collect and sell this data to telemarketers and even scammers. Removing your personal information from data brokers not only makes you safer, but can also reduce the amount of spam and scam calls and texts you receive.
The bad news is that there are hundreds of data brokers in the United States — and manually removing your information from each of them would take weeks or months (and potentially end up with even more of your information being available).
Instead, an automatic data broker removal service (like what’s included with Aura) can do the work for you. Aura scans data broker lists for your contact information and sends removal requests. If your information is re-added, we’ll send another request to ensure you’re safe and secure.
Try Aura free for 14 days and get access to our full suite of tools — including automatic data broker removal.
11. Delete old accounts and clean up your cyber hygiene
A data breach can be a good opportunity to clean up your cyber hygiene — the tools and habits you use to stay safe online.
Here are some areas of your digital life you should consider “cleaning up”:
- Account security: Are your passwords and accounts safe? Are you using strong, unique passwords and 2FA?
- Software and operating system updates: Are your devices up to date? Hackers use vulnerabilities in outdated software to hack you.
- Data protection: Are your data and hard drives encrypted so that hackers can’t gain access to them? Do you have recent backups of your important files in case of a hack?
- Device and network protection: Are you using antivirus software and a virtual private network (VPN) to protect your devices from viruses and hacking?
- Email security: Are your email spam filters up to date? Email is one of the main entry points through which scammers will target you.
- Your digital footprint: How much of your personal information is freely available to scammers online? Fraudsters use social media and other parts of your online footprint to learn more about you.
12. Sign up for an identity theft monitoring service
Some of the most critical tasks for cybersecurity protection are difficult or nearly impossible for humans to do. We can’t spend all day scanning our credit statements, Dark Web archives, and up-to-date breach information.
That’s why millions of Americans use an identity and credit monitoring service like Aura. Even if you have no idea what to do if your identity is stolen, Aura has your back.
Aura protects the entire family, including children, who are particularly susceptible to identity theft.
It also secures your devices and Wi-Fi network from malware and phishing attacks so you can continue to browse, shop, and use social media while staying safe.
But what if you suspect a cybercriminal has already taken advantage of your data?
The Most Recent Data Breaches: Were You Impacted?
If you use any of these services, your sensitive information could be at risk:
- PayPal: In January of 2023, PayPal sent out notices that hackers had accessed close to 35,000 customer accounts using a credential stuffing attack [*].
- The “China” leak of 2022: In July of 2022, a hacker on an underground forum claimed they’d breached the Shanghai police database and was advertising the sale of over 23 terabytes of data on almost 1 billion Chinese citizens [*].
- Twitter: The personal information, including emails and phone numbers, of over 5.4 million Twitter accounts was put up for sale on a Dark Web forum. The list supposedly included the contact information of celebrities and companies.
- Nelnet Servicing: The student loan servicing company was hacked, leading to a leak of more than 2.5 million Social Security numbers (SSN) of current and former students [*].
- Facebook: Over 550 million Facebook users had their data published online, including Facebook IDs, names, dates of birth, locations, and relationship statuses.
- T-Mobile: The most recent T-Mobile data breach in 2021 exposed data for 50 million users, including names, addresses, SSNs, driver's licenses, and device information.
- American Airlines, United, Lufthansa, and other major airlines: Passenger info for more than 2.1 million fliers was leaked after SITA — a technology company that works with 90% of the world's airlines — was breached.
- MeetMindful: 2 million users of the dating app had their PII stolen and leaked by a hacking group. (Data breaches are just one of the many dangers of online dating you should be aware of.)
- Volkswagen, Audi: Over 3.3 million owners and potential buyers of the car brand had their data leaked, the majority of whom were from the U.S.
- Neiman Marcus: Over 3.1 million customers had their payment card information leaked.
- Robinhood: Close to 5 million users of the trading app had their email addresses, phone numbers, and more leaked.
These are just some of the most recent data breaches.
Remember, you can see what data has been leaked by hackers using Aura’s Dark Web Scanner.
Were You the Victim of a Data Breach? Do This
If you’ve discovered you’re a victim of identity theft or your data has been leaked after a security breach, what do you do?
Unfortunately, hackers can move quickly, and even the fastest response to a personal data breach can be too late. Here’s what to do if you believe a criminal has stolen your identity:
- Secure your accounts. Update your passwords to be more secure. Set up a password manager. Enable 2FA using an authenticator app.
- File a report with the Federal Trade Commission (FTC). Go to IdentityTheft.gov and report the theft. This will provide you with necessary documentation you may need to provide to resolve fraudulent charges.
- File a report with the police. A law enforcement report can also provide documentation to help you resolve the fraud.
- Call the impacted organizations and report the fraud. Call the affected companies and ask for the fraud department. Explain you are the victim of identity theft. You can usually reverse charges for credit card fraud and similar types of activity.
- Freeze your credit and set up fraud alerts. Freezing your credit makes it harder for criminals to get access to your accounts or take out new credit in your name.
- Regularly check your credit report and bank statements. Scammers are almost always after your financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts you don’t recognize. An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.
How To Protect Your Private Info From Hackers
While you can’t take back exposed data, you can protect your data from future breaches. Here’s how:
Reduce the amount of data you share
The first and simplest recommendation is to reduce the amount of data you share online. This includes social media.
Decide carefully before creating new accounts. Consider deleting accounts you don’t use and removing extra account details. These can be forgotten about during a data breach. For example, if you have a credit card on file with a company or website you don’t use very often, remove it.
Use unique log-in details for each account you create
One of the best ways to protect yourself in the event of a breach is to make data hard to transfer. Don’t give hackers a skeleton key to your digital life by using the same email address, log-in, and password for every account.
Instead, use a unique password on each site and consider using different email accounts. For example, you could create one email address for newsletters and social media and another email for financial accounts.
Every Aura plan includes a feature called email masking, which hides your personal email and reduces your exposure in the case of a data breach. Instead, when you sign up for a new service, Aura creates an alias for your email account. All emails are still forwarded to your inbox, but you don’t have to worry about receiving additional spam or scam emails.
Use every digital security measure at your disposal (2FA, credit freeze, etc.)
The final way you can protect your data from third-party breaches is to set up safeguards that thwart even a thief with your data. For example:
- Two-factor authentication (2FA) makes your accounts much harder to hack, even if a thief has your username and password. Make sure you’re using an authenticator app — not SMS.
- A credit freeze stops a thief who impersonates you from taking out loans in your name.
- A strong antivirus and VPN solution protects your devices against malware and Wi-Fi hacking.
- Credit and identity monitoring will alert you as soon as anyone tries to use your information without your permission.
The Bottom Line on Protecting Yourself From Data Breaches
It feels like there’s very little we can do during a breach. We’ve entrusted our data to a third party, but that organization has betrayed that trust with poor data security and open vulnerabilities.
And for those who haven’t been victims of a breach, the question is not if a breach will reveal information, but rather when it will happen.
So stay vigilant. Protect your accounts with unique passwords. And most importantly, use every security measure at your disposal to keep your personal and financial information safe and secure.