I received a data breach notification

What it means, what's actually at risk, and exactly what to do — step by step.

Before reading, identify your situation

  1. What kind of data was exposed?

    • Password or login credentials
    • Email address only
    • Card number or bank account
    • Social Security Number or government ID
    • Medical information
    • Multiple of the above / not sure
  2. Do you reuse passwords across sites?

    • Yes, definitely
    • Sometimes / not sure
    • No, I use unique passwords
  3. When did the breach happen?

    • Just happened / within the last week
    • Within the last few months
    • A long time ago — I'm just finding out

What you're actually dealing with

A data breach notification means a company that held your information was attacked, and your data was taken. That data — depending on what it was — is now likely for sale on the dark web, being tested against other accounts, or sitting in a database waiting to be used.

Here's what most notifications don't tell you: the breach already happened. The company is telling you after the fact, often weeks or months later. The damage to their systems is done. What you control now is limiting the damage to you.

The good news: most breaches are credential exposures — email and password. Annoying and worth acting on, but manageable. The scarier ones involve Social Security numbers, financial data, or medical records. We'll walk through all of them.

One thing to do before anything else: verify the notification is real.

Phishing emails that look like breach notifications are common. Before clicking any links in the notification email, go directly to:

  • haveibeenpwned.com — type in your email address to confirm the breach is real
  • The company's official website — check their newsroom or security page for a breach announcement

If the breach is confirmed, keep reading.

If passwords were exposed

This is the most common type of breach. Here's what happens after your password is stolen: automated bots immediately start testing it against hundreds of other sites — your email, your bank, Amazon, PayPal — looking for reuse. This happens within hours.

Do these in order. Right now if you can.

Step 1: Change the password on the breached site

Do this first, before anything else.

Log in to the breached site and change your password. Make it unique — not a variation of your old one. If you use a password manager (1Password, Bitwarden, etc.), let it generate something random. If you don't, now is a good time to start.

Why it matters: even if attackers have your old password, changing it locks them out of that specific account.

Step 2: Find every other site where you used that same password

Do this today.

This is the part most people skip. It's the part that actually matters.

If you reuse passwords, the breached password is now a key that might open your email, your bank, your other accounts. You need to find every place you used it and change it.

How to find them:

  • If you use a password manager: search for sites using the compromised password. Most password managers (1Password, Bitwarden, iCloud Keychain) have a built-in breach or reuse alert.
  • If you use Chrome or Safari: go to Settings → Passwords → look for reuse or compromise warnings
  • If you don't have a system: think hard. Email, banking, Amazon, PayPal, Venmo, your phone carrier, your health insurance portal, your work accounts.

Start with the highest-risk accounts: your primary email, your bank, your phone carrier. Those three control almost everything else.

Step 3: Secure your primary email account first

Do this today — this is the most important step.

Your email is the master key to your digital life. Whoever controls your email can reset the password on almost every other account you have.

  • Change your email password if it matches the breached one
  • Turn on two-factor authentication (2FA) — use an authenticator app (Google Authenticator, Authy) rather than SMS if possible
  • Check your email settings for anything suspicious:
    • Forwarding rules (Settings → Forwarding) — delete any you didn't create
    • Filters that delete or archive security emails
    • Recovery email and phone number — make sure they're yours
    • Devices with access — remove anything you don't recognize
    • Third-party apps with access — revoke anything unfamiliar

Why forwarding rules matter: attackers who got into your email will often set up a silent forwarding rule so they keep receiving your emails even after you change your password. This is one of the most common things people miss.

Step 4: Turn on two-factor authentication everywhere important

Do this week.

2FA means that even if someone has your password, they still can't get in without a second verification — usually a code from an app on your phone.

Priority order:

  • Primary email
  • Bank and financial accounts
  • Phone carrier account (critical — controls SIM swap risk)
  • Apple ID / Google Account
  • Password manager
  • Social media

Authenticator apps are stronger than SMS codes. SMS can be intercepted via SIM swap. Apps like Authy, Google Authenticator, or 1Password's built-in authenticator are better options.

Step 5: Check haveibeenpwned.com for your full exposure history

Do this week.

Go to haveibeenpwned.com and enter your email address. It will show you every known breach your email has appeared in — not just this one. You may find others you weren't notified about.

For each breach listed, check whether you still have an account there and whether you're still using that password anywhere.
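Step 2 (find every site where the password was reused) and Step 5 (check your exposure on haveibeenpwned.com) can both be done mechanically. The script below is an added example for this guide; it is not Lab 1908's code, nor Bitwarden's or Have I Been Pwned's. It reads a password-manager CSV export, groups accounts by password to find reuse, and checks a password against haveibeenpwned.com's Pwned Passwords range endpoint using its k-anonymity scheme, so only the first five characters of a hash ever leave your machine. The column names, the sample export and the sample API response are assumptions and constructed data, marked as such in the code.

```python
"""Find password reuse in a password-manager export and check distinct
passwords against Have I Been Pwned's Pwned Passwords range API using its
k-anonymity scheme: only the first 5 hex characters of the SHA-1 hash are
sent; the rest of the match happens locally.

Added example for this guide, not code from Lab 1908, Have I Been Pwned or
any password manager. Assumptions: the export is a CSV whose columns include
name, login_username and login_password (the names Bitwarden's CSV export
uses; other managers differ, so adjust COLUMNS). SAMPLE_EXPORT and
SAMPLE_RANGE are constructed for the demo and are not real accounts or a
real API response.
"""
import csv
import hashlib
import io
import urllib.request
from collections import defaultdict

COLUMNS = {"site": "name", "user": "login_username", "password": "login_password"}

# Constructed sample export: three accounts share the password "password".
SAMPLE_EXPORT = """name,login_uri,login_username,login_password
Example Shop,https://shop.example,alice,password
Example Mail,https://mail.example,alice@example.com,password
Example Bank,https://bank.example,alice,correct-horse-battery-staple
Example Carrier,https://carrier.example,alice,password
"""

# Constructed range response for prefix 5BAA6; the real endpoint returns
# hundreds of "SUFFIX:COUNT" lines for any prefix. Counts are made up.
SAMPLE_RANGE = """0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
"""


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_reuse(csv_text: str) -> dict[str, list[str]]:
    """Group accounts by password and keep only passwords used more than once.
    Keys are SHA-1 hashes so a printed report never contains the plaintext."""
    groups: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row.get(COLUMNS["password"], "")
        if pw:
            groups[sha1_upper(pw)].append(
                f'{row.get(COLUMNS["site"], "?")} ({row.get(COLUMNS["user"], "?")})')
    return {h: sites for h, sites in groups.items() if len(sites) > 1}


def count_in_range(sha1_hex: str, range_body: str) -> int:
    """Match the hash suffix against a range response; 0 means not found.
    Zero-count lines are padding the API adds when asked (Add-Padding: true)."""
    suffix = sha1_hex[5:].upper()
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        found, count = line.strip().split(":", 1)
        if found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Only the 5-character prefix is transmitted."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-guide-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not seen)."""
    h = sha1_upper(password)
    return count_in_range(h, fetcher(h[:5]))


if __name__ == "__main__":
    # Offline demo on the constructed data; pass fetch_range for a live check.
    for h, sites in find_reuse(SAMPLE_EXPORT).items():
        print(f"reused password (SHA-1 {h[:5]}...): {', '.join(sites)}")
    print("breach count for 'password':",
          pwned_count("password", fetcher=lambda prefix: SAMPLE_RANGE))
```

Run it against your own export by reading the file into find_reuse, and treat every account in a reuse group as needing a new password, not just the one on the breached site. The report keys are hashes on purpose: a reuse report is something you may paste into notes, and the plaintext should never end up there.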

If your email address was exposed (but not your password)

An email-only exposure is less urgent but still worth acting on.

What it means: your email address is now in more databases. You'll likely see an increase in phishing attempts and spam. Attackers will try to use your email to social-engineer their way into your accounts.

What to do:

  • Be more skeptical of emails asking you to click links or enter credentials in the next few months
  • Don't click links in unexpected emails — go directly to sites by typing the URL
  • Turn on 2FA on your important accounts if you haven't already
  • Consider using an email alias service (SimpleLogin, Apple's Hide My Email) for future signups so your real address isn't exposed again

If financial data was exposed (card number, bank account)

Act quickly. Financial data is valuable and moves fast.

Immediately

  • Call the number on the back of your card or log in to your bank to report the breach
  • Ask them to issue a new card number — most banks will do this without closing your account
  • Review your recent transactions for anything you don't recognize — report anything suspicious immediately

Within 24 hours

  • Place a fraud alert with one of the three credit bureaus (Equifax, Experian, TransUnion) — when you place it with one, they notify the others. This makes it harder to open new accounts in your name.
  • Consider a credit freeze if your financial data exposure was significant. A freeze is stronger than a fraud alert — it prevents new credit from being opened in your name entirely.
    • Freeze at all three bureaus: Equifax, Experian, TransUnion
    • Also freeze at: ChexSystems — covers bank account fraud
    • Cost: Free by law since 2018
    • You can lift it temporarily when you need to apply for credit

This week

  • Set up account alerts with your bank if you haven't — notifications for every transaction over a certain amount
  • Review linked payment methods in PayPal, Venmo, Amazon, and anywhere else your card was saved

If your Social Security Number was exposed

This is the most serious type of breach. An SSN is the skeleton key for identity fraud — opening credit accounts, filing fraudulent tax returns, taking out loans, claiming government benefits.

Don't panic. Do these things in order.

Immediately — freeze your credit at all three bureaus

This is the single most important step. A credit freeze prevents anyone from opening new credit in your name.

Freeze here — you must do all three:

  • Equifax
  • Experian
  • TransUnion

Also freeze at:

  • ChexSystems — covers bank account fraud

Save your freeze PINs somewhere secure. You'll need them to temporarily lift the freeze.

Within 24 hours

  • Go to ssa.gov/myaccount and create or secure your my Social Security account — lock it down before anyone else does
  • Go to irs.gov/identity-theft-central and get an Identity Protection PIN — this prevents someone from filing a tax return using your SSN
  • File a report at identitytheft.gov — this creates an official FTC Identity Theft Report, which you'll need if you have to dispute fraudulent accounts

This week

  • Check your credit reports at annualcreditreport.com — look for accounts you didn't open, inquiries you don't recognize
  • Contact your state's unemployment office to place a fraud alert — SSN fraud is commonly used to claim unemployment benefits
  • Watch your mail for unexpected bills, collection notices, or new card arrivals you didn't apply for
  • If you file taxes: consider filing early this year to prevent someone from filing before you

What to know about the SSA

The Social Security Administration almost never issues new SSNs. If someone tells you they can get you a new one, it's a scam. Your focus is on freezing credit and monitoring for misuse, not replacing the number.

What to know about the IRS

If someone files a fraudulent tax return using your SSN, resolution takes a long time — the IRS average is over 500 days. The IP PIN is your best protection against this happening. Get it now, before there's a problem.

If medical information was exposed

Medical breaches are underreported, and people tend to underreact to them. The risks are real.

What medical data enables:

  • Medical identity theft — someone receives care in your name, leaving fraudulent debt and incorrect information in your medical records
  • Insurance fraud — using your insurance to file claims
  • Discrimination — in employment or insurance, if sensitive conditions are exposed
  • Blackmail — in rare cases involving sensitive diagnoses

What to do:

  • Contact your health insurer and request an accounting of recent claims — look for any you don't recognize
  • Contact your healthcare providers and request your medical records — look for treatments, prescriptions, or visits that aren't yours
  • Ask your insurer to add a fraud alert to your account
  • If you find fraudulent medical records, contact the provider directly to dispute them and request correction
  • File a complaint with the HHS Office for Civil Rights (hhs.gov/ocr) if a HIPAA-covered entity was involved

Medical record errors can persist for years and affect your care. It's worth taking the time to check.

The hidden persistence checklist

This is what most breach guides don't tell you. After a breach, if an attacker got into any of your accounts, they may have set up mechanisms to stay in — even after you change your password.

Check all of these on your email account and any other account that was accessed:

In Gmail

  • Settings → See all settings → Forwarding and POP/IMAP → check for forwarding addresses you didn't set up
  • Settings → See all settings → Filters and Blocked Addresses → delete any filters you didn't create
  • myaccount.google.com → Security → Your devices → remove anything unfamiliar
  • myaccount.google.com → Security → Third-party apps with account access → revoke anything you don't recognize
  • myaccount.google.com → Security → 2-Step Verification → check backup codes, recovery phone, recovery email
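The filter check above can also be scripted: Gmail exports its filters as a file (Settings → See all settings → Filters and Blocked Addresses → Export), and that file is an Atom XML feed whose entries carry apps:property elements. The script below is an added example for this guide, not part of it and not a Google tool; it parses that export and flags the rule shapes described above: forwarding to an outside address, or trashing, archiving or marking as read anything whose criteria look security-related. SAMPLE_EXPORT is constructed data, and SECURITY_WORDS is an assumed starting list.

```python
"""Flag Gmail filters that look like intruder persistence, working from the
filter export Gmail produces under Settings → See all settings →
Filters and Blocked Addresses → Export.

Added example, not part of the Lab 1908 guide and not a Google tool. The
export is an Atom feed whose <entry> elements carry
<apps:property name=... value=...> children (namespace
http://schemas.google.com/apps/2006). Property names used here (from, to,
subject, hasTheWord, forwardTo, shouldTrash, shouldArchive, shouldMarkAsRead)
are the ones Gmail writes. SAMPLE_EXPORT is constructed; SECURITY_WORDS is
an assumed starting list, extend it for your own providers.
"""
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

SECURITY_WORDS = ("password", "security", "verification", "verify", "sign-in",
                  "login", "2fa", "code", "alert", "unusual", "new device")

# Constructed export: one benign newsletter filter and two persistence-style rules.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <id>tag:mail.google.com,2008:filter:1</id>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <id>tag:mail.google.com,2008:filter:2</id>
    <apps:property name='hasTheWord' value='password OR verification code'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <id>tag:mail.google.com,2008:filter:3</id>
    <apps:property name='from' value='bank@example.com'/>
    <apps:property name='forwardTo' value='unknown-address@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text: str) -> list[dict]:
    """One dict per filter: its Atom id plus every apps:property as name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        props["id"] = entry.findtext("atom:id", default="?", namespaces=NS)
        filters.append(props)
    return filters


def flag_filter(f: dict) -> list[str]:
    """Reasons a filter deserves a look; an empty list means it looks benign."""
    reasons = []
    if f.get("forwardTo"):
        reasons.append(f"forwards matching mail to {f['forwardTo']}")
    criteria = " ".join(f.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
    touches_security = any(w in criteria for w in SECURITY_WORDS)
    if f.get("shouldTrash") == "true":
        reasons.append("deletes matching mail"
                       + (" (security-related criteria)" if touches_security else ""))
    elif f.get("shouldArchive") == "true" and touches_security:
        reasons.append("hides security-related mail from the inbox")
    if f.get("shouldMarkAsRead") == "true" and touches_security:
        reasons.append("marks security-related mail as read")
    return reasons


def audit(xml_text: str) -> dict[str, list[str]]:
    """Map filter id -> reasons, for flagged filters only."""
    flagged = {}
    for f in parse_filters(xml_text):
        reasons = flag_filter(f)
        if reasons:
            flagged[f["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for fid, reasons in audit(SAMPLE_EXPORT).items():
        print(fid)
        for r in reasons:
            print("  -", r)
```

The export only contains filters. The account-level forwarding address under Forwarding and POP/IMAP is a separate setting and still has to be checked by hand, as the checklist says.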

In Outlook / Microsoft

  • account.microsoft.com → Security → review recent activity
  • outlook.com → Settings → Mail → Forwarding → check for rules you didn't create
  • account.microsoft.com → Privacy → App permissions → revoke unfamiliar apps

On your phone carrier account

  • Log in to your carrier account and check for SIM changes, new lines, or number port requests you didn't make
  • Set up a port-out PIN or account lock if your carrier offers it:
    • AT&T: enable "Extra security" in your account settings
    • Verizon: set up a port-out PIN (Account → Security)
    • T-Mobile: enable "Account Takeover Protection" in your account settings

What the official agencies actually do (and don't do)

FTC / identitytheft.gov

Creates an official Identity Theft Report — a legally useful document for disputing fraudulent accounts with creditors and credit bureaus. Does not investigate individual cases or stop active attacks. File here if financial or identity fraud occurred.

IRS

Issues Identity Protection PINs to prevent fraudulent tax returns. Takes an average of 500+ days to resolve tax identity theft cases once fraud has occurred. Get the IP PIN now — before there's a problem.

Social Security Administration

Handles benefit fraud and monitors your SSN's use in the SSA system. Does not replace SSNs in most circumstances. Does not fix downstream creditor or credit bureau problems.

Your state Attorney General

Some states offer Identity Theft Passports — useful if your identity is being used in law enforcement encounters. Requires a police report. Not an emergency resource.

Credit bureaus

The three major bureaus (Equifax, Experian, TransUnion) maintain your credit file. You can freeze it, place fraud alerts, and dispute fraudulent accounts directly with them. This is active and useful — not just bureaucratic.

Evidence to preserve

If you discover actual fraud — not just exposure — document everything.

  • Screenshot the breach notification email (don't delete it)
  • Screenshot any fraudulent accounts, transactions, or records you find
  • Keep a log: date, what you found, what you did, who you spoke to
  • Save reference numbers from any calls with banks, credit bureaus, or agencies
  • If you file a police report, get the case number

This documentation matters if you need to dispute fraudulent accounts or work with any agency.

Ongoing — what to watch for

A breach isn't a single event. The data is out there, and fraud can emerge weeks or months later.

  • Set up credit monitoring — many breach notifications include free monitoring. Also available free at Credit Karma, or through your credit card issuer
  • Check your credit report every few months at annualcreditreport.com
  • Watch for unexpected bills, collection calls, or unfamiliar accounts
  • Be more skeptical of phishing attempts — your email is now in more databases and attackers will try to use it
  • If you froze your credit, remember to lift the freeze before applying for new credit

Quick reference — what to do right now

Based on what was exposed:

Exposed      First thing                      Most important step              Don't forget
Password     Change it on breached site       Find everywhere you reused it    Check email for forwarding rules
Email only   No urgent action needed          Turn on 2FA everywhere           Watch for phishing
Financial    Call your bank                   Credit freeze at all 3 bureaus   Review linked accounts
SSN          Credit freeze at all 3 bureaus   IRS Identity Protection PIN      SSA account lockdown
Medical      Review recent insurance claims   Request your medical records     File HHS complaint if HIPAA breach

Resources


Built by Lab 1908. We make privacy-first apps — no ads, no accounts, no tracking. This guide has no agenda except being useful.