What to Do After a Data Breach

Another breach notification just landed in your inbox. Before the panic sets in: here's a calm, ordered checklist of exactly what to do — and just as importantly, what can wait until later.

Quick answer

Change the password for the breached account and any account that reuses it, starting with email. Check recent financial statements for unfamiliar activity. If your Social Security number was exposed, consider a free credit freeze with all three bureaus. Visit IdentityTheft.gov for a personalized recovery plan from the FTC.

First: what was actually exposed?

Breach notifications vary widely in how serious they actually are. Before reacting, it helps to know what category of information was involved — because the right response depends on it.

Email and password only

Lower severity, but still requires changing that password anywhere it was reused — including more important accounts.

Payment card details

Contact your card issuer. Most will proactively reissue the card, but it's worth confirming and watching statements closely.

Social Security number

The most serious category. This is when a credit freeze and IdentityTheft.gov become genuinely worth your time.

Account security questions

If security questions were exposed, treat them as compromised everywhere — they're often reused across accounts and can't easily be "changed."

The checklist, in priority order

1. Change the breached password — and anywhere it was reused (Do this first)
Start with the account that was actually breached. Then think honestly about whether you've used that same password — or a close variation — anywhere else, especially email, banking, or your phone carrier account.

2. Secure your email account specifically (Do this first)
Email often controls password resets for everything else. If your email was part of the breach, or shares a password with the breached service, prioritize securing it — including enabling two-factor authentication if it isn't already on.

3. Check recent financial statements (Within 24 hours)
Look at your bank and credit card statements from the past few weeks for anything unfamiliar — even small charges, which are sometimes used to test whether a card is still active before a larger charge follows.

4. If your SSN was exposed, consider a credit freeze (Within a few days)
A credit freeze restricts access to your credit file, making it harder for someone to open new accounts in your name. It's free, doesn't affect your credit score, and can be placed with Equifax, Experian, and TransUnion individually, then lifted later when you need it.

5. Visit IdentityTheft.gov if your information is being misused (If misuse occurs)
The FTC's IdentityTheft.gov generates a personalized recovery plan based on what was exposed, including pre-filled dispute letters for credit bureaus and creditors. An official Identity Theft Report can also give you certain rights under the Fair Credit Reporting Act, including faster removal of fraudulent information.

6. Request your free credit reports (Within a few weeks)
After a breach, you're entitled to additional free credit reports beyond your normal annual allowance. Review them for accounts you don't recognize, and dispute anything inaccurate directly with the credit bureau.
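
Step 1 is easier to do honestly with a list than from memory. The sketch below is an added example, not part of the original article: it takes entries from a password-manager export and lists every account that shares the breached password or a close variation, with the breached account first, then email, then banking and phone carrier. The entry fields, the category labels, the 0.8 similarity threshold and the sample vault are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Order from the checklist: email first, then banking and phone carrier.
PRIORITY = {"email": 0, "banking": 1, "carrier": 1}

def stem(password: str) -> str:
    """Lower-case and drop trailing digits/symbols: 'Harbor2019!' -> 'harbor'."""
    s = password.casefold()
    while s and not s[-1].isalpha():
        s = s[:-1]
    return s

def match_kind(breached: str, other: str, threshold: float = 0.8):
    """Return 'exact', 'variation', or None for one stored password."""
    if other == breached:
        return "exact"
    a, b = stem(breached), stem(other)
    if len(a) >= 4 and a == b:  # same base word, different year or suffix
        return "variation"
    ratio = SequenceMatcher(None, breached.casefold(), other.casefold()).ratio()
    return "variation" if ratio >= threshold else None  # threshold is an assumption

def rotation_plan(breached_site: str, vault: list[dict]) -> list[tuple[str, str]]:
    """Accounts to change: breached site first, then by PRIORITY, then the rest."""
    breached = next(e["password"] for e in vault if e["site"] == breached_site)
    hits = []
    for e in vault:
        kind = match_kind(breached, e["password"])
        if kind:
            rank = -1 if e["site"] == breached_site else PRIORITY.get(e["category"], 2)
            hits.append((rank, e["site"], kind))
    return [(site, kind) for _, site, kind in sorted(hits)]

# Constructed sample vault (not real credentials).
VAULT = [
    {"site": "oldforum.example", "category": "other", "password": "Harbor2019!"},
    {"site": "mail.example", "category": "email", "password": "harbor2021"},
    {"site": "bank.example", "category": "banking", "password": "Harbor2019!"},
    {"site": "carrier.example", "category": "carrier", "password": "H4rbor2019!"},
    {"site": "shop.example", "category": "other", "password": "q7#Lm2vX9pTz"},
]

if __name__ == "__main__":
    for site, kind in rotation_plan("oldforum.example", VAULT):
        print(f"{site}: {kind}")
```

Run it only on your own machine against your own export, and delete the plaintext export file afterward.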

"Breach data doesn't expire. A password from a breach years ago can still be tested against your accounts today — which is why step one is always the reused password, no matter how old the breach is."

Why old breaches still matter

It's tempting to dismiss a breach notification for a service you barely remember signing up for. But breach data doesn't disappear — it gets traded, bundled with other stolen records, and sold on to other people. In some documented cases, data stolen in one breach has resurfaced years later with previously encrypted fields fully decrypted and readable.

The practical implication: if you reused a password from an old, seemingly unimportant account on something that matters today — your email, your bank, your phone carrier — that connection is the actual risk, regardless of how old or minor the original breach seemed.


Frequently asked questions

What is the first thing I should do after a data breach?

Change the password for the breached account first, and for any other account that uses the same or a similar password — especially email, since it often controls password resets for other accounts.

Should I freeze my credit after a data breach?

If the breach exposed your Social Security number or other identity-verifying information, a credit freeze is one of the most effective steps available. It's free, doesn't affect your credit score, and can be placed with each of the three major bureaus and lifted later when needed.

Where do I report identity theft after a breach?

IdentityTheft.gov is the official FTC starting point. It generates a personalized recovery plan based on what information was exposed, including pre-filled dispute letters for creditors and credit bureaus.

How long does breach data stay dangerous?

Indefinitely. Breach data doesn't expire — it can resurface, get resold, or have encrypted fields decrypted years later. This is why changing reused passwords matters even for breaches that happened a long time ago.

Do I need to do all of this right away?

No. Changing the breached password and any reused passwords, plus checking recent financial statements, are the most time-sensitive steps. Credit freezes and credit report reviews are important but can happen over the following days.

Your accounts shouldn't depend on you remembering every old breach.

Attune is being built as a trusted awareness layer for modern adult life — a calmer way to notice overlooked risks, hidden financial leakage, forgotten responsibilities, unused benefits, privacy exposure, and quietly important things before they disappear from view.
