Data breaches are often in the news, but your personal information can be compromised even if you haven’t heard about an incident.
In August 2024, for example, hackers obtained 2.9 billion Social Security number records from National Public Data. Other recent cyberattacks targeted healthcare systems, cell phone providers, and banks. Consumer Reports constantly monitors the news for these incidents to ensure our readers stay informed and up to date on the latest data privacy and security practices.
The severity of these breaches varies, but the most alarming cases can include exposing passwords, phone numbers, home addresses, financial data, and other sensitive information. In the aftermath, criminals may try to log in to your accounts using your email address and password.
They may also try logging in to other services using the same information—an attack known as credential stuffing. Depending on the information that was compromised, they may even attempt to steal your identity. Thankfully, CR has compiled several preventive and last-ditch measures you can take to mitigate the damage.
“The main thing is looking at what data was breached and where you might have used that data,” says Katie Moussouris, founder and CEO of Luta Security, a firm that helps businesses and governments work with hackers to better defend themselves from digital attacks. “Take a look at which pieces of information were compromised, and start looking at any places where you reuse that information.”
Whether you’ve been involved in a data breach or want to proactively protect yourself from potential disaster, read on for steps you can take to regain control of your accounts and protect your personal information.
Find Out What Was Breached
The first step in responding to a data breach is to figure out exactly what information was exposed.
Sometimes, companies will contact you to let you know whether your information was found in a data breach. You can also search across multiple data breaches at Have I Been Pwned to see whether your email address or phone number has been compromised.
Change Any Exposed Passwords
If your password was compromised, you have to change it not only on the breached service but also everywhere else you’ve used that password.
The quickest way to do this is by using a password manager, which allows you to store unique, complex passwords for each account. Although it’s important to have a different password for each account, it’s best to start by changing passwords you know were a part of a data breach.
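The sketch below is an added example, not part of the original article. It takes a password manager's CSV export and lists which accounts share the password of a breached service, so those get changed first. The column names (name, username, password) and all sample rows are constructed assumptions; real exports differ by product.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the column names (name, username, password) are an
# assumption, so adjust them to match your password manager's CSV export.
SAMPLE_EXPORT = """name,username,password
ExampleShop,me@example.com,Tr0ub4dor&3
ExampleBank,me@example.com,correct-horse-battery
ExampleForum,me@example.com,Tr0ub4dor&3
ExampleMail,me@example.com,Tr0ub4dor&3
ExampleStream,me2@example.com,correct-horse-battery
ExampleCloud,me@example.com,x9$Lq!unique-7731
"""

def load_entries(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def _fingerprint(password):
    # Group by digest so plaintext passwords are never printed or kept as dict keys.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def reuse_groups(entries):
    """Map password fingerprint -> account names sharing that password (2+ only)."""
    groups = defaultdict(list)
    for e in entries:
        if e["password"]:
            groups[_fingerprint(e["password"])].append(e["name"])
    return {fp: names for fp, names in groups.items() if len(names) > 1}

def accounts_to_change(entries, breached_service):
    """Breached account first, then every other account that reuses its password."""
    breached = [e for e in entries if e["name"].lower() == breached_service.lower()]
    if not breached:
        raise ValueError(f"{breached_service!r} not found in export")
    exposed = {_fingerprint(e["password"]) for e in breached}
    others = [e["name"] for e in entries
              if _fingerprint(e["password"]) in exposed and e not in breached]
    return [e["name"] for e in breached] + others

if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    print("Change first:", accounts_to_change(entries, "ExampleShop"))
    for names in reuse_groups(entries).values():
        print("Shared password:", ", ".join(names))
```

An export file holds every password in plaintext, so delete it securely once the audit is done.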
Switch From Text-Based MFA to an Authentication App
If your name and phone number were part of a data breach, attackers can use them to try to log in to your account. When you turn on multifactor authentication (MFA)—which is available for financial sites, social media sites, and many others—you’ll need a second factor in addition to your password to log in. That way, if an attacker gets your password, they still won’t be able to access your account.
Experts recommend using MFA, but some methods are better than others. If you’re using text messages, it’s best to switch to an authentication app such as Google Authenticator or Authy, which you can download on mobile devices running Android or iOS. Or you can use a hardware security key such as a YubiKey.
To remember all the services you want to switch, you can start by scrolling through your text messages to see which services have sent you security codes to log in to your account. Then look for those accounts in this directory, to see whether you can use a software token for MFA. If you can, follow the steps listed. You’ll need to download an authenticator app if you don’t have one already, and scan the QR code from the website for the service you have an account with. That way you’ll be able to log in to your account with your password and a temporary code on your authenticator app.
Some accounts don’t allow you to use authenticator apps or hardware keys for MFA. In those cases, Moussouris recommends getting a Google Voice number for any account that requires you to use a phone number as a second layer of authentication.
Remove Your Home Address
If your home address was compromised in a data breach and you learn that it’s been posted on another site, you can report it and see whether it can be removed.
If your address is showing up in web searches, you can report it to Google and Bing. Both of those search engines can help you remove your address from their results. You can make similar requests on several social media platforms:
- On X, file a report stating that private information was posted.
- On Facebook, click on the three dots above the post, select “report post,” and then choose the most appropriate option.
- On Reddit, click on the “report” icon next to the post and select “sharing personal information.”
It’s not always possible to scrub your home address from the web entirely, because addresses are often included in voter rolls, real estate listings, and other public records. You can limit how easy it is to use your information by removing it from certain sites online through a paid service such as EasyOptOuts or Optery, which we evaluated in a recent CR study. You can also opt out yourself for free, but it’s a time-consuming process.
Freeze Your Credit
If your Social Security number or financial information was part of a data breach, freezing your credit will restrict access to it, which makes it challenging for identity thieves to open new accounts in your name.
To do this, contact each of the three major credit bureaus: Equifax, Experian, and TransUnion. All three now offer free weekly credit reports through AnnualCreditReport.com. You’ll have to temporarily lift the freeze in certain circumstances—for example, when you’re applying for a credit card or car loan, or want to rent an apartment.
Delete Accounts You’re Not Using
Having too many digital accounts increases the risk of your data being misused or stolen. The first step to getting rid of accounts for defunct platforms or ones you haven’t used in years is to find them. Type your usernames, old and new, into a search engine, or look for combinations of your name and email address. You can also look for phrases such as “welcome to” or “new account” in your inbox, or look for saved logins in your search engine. Or just head back to Have I Been Pwned and remove accounts from apps you no longer use where your information has been compromised in the past.
Once you’ve taken these steps, be sure to monitor all your active accounts, including those with your banks, lenders, and retailers.
Correction: This article, last published Sept. 6, 2024, has been updated to correct errors introduced during editing, including clarifying the nature and results of CR’s recent study of people-search removal services.
Yael Grauer
Yael Grauer is an investigative tech reporter covering digital privacy and security. She manages Security Planner, a free, easy-to-use guide to staying safer online. She has covered surveillance, online privacy and security, data brokers, dark patterns, clandestine trackers, security vulnerabilities, VPNs, hacking, and digital freedom for the Atlantic, Wired, Vice, The Intercept, Slate, Ars Technica, OneZero, Wirecutter, Business Insider, Popular Science, and other publications.