BreachesJune 18, 20266 min read

How to Respond to a Data Breach: The Step-by-Step Checklist

By Scott Anderson, Clearfront maintainer

A company just told you it lost your data, or a breach checker flagged your email. Here is the response that actually protects you, in order, from the free steps everyone should take to the ones that depend on what leaked. The US Federal Trade Commission is the authority behind most of this.

What should you do first after a data breach?

Change the password on the affected account and turn on two-factor authentication, then change that password anywhere else you reused it. Do this before anything else, because reused passwords are what turn one breach into many.

The Federal Trade Commission's guidance, at IdentityTheft.gov, sorts the response by what was exposed. But the password step comes first every time, because it is free, fast, and stops the most common follow-on attack.

If login details were exposed

  • -Change the password on that account immediately
  • -Turn on two-factor authentication, ideally an app or passkey rather than text messages
  • -Change the same password anywhere else you used it

A leaked password is only dangerous because it gets tried elsewhere. Unique passwords everywhere means a single breach stays contained to one account.

If your financial details were exposed

If a card or bank number leaked, contact the bank for a replacement and watch your statements. If your Social Security number or national ID leaked, consider a fraud alert or a credit freeze.

For card or account numbers, call the issuer, get a new number, and monitor for charges you do not recognize. For a national ID or Social Security number, the credit tools below are your protection.

Fraud alert vs credit freeze

A fraud alert is free, lasts a year, and only needs one credit bureau, which notifies the others. A credit freeze is also free, locks your credit file so no one can open new accounts, and does not affect your credit score, but you have to set it with all three bureaus.

  • -Fraud alert: free, one year, contact one bureau, tells lenders to verify your identity
  • -Credit freeze: free, contact all three bureaus separately, blocks new credit, no effect on your score, and you can lift it for free when you need credit

In the US the three bureaus are Equifax, Experian, and TransUnion. A freeze is the stronger protection; a fraud alert is the lighter-touch option. The FTC explains both at Credit freezes and fraud alerts. In the UK, the equivalent is to check your report with the credit reference agencies and consider a protective registration through Cifas.

Then keep watching

A breach response is not one and done. Monitor your accounts, statements, and credit reports over the following months, because stolen data gets used on a delay.

Attackers often sit on breached data or sell it on, so misuse can show up weeks or months later. Keep an eye out, and if you see actual identity theft, report it at IdentityTheft.gov for a recovery plan.

How to know if you are in a breach in the first place

If you are reading this before a breach hits, get ahead of it: check your email against a breach index, and set up monitoring so you are told when a new leak includes you. The free and open-source ways are in open-source Have I Been Pwned alternatives, and for a recent example, how to check the 24 billion record leak.

Frequently asked questions

What should I do first after a data breach?
Change the password on the affected account, turn on two-factor authentication, and change that password anywhere else you reused it. That stops the most common follow-on attack, credential stuffing.
Should I freeze my credit after a data breach?
If your Social Security or national ID number was exposed, yes. A credit freeze is free, blocks new accounts from being opened in your name, and does not affect your credit score. You set it with all three credit bureaus.
Does a credit freeze hurt my credit score?
No. A credit freeze restricts access to your credit file but has no effect on your score, and you can lift it for free whenever you need to apply for credit.

Scott Anderson believes your personal data is yours to own and protect. He built Clearfront, a free, open-source tool for scanning and scrubbing your own digital footprint from public data, and he writes about OSINT, breach exposure, and personal privacy.