How to Respond to a Data Breach: The Step-by-Step Checklist
By Scott Anderson, Clearfront maintainer
A company just told you it lost your data, or a breach checker flagged your email. Here is the response that actually protects you, in order, from the free steps everyone should take to the ones that depend on what leaked. The US Federal Trade Commission is the authority behind most of this.
What should you do first after a data breach?
Change the password on the affected account and turn on two-factor authentication, then change that password anywhere else you reused it. Do this before anything else, because reused passwords are what turn one breach into many.
The Federal Trade Commission's guidance, at IdentityTheft.gov ↗, sorts the response by what was exposed. But the password step comes first every time, because it is free, fast, and stops the most common follow-on attack.
If login details were exposed
- -Change the password on that account immediately
- -Turn on two-factor authentication, ideally an app or passkey rather than text messages
- -Change the same password anywhere else you used it
A leaked password is only dangerous because it gets tried elsewhere. Unique passwords everywhere means a single breach stays contained to one account.
If your financial details were exposed
If a card or bank number leaked, contact the bank for a replacement and watch your statements. If your Social Security number or national ID leaked, consider a fraud alert or a credit freeze.
For card or account numbers, call the issuer, get a new number, and monitor for charges you do not recognize. For a national ID or Social Security number, the credit tools below are your protection.
Fraud alert vs credit freeze
A fraud alert is free, lasts a year, and only needs one credit bureau, which notifies the others. A credit freeze is also free, locks your credit file so no one can open new accounts, and does not affect your credit score, but you have to set it with all three bureaus.
- -Fraud alert: free, one year, contact one bureau, tells lenders to verify your identity
- -Credit freeze: free, contact all three bureaus separately, blocks new credit, no effect on your score, and you can lift it for free when you need credit
In the US the three bureaus are Equifax, Experian, and TransUnion. A freeze is the stronger protection; a fraud alert is the lighter-touch option. The FTC explains both at Credit freezes and fraud alerts ↗. In the UK, the equivalent is to check your report with the credit reference agencies and consider a protective registration through Cifas.
Then keep watching
A breach response is not one and done. Monitor your accounts, statements, and credit reports over the following months, because stolen data gets used on a delay.
Attackers often sit on breached data or sell it on, so misuse can show up weeks or months later. Keep an eye out, and if you see actual identity theft, report it at IdentityTheft.gov for a recovery plan.
How to know if you are in a breach in the first place
If you are reading this before a breach hits, get ahead of it: check your email against a breach index, and set up monitoring so you are told when a new leak includes you. The free and open-source ways are in open-source Have I Been Pwned alternatives, and for a recent example, how to check the 24 billion record leak.
Frequently asked questions
- What should I do first after a data breach?
- Change the password on the affected account, turn on two-factor authentication, and change that password anywhere else you reused it. That stops the most common follow-on attack, credential stuffing.
- Should I freeze my credit after a data breach?
- If your Social Security or national ID number was exposed, yes. A credit freeze is free, blocks new accounts from being opened in your name, and does not affect your credit score. You set it with all three credit bureaus.
- Does a credit freeze hurt my credit score?
- No. A credit freeze restricts access to your credit file but has no effect on your score, and you can lift it for free whenever you need to apply for credit.
Sources and further reading
Scott Anderson believes your personal data is yours to own and protect. He built Clearfront, a free, open-source tool for scanning and scrubbing your own digital footprint from public data, and he writes about OSINT, breach exposure, and personal privacy.
Related posts
- Free and Open-Source Have I Been Pwned Alternatives (2026)
Have I Been Pwned is the standard, but not the only option. Here are the free and open-source breach-check tools, how they work, and where each one fits.
- 24 Billion Records Just Leaked. Here Is How to Check If Yours Are In It.
A June 2026 dump exposed around 24 billion credential records. Here is what was in it, how to check if your data is included, and the 15-minute response.
- How to Check Your Digital Footprint: A Self-OSINT Walkthrough
Audit your own digital footprint in about an hour, for free, using the five OSINT passes a security analyst would run on you. Step by step, with the shortcut.