You got a breach notification email. Or you saw your email address in a news story. Or someone told you the company you use got hit.
Here's what to actually do — in order, without panic, focused on what matters.
Step 0: Confirm the Breach Is Real
Not every "breach notification" is legitimate. Scammers send fake breach alerts designed to push you toward phishing sites or unnecessary paid services.
Verify through at least one of these:
- Have I Been Pwned — search your email address. Troy Hunt built this in 2013; it now indexes over 12 billion records from known breaches. If your address appears, it shows which breach and what data types were exposed.
- The company's official website or press release — look for a direct announcement on the company's own domain, not a link from the notification email
- FTC breach news at consumer.ftc.gov
If you can't verify the breach through an independent source, treat the notification email itself as potentially suspicious. Go directly to the company's website.
Step 1: Identify What Was Exposed
The right response depends entirely on what data was in the breach. These are not equivalent situations:
Email address only — lowest urgency. Your address is now on marketing and phishing lists. Change nothing immediately; add the address to HIBP notifications if it isn't already.
Email + password — change the password on the affected account right now. Then check whether you've used that same password — or a close variant — anywhere else. Every account sharing it needs to be changed. This is where password reuse compounds a single breach into a much larger problem.
Payment card — call your card issuer (number on the back of the card). Dispute authority kicks in immediately. Ask them to issue a replacement card proactively rather than waiting for fraudulent charges to appear.
Social Security Number or government ID — this is the one that requires the most steps and has the longest tail. A fraudulent credit account can be opened in your name using your SSN months or years after the breach. Move to Step 3.
Physical address + name — lower direct risk than SSN, but this is the data that fuels physical mail phishing and makes social engineering more convincing. Worth knowing it's out there.
Step 2: If a Password Was Exposed
Change the password on the affected account first. Use a randomly generated one — 20+ characters, stored in your password manager.
Then open your password manager's breach or reused-password report. Any account using the same or similar password gets changed now, not later. Prioritize by account value: email accounts first (a compromised email lets an attacker reset everything else), then financial accounts, then anything identity-linked.
If the account in question doesn't yet have two-factor authentication enabled, add it before you close the tab. Compromised credentials are most dangerous when there's nothing else protecting the account.
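The reuse check described in this step is what a password manager's breach report automates. The following is an added example, not code from the original article or from any password manager; it shows the two pieces of that check. First, the k-anonymity lookup that HIBP's Pwned Passwords range API uses: only the first five hex characters of the password's SHA-1 hash leave your machine, the server returns every hash suffix in that range, and the match happens locally. Second, grouping a vault by password so every account sharing an exposed or reused password is flagged together. The vault entries and the API response text below are constructed for the example (the single count is made up); `fetch_range` talks to the real endpoint but the demo runs entirely offline.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict

# Constructed stand-in for the body returned by
# GET https://api.pwnedpasswords.com/range/5BAA6 (real responses hold hundreds
# of lines). Each line is "<35 hex chars of SHA-1 suffix>:<times seen>".
# The first suffix belongs to the SHA-1 of "password"; the counts are made up.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0000EF0F2B2AC6FDFB11C31C0C6B0CC2D5A:2\r\n"
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
)

# Constructed vault export: (account name, password). Two accounts reuse
# the same password; the third has a unique one.
SAMPLE_VAULT = [
    ("mail", "password"),
    ("bank", "password"),
    ("forum", "correct horse battery staple"),
]


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn the API body into {suffix: count}; blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup against the real HIBP endpoint (network; not used by the
    offline demo). The full password hash is never transmitted."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-triage-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_lookup) -> int:
    """How many times the password appears in the HIBP corpus (0 = not seen).
    range_lookup(prefix) returns the API body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def triage(vault: list[tuple[str, str]], range_lookup) -> list[dict]:
    """Group accounts by shared password and report, per group, whether the
    password is reused and how often it has been seen in breaches. Results
    never include the password itself; groups keep vault order."""
    groups: dict[str, list[str]] = defaultdict(list)
    for account, password in vault:
        groups[password].append(account)
    report = []
    for password, accounts in groups.items():
        seen = breach_count(password, range_lookup)
        report.append({
            "accounts": accounts,
            "reused": len(accounts) > 1,
            "breach_count": seen,
            "change_now": seen > 0 or len(accounts) > 1,
        })
    return report


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range using the constructed response above."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for row in triage(SAMPLE_VAULT, offline_lookup):
        print(row)
```

To run it against the live service, pass `fetch_range` instead of `offline_lookup`; the order of the accounts to change still has to come from you (email first, then financial), which is why the report lists accounts rather than deciding for you.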
If you've been meaning to start moving toward passkeys for your most important accounts — this is a concrete moment to do it for the affected service if they support it.
Step 3: If an SSN or Identity Data Was Exposed
Place a credit freeze. All four bureaus.
A credit freeze tells the bureaus not to release your credit file to lenders — which means no one can open a new credit card, take out a loan, or finance a car using your SSN without you first unfreezing your credit. It doesn't affect existing accounts. It's free, and has been since federal law mandated it in 2018.
The four bureaus:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze/
- Experian: experian.com/help/credit-freeze/
- TransUnion: transunion.com/credit-freeze
- Innovis: innovis.com/personal/securityFreeze
Most people freeze the big three and forget Innovis — the fourth national credit bureau, smaller but used by some lenders. Takes five minutes online. Ignore it at your own risk.
Online freezes at all four bureaus take effect within one business day. Each bureau issues a PIN; write it down somewhere safe, because you'll need it to temporarily lift the freeze when you legitimately need to apply for credit.
What a Credit Freeze Actually Stops (and Doesn't)
Freeze stops: new credit lines, new loans, new accounts requiring a hard credit pull.
Freeze does not stop: fraudulent charges on your existing credit cards, tax fraud (someone filing a return in your name using your SSN), medical identity theft, utility accounts opened in your name, government benefits fraud.
For tax fraud protection: file your tax return early, before a fraudulent return can be filed first. The IRS also has an Identity Protection PIN program — a six-digit PIN that must accompany any return filed under your SSN.
Step 4: If Payment Card Data Was Exposed
Call your card issuer. Number on the back of the card.
Ask them to issue a new card proactively. Most issuers will do this immediately for a confirmed breach; some will wait for fraudulent activity. Push for the replacement — changing the card number eliminates the exposed card as an attack surface without requiring you to dispute individual charges.
Going forward: virtual card numbers are a structural solution here. Services like Privacy.com, Apple Pay, and many bank apps now generate single-use or merchant-locked virtual card numbers. If a merchant's database is breached, the compromised virtual number is useless anywhere else. The data broker opt-out guide gets into the broader question of how card data circulates through data broker pipelines once it's exposed.
The 24–48 Hour Window
The first hour is urgent. After that, the next day or two is about triage and setup:
Sign up for HIBP email notifications (if not already). haveibeenpwned.com sends an alert when your email address appears in a new breach. Free. Takes 30 seconds.
Check your existing financial accounts for unfamiliar transactions. Breaches involving payment data are sometimes monetized within hours.
Update your email address on high-value accounts if you were using a bare address rather than an alias. The email aliases guide covers why compartmentalizing by service limits the blast radius of future breaches — if the alias gets compromised, it tells you exactly which service was the source and you can disable just that one.

The Context Nobody Mentions
The 2024 National Public Data breach exposed approximately 2.9 billion records — a background-check data broker scraped clean. SSNs, names, addresses, relatives' names. Up to 170 million people in the US, UK, and Canada. The company filed for bankruptcy. The data ended up on hacker forums.
Then in late 2025, 700Credit was breached — an automotive lending credit-check company. 5.8 million people's SSNs, names, addresses, and dates of birth exposed through a compromised third-party API.
The point: your SSN has likely already been in at least one major breach. That's not fatalism — it's a reason the credit freeze matters regardless of whether you've received a specific notification recently. The freeze is preventive infrastructure, not a one-time crisis response.
U.S. data breaches hit a record 3,322 reported incidents in 2025, up 4% from the prior year, with SSNs involved in roughly two-thirds of cases. Breach notifications are routine events now. The goal is a baseline posture that limits damage when one hits — not a state of emergency every time it happens.
Ongoing Monitoring
After the immediate steps:
- Annual credit report checks — free annually at annualcreditreport.com (all three major bureaus); scan for accounts you didn't open
- HIBP notifications — already covered; worth doing
- Password manager breach reports — run them quarterly; Bitwarden's Exposed Passwords report and 1Password Watchtower both check against the same HIBP database
That's the ongoing layer. None of it is complicated. Most of it is set-and-forget after the initial setup.
What You Can Do Nothing About
Some data is already out there. The NPD breach data is on public hacker forums. The 700Credit dump is circulating. Data brokers are actively selling aggregated profiles built from dozens of sources simultaneously. The data broker ecosystem repackages breach data and sells it.

There's no fix for data that's already in the wild. The credit freeze contains the damage at the credit application layer. Unique passwords and 2FA contain it at the account access layer. Compartmentalized email aliases limit the correlation layer.
You can't scrub your SSN from every database that's already been breached. What you can do is make that SSN less useful to anyone who has it — by making sure a credit file can't be opened with it alone, and by making sure the password and email address attached to the account can't be guessed or reused.
That's the actual goal: not zero exposure, but limiting what an attacker can do with the exposure that already exists.