First: Understand What Was Exposed
Not all breaches are equal. The severity of your response should match the type of data that was compromised. Before taking action, read the breach notification carefully and identify what was exposed:
- Email address only: Low severity. Expect increased phishing attempts. Change your password on that service.
- Email + password: Medium severity. Change the password immediately, plus anywhere you reused it. Enable 2FA.
- Financial data (credit card, bank account): High severity. Contact your bank, freeze the card, monitor for unauthorized transactions.
- Social Security number: Critical severity. Freeze your credit at all three bureaus immediately. Set up identity monitoring. Request an IRS Identity Protection PIN.
- Medical records: High severity. Request your medical records to check for fraudulent entries. Contact your insurance provider.
Now, let's walk through the 7 steps in order.
Step 1: Change Your Passwords (Within 1 Hour)
Start with the breached account, then work through every account that shares the same password. This is where most people fail — they change the password on the breached service but forget the dozen other sites where they used the same credential.
How to do this effectively:
- If you use a password manager like 1Password, run the Watchtower audit to identify every account using the compromised password.
- Generate a unique, random password (20+ characters) for each affected account.
- If you don't have a password manager, start with the most critical accounts: email (since it controls password resets for everything else), banking, and social media.
- Prioritize your primary email account above everything else. If an attacker controls your email, they can reset passwords on every other service.
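As an added example (not code from the original article), this Python script does the Step 1 audit by hand for readers without a Watchtower-style feature: it reads a password-manager CSV export in the generic title,url,username,password layout, finds every account that shares the breached account's password, and orders them for rotation with email first, then banking, then the breached service. The sample export, its account names and the keyword heuristic that spots email and banking entries are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (placeholder credentials) in the common
# title,url,username,password layout that most password managers can produce.
SAMPLE_EXPORT = """title,url,username,password
Breached Shop,https://shop.example,alice@example.com,Spring2023!
Webmail,https://mail.example,alice@example.com,Spring2023!
Bank,https://bank.example,alice,Tr0ub4dor&3-long-unique
Forum,https://forum.example,alice99,Spring2023!
Cloud,https://cloud.example,alice@example.com,correct-horse-battery-staple
"""

def load_export(text):
    """Parse the CSV export into a list of {title, url, username, password} rows."""
    return list(csv.DictReader(io.StringIO(text)))

def reuse_groups(rows):
    """Passwords used by more than one account, mapped to those account titles."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["password"]].append(row["title"])
    return {pw: titles for pw, titles in groups.items() if len(titles) > 1}

def accounts_sharing_password(rows, breached_title):
    """Every account (including the breached one) that uses the breached password."""
    breached_pw = next(r["password"] for r in rows if r["title"] == breached_title)
    return [r["title"] for r in rows if r["password"] == breached_pw]

def change_order(rows, breached_title):
    """Rotation order: email first (it controls password resets everywhere else),
    then banking, then the breached service, then the rest. Keyword heuristic is an assumption."""
    url_of = {r["title"]: r["url"] for r in rows}

    def rank(title):
        haystack = (title + " " + url_of[title]).lower()
        if "mail" in haystack:
            return 0
        if "bank" in haystack:
            return 1
        return 2 if title == breached_title else 3

    return sorted(accounts_sharing_password(rows, breached_title), key=rank)

if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print("reused passwords:", reuse_groups(rows))
    print("rotate in this order:", change_order(rows, "Breached Shop"))
```

The export holds every password in plaintext, so run this on a local copy and delete the file once the rotation is done.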
Step 2: Enable Two-Factor Authentication (Within 2 Hours)
Two-factor authentication ensures that even if an attacker has your password, they can't access your account without a second verification factor.
- Best option: Hardware security key (YubiKey) — phishing-resistant, because the key only authenticates to the genuine site it was registered with.
- Good option: Authenticator app (Google Authenticator, Authy, 1Password built-in TOTP) — generates time-based codes on your device.
- Acceptable option: SMS codes — better than nothing, but vulnerable to SIM swapping attacks.
Enable 2FA on these accounts first (in priority order):
- Primary email
- Banking and financial accounts
- The breached service
- Social media accounts
- Cloud storage (Google Drive, Dropbox, iCloud)
- Shopping accounts (Amazon, PayPal)
Step 3: Freeze Your Credit (Within 24 Hours)
If the breach exposed your Social Security number, date of birth, or address, freeze your credit immediately. A credit freeze prevents anyone from opening new credit accounts in your name — including credit cards, loans, and mortgages.
Freeze at all three bureaus:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze or call 1-800-349-9960
- Experian: experian.com/freeze/center.html or call 1-888-397-3742
- TransUnion: transunion.com/credit-freeze or call 1-888-909-8872
Also freeze your report at the lesser-known bureaus: Innovis (1-800-540-2505) and NCTUE (National Consumer Telecom & Utilities Exchange) to prevent fraudulent utility accounts.
Save your freeze PINs in your password manager. You'll need them to temporarily lift the freeze when applying for legitimate credit.
Step 4: Check Your Financial Accounts (Within 24 Hours)
Even if the breach didn't directly expose financial data, review all of your financial accounts for unauthorized activity:
- Bank accounts: Look for unfamiliar transactions, especially small charges ($0.50-$2.00). Criminals test with micro-transactions before larger theft.
- Credit cards: Review all recent charges. Report anything you don't recognize immediately — federal law limits your liability to $50 for credit cards if reported promptly.
- Investment accounts: Check brokerage and retirement accounts for unauthorized trades or withdrawals.
- Payment apps: Review Venmo, PayPal, Zelle, and Cash App for unauthorized sends.
Set up real-time transaction alerts on all financial accounts if you haven't already. Most banks let you configure alerts for any transaction over $0.01.
Step 5: Scan for Malware (Within 48 Hours)
Some breaches originate from malware on your device — keyloggers, info-stealers, or remote access trojans that captured your credentials before they were transmitted. Even if the breach was on the company's end, this is a good time to verify your devices are clean.
- Run a full system scan with Norton 360 or Malwarebytes.
- Check for unfamiliar programs, browser extensions, or apps you don't recognize.
- Review your browser for unauthorized extensions (a common attack vector).
- On mobile, check for apps with excessive permissions — especially accessibility permissions, which can be used for screen recording.
Step 6: File Official Reports (Within 1 Week)
If you've suffered financial loss or identity theft, document everything and file official reports:
- FTC Identity Theft Report: File at IdentityTheft.gov. This creates an official record and generates a personalized recovery plan.
- IRS Identity Protection PIN: If your SSN was exposed, request an IP PIN at irs.gov to prevent fraudulent tax filings.
- Police report: File a local police report if you've suffered financial losses. Some creditors require this for fraud disputes.
- Accept free monitoring: If the breached company offers free credit monitoring, sign up for it (it's usually single-bureau monitoring for 12-24 months — limited but free).
- Check for class actions: Search "[company name] data breach lawsuit" to see if a class action has been filed. You may be eligible for compensation.
Step 7: Set Up Long-Term Monitoring (Ongoing)
The danger from a data breach doesn't end after a week. Stolen data can surface months or years later. Set up continuous monitoring to catch delayed exploitation:
Credit Monitoring
Monitor all three bureaus (not just one) for new inquiries, new accounts, and score changes. Services like Aura provide triple-bureau monitoring with near real-time alerts.
Dark Web Scanning
Your stolen data often appears on dark web marketplaces months after a breach. Continuous dark web scanning alerts you when your email, SSN, or credentials are found for sale.
SSN Monitoring
Services that track your SSN across public records, credit applications, and government databases can catch synthetic identity fraud — where criminals combine your real SSN with a fake identity.
Financial Account Monitoring
Link your bank accounts and credit cards to an identity monitoring service that watches for unauthorized transactions and suspicious activity patterns across all your accounts.
How Aura and Norton Catch Breaches Early
The best defense against data breaches is early detection. Here's how the leading security tools help:
Aura
- Near real-time alerts: Aura monitors your credit, SSN, bank accounts, and the dark web, sending alerts within minutes of suspicious activity — versus the industry average of 4-7 days.
- Automated data broker removal: Aura continuously scans people-search sites and submits opt-out requests on your behalf, reducing your digital footprint.
- $1 million insurance: Every Aura plan includes up to $1 million in identity theft insurance with dedicated U.S.-based recovery specialists.
- Family coverage: Family plans protect children's SSNs — a prime target for synthetic identity fraud since minors have no existing credit to trigger alerts.
Norton 360
- Dark Web Monitoring: Norton scans dark web forums, marketplaces, and paste sites for your personal information and sends alerts when it's found.
- LifeLock integration: Norton 360 with LifeLock adds comprehensive identity monitoring, SSN alerts, and credit monitoring with insurance up to $1 million.
- Device protection: Norton's antivirus catches malware-based credential theft at the source, preventing breaches on your end before they happen.
Data Breach Response Checklist
Bookmark this page. Here's your complete action checklist:
- Read the breach notification and identify what data was exposed
- Change the password on the breached account (use a password manager)
- Change the password everywhere you reused it
- Enable 2FA on all critical accounts (email, banking, social media)
- Freeze credit at Equifax, Experian, TransUnion, Innovis, and NCTUE
- Review bank accounts, credit cards, and payment apps for unauthorized activity
- Run a full malware scan on all devices
- File an FTC report at IdentityTheft.gov (if identity theft occurred)
- Request an IRS Identity Protection PIN (if SSN was exposed)
- Accept any free credit monitoring offered by the breached company
- Set up continuous monitoring with Aura or Norton LifeLock
- Check for class action lawsuits related to the breach
Frequently Asked Questions
How long after a data breach should I be worried?
Stolen data can be exploited months or even years after a breach. Criminals often stockpile credentials and personal information, using them when targets are least vigilant. You should maintain heightened monitoring for at least 12-24 months after a breach, and ideally use a continuous monitoring service like Aura that watches indefinitely.
Should I accept the free credit monitoring offered after a breach?
Yes, always accept free credit monitoring after a breach — it's better than nothing. However, these free offerings are typically limited to single-bureau monitoring for 12-24 months. For comprehensive protection, consider a dedicated service like Aura that monitors all three bureaus, scans the dark web, and provides identity theft insurance, covering you continuously rather than just for a limited period.
Can I sue a company after a data breach?
In many cases, yes. Class action lawsuits are common after major breaches, and some result in significant settlements (Equifax: $700M, T-Mobile: $350M). You typically need to demonstrate that you were affected by the breach and suffered harm. Check if a class action has been filed by searching the company name plus "data breach lawsuit." However, joining a class action usually yields modest per-person payouts, and the better priority is protecting yourself from further damage.
Don't Wait for the Next Breach
The average person's data has already been exposed in multiple breaches. Proactive monitoring catches threats before they become crises.