Emergency·8 min read

Data Breach Response Guide: What to Do When Your Information Is Leaked

Over 4,200 data breaches exposed 5.4 billion records in 2025. If your data is in one of them — and statistically, it is — here's exactly what to do, in what order, starting right now.

The First 10 Minutes

1. Check haveibeenpwned.com to confirm the breach. 2. Change the breached account's password. 3. Change that same password everywhere else you reused it. 4. Enable 2FA on the breached service and your email. 5. Check your email for suspicious login notifications. Then continue with the full response below.

Step 1: Immediate Containment (First Hour)

1

Change the breached account's password immediately. Use a unique, randomly generated password of at least 16 characters. A password manager makes this trivial. Do not reuse any part of your old password.

2

Change passwords on ALL accounts that shared that password. This is why password reuse is so dangerous — one breach cascades into many. If you used the same password on your email, banking, and social media, all are now compromised. Start with email (it controls password resets for everything else), then banking, then everything else.

3

Enable two-factor authentication. On the breached account first, then your email, then banking. Use an authenticator app (Google Authenticator, Authy, 2FAS) — not SMS. SMS-based 2FA can be defeated by SIM-swapping.

4

Check for unauthorized access. Review recent activity on the breached account — logins from unfamiliar locations, sent messages you didn't write, purchases you didn't make, changed settings. Check your email for "password changed" or "new login" notifications from other services.

Step 2: Assess What Was Exposed (First Day)

Data breaches expose different types of information — and your response depends on what was leaked:

  • Email + password only: Steps 1-4 above are sufficient. Password reuse is your main risk.
  • Name + address + phone: Expect increased phishing attempts (calls, texts, emails). Enable spam filtering. Never click links in unsolicited messages.
  • Social Security number + DOB: High risk of identity theft. Proceed immediately to Step 3 (credit freeze).
  • Credit card numbers: Contact your bank to cancel and reissue the card. Monitor statements for fraudulent charges.
  • Government ID / passport details: Report to the issuing agency. Document the breach for future reference if your identity is used fraudulently.

Step 3: Freeze Your Credit (If Identity Info Was Exposed)

A credit freeze prevents anyone — including you — from opening new credit accounts in your name. It's the single most powerful protection against identity theft. It's free, takes about 10 minutes per bureau, and can be temporarily lifted (thawed) when you need to apply for a loan or credit card.

Contact all three major credit bureaus:

  • Equifax: equifax.com/personal/credit-report-services
  • Experian: experian.com/freeze
  • TransUnion: transunion.com/credit-freeze

You'll receive a PIN from each bureau — save these securely in your password manager. You'll need them to lift the freeze later.

Step 4: Monitor and Prevent (Ongoing)

  • Sign up for breach monitoring: haveibeenpwned.com's notification service emails you when your address appears in new breaches. Free, reliable, run by a respected security researcher.
  • Check your credit reports: AnnualCreditReport.com provides free weekly reports from all three bureaus. Review for accounts you don't recognize.
  • Use unique passwords everywhere: A password manager generates and remembers a unique password for every service. If one gets breached, the others stay safe.
  • Use a VPN going forward: A VPN prevents your ISP from adding your browsing data to the pool of information available about you. Combined with the steps above, it reduces your exposure surface.

Related guides: clear your digital footprint · 10-step privacy guide · spot a fake VPN.

Prevention Starts With Encryption

Shield VPN keeps your traffic private so your ISP can't add to the data profile that breaches expose. WireGuard + AES-256 + audited no-logs. 30-day money-back guarantee.

Download on Google Play