What to do after a data breach: a step-by-step checklist
Getting told your data was exposed is unsettling, but the right response is a short, ordered checklist — not panic. Work through these steps in order; the early ones matter most.
Your post-breach checklist
- Confirm the breach is real. Scammers send fake "you have been breached" emails to get you to click. Do not click links in the notification. Instead, go directly to the company’s site, or verify the breach independently on Have I Been Pwned.
- Change the affected password immediately. Log in the normal way (not through the email link) and set a new, unique password for the breached account.
- Change that password anywhere you reused it. If the leaked password protected any other account, change those too. Attackers will try the leaked combination across dozens of popular sites within hours.
- Turn on two-factor authentication. Add 2FA to the breached account and to your primary email. It is the single biggest thing that makes a leaked password useless to an attacker.
- Watch for targeted phishing. Breached data — your name, address, and which company leaked it — is used to craft convincing scam messages. For the next few weeks, be extra skeptical of emails, texts, and calls referencing that company.
- Freeze your credit if financial or ID data leaked. If a Social Security number, bank details, or full date of birth were exposed, place a free credit freeze with the three major bureaus. It is free, reversible, and blocks new accounts opened in your name.
- Keep monitoring going forward. The same accounts can be exposed again in a future breach. Ongoing monitoring means you find out immediately next time instead of months later. Clearly does this for free and tells you what each new breach means for you.
Done in order, this whole list takes well under an hour and closes the doors that a breach leaves open. The people who get hurt are usually the ones who reused a password and never found out it leaked.