What To Do After a Data Breach: A Step-by-Step Guide

If you just got a data breach notice in the mail, an email, or a text, here is the order that actually protects you: confirm the notice is real, figure out exactly what was exposed, freeze your credit at all three bureaus for free, and take the free monitoring the notice offers. Everything else, watching your accounts, changing passwords, checking for a settlement, comes after those first moves. This guide walks through each step in the order that matters most.
1. Verify the Notice Is Real Before You Click Anything
Fake data breach notices are a well-documented attack on their own. Scammers copy a real company's breach announcement, add a link or phone number they control, and count on the panic of "your data was exposed" to get you to hand over exactly the information a real breach did not expose yet, your Social Security number, your bank login, or your card number "to verify your identity."
Before you do anything else, confirm the notice came from the company it claims to. Do not click the link in the email or text and do not call the phone number printed in the notice. Instead, open a new browser tab and type the company's website address yourself, or call a number you already have, from a billing statement, the back of your card, or a prior receipt. A legitimate breach notice will match what the company posts on its own official site.
Nobody legitimate cold-calls, texts, or emails you asking for your full Social Security number, a bank password, or a card's security code to "confirm" you were affected by a breach. The FTC's guidance on phishing scams covers the exact tells: urgency, a link that does not quite match the real domain, and a request for information a real company would never need from you to send a notice it already mailed you.
2. Work Out Exactly What Was Exposed
Read the notice again and look for the specific data types listed. A breach notice is required to say what categories of information were involved, and the right response is different for each one. Treating a password breach the same way you treat a Social Security number breach means you either overreact and waste time, or underreact and leave a real exposure unaddressed.
Social Security number, driver's license, or other government ID number exposed. This is the highest-severity exposure because it can be used to open new credit in your name for years. Freeze your credit at all three bureaus (step 3, below) and watch for the identity-theft warning signs covered in step 7.
Password or login credentials exposed. Change that password immediately, on the breached site and on every other account where you reused it or a close variation of it. This matters even if the breached account seems unimportant, because attackers test stolen credentials against banks, email, and shopping accounts automatically.
Card or bank account number exposed. Call the number on the back of the physical card, not a number from the notice, and ask for the card to be reissued. Card fraud is the easiest of these to reverse; federal protections and card-network rules mean you are very unlikely to be held liable for charges you report, but you still want a new card number issued promptly.
Email address, phone number, or mailing address only. This is lower severity on its own, but it fuels the next round of phishing, since scammers now know a real email tied to a real breach and can send a more convincing follow-up attack. Treat unexpected messages referencing the breach with extra suspicion for months afterward.
3. Freeze Your Credit at All Three Bureaus. It Is Free by Federal Law.
If your Social Security number was in the exposed data, this is the single highest-value action on this entire list. A credit freeze blocks lenders from pulling your credit file to open a new account, which means an identity thief who has your Social Security number still cannot open a credit card or loan in your name.

Since a federal law that took effect in 2018, credit freezes are free to place and free to lift, at every one of the three nationwide bureaus, Equifax, Experian, and TransUnion, according to the FTC's guidance on credit freezes and fraud alerts. You have to freeze all three separately, since a freeze at one bureau does not cover the others, and a freeze does not affect your credit score or stop you from using existing accounts. For the exact steps at each bureau, see our step-by-step credit freeze guide.
A credit freeze is stronger than a fraud alert, which only asks lenders to verify your identity before opening an account rather than blocking the pull outright. The Consumer Financial Protection Bureau recommends a freeze specifically when a Social Security number has been exposed, precisely the situation a data breach notice describes.
4. Enroll in the Free Monitoring the Breach Notice Offers
Most companies that experience a breach involving sensitive data offer affected people a period of free credit monitoring or identity theft protection, often 12 to 24 months. It is already paid for as part of the company's breach response. There is close to no downside to enrolling, even if you also plan to freeze your credit.
Check the notice for an enrollment code and a deadline. These offers are usually time-limited, so if you set the notice aside "for later," put a reminder on your calendar. Note the date the free monitoring ends, because that date, not the day you got the notice, is when you should reassess whether you want ongoing protection.
5. Change Passwords and Turn On Two-Factor Authentication
If a password was exposed, or you are not sure whether one was, change it, and change it on every other account where you used the same or a similar password. This is the step people skip most often, and it is the reason one breach cascades into several: attackers buy lists of stolen username-and-password pairs and try them automatically against banks, email providers, and retailers, a technique called credential stuffing that only works because so many people reuse passwords.
Turn on two-factor authentication wherever it is offered, starting with your email account, since email is usually the account a thief uses to reset everything else. The FTC explains how two-factor authentication works: even if an attacker has your password from a breach, a second factor, a code from an app or a security key, stops them from logging in with the password alone.
6. Watch Your Accounts and Your Credit Reports
Review your bank and card statements for charges you do not recognize, even small ones, since fraudsters sometimes test a stolen card with a tiny charge before a larger one. Set up transaction alerts through your bank's app if you have not already.

Pull your credit reports through AnnualCreditReport.com, the site the three bureaus are required to provide free reports through by federal law. All three bureaus now let you check your report from each of them once a week at no cost, according to the FTC, so there is no reason to pay a third party for a credit report or a credit score check. Look for accounts you did not open, inquiries you do not recognize, and an address you never lived at.
7. If Something Already Happened, Use IdentityTheft.gov
If you already see a new account you did not open, a collection notice for a debt that is not yours, or a tax return rejected because someone already filed under your Social Security number, go to IdentityTheft.gov, the FTC's free recovery site.
IdentityTheft.gov asks what happened and builds a personalized, step-by-step recovery plan, and it pre-fills the letters, affidavits, and dispute forms you need to send to credit bureaus, the businesses involved, debt collectors, and, if relevant, the IRS. It is free and it is run by the FTC, not a private company. If you would rather report the scam or the breach itself without opening a recovery case, ReportFraud.ftc.gov is the FTC's general fraud-reporting intake.
8. Check Whether a Settlement Exists
Some data breaches eventually produce a class-action settlement, where the company pays into a fund that affected people can file a claim against. Many do not, or the litigation is still ongoing with no claim form open yet, which is common and does not mean nothing is happening.
Search RecordingLaw's data breach settlement tracker for the company that sent your notice to see whether a settlement exists, what stage it is in, and, if a claim window is open, the link to file directly on the official settlement site. Filing is always free and always happens on the official administrator's site, never through a third party that contacts you first. If a settlement exists, treat any realistic payout as modest and pro rata, most claimants receive far less than a headline maximum figure, and never treat a possible future claim as a substitute for freezing your credit today.
9. Know Your State's Breach Notification Rights
Every US state, plus the District of Columbia, has its own data breach notification law requiring a company to tell you when your personal information is exposed, though the details of what counts as personal information, how fast the company must notify you, and what penalties apply vary by state.

California is currently the only state that gives consumers a direct, individual right to sue over certain data breaches, under the California Consumer Privacy Act, when a business's failure to maintain reasonable security procedures leads to specific categories of unencrypted personal information being stolen. In every other state, an individual's realistic path after a breach runs through a class action rather than a solo lawsuit. See our state-by-state data privacy law guide for the notification and rights specific to where you live.
When Paid Monitoring Might Be Worth Considering
The free steps above, a credit freeze and the monitoring the breach notice already includes, are enough protection for most people after most breaches. A paid identity protection service is worth a look mainly in two situations: your free monitoring period from the breach has ended and you want it to continue, or you want broader coverage than the breach notice offers, such as dark-web monitoring for existing account logins or monitoring across more than one credit bureau at once.
Broader identity monitoring after the free period
Aura monitors your own credit, SSN, and accounts for new fraud, and adds dark-web alerts. Consider it after your credit is frozen and any free breach monitoring has ended, or if you want wider coverage than a single bureau.
See Aura's CoverageAffiliate disclosure: if you sign up through this link we may earn a commission, at no extra cost to you. Learn more
Frequently Asked Questions
What is the very first thing I should do after getting a data breach notice?
Confirm the notice is genuine before you act on it. Go to the company's official website by typing the address yourself, or call a number you already have on a bill or card, rather than clicking a link or dialing a number printed in the notice.
Is it safe to click the link in a data breach notification email or text?
Treat it as unsafe by default. Fake breach notices that mimic a real company are a documented attack, and the FTC warns that legitimate companies do not ask you to confirm your Social Security number, bank login, or card number through a link in an unsolicited message.
Do I need to freeze my credit if my Social Security number was exposed?
A credit freeze is the strongest free protection available when a Social Security number is exposed, because it blocks lenders from opening new credit in your name even if someone has your number. It is free at all three bureaus under federal law and does not expire on its own.
Does freezing my credit hurt my credit score?
No. A credit freeze does not affect your credit score, and it does not stop you from seeing your own reports or using existing credit cards. It only blocks new lenders from pulling your file to open new accounts.
Should I pay for credit monitoring right after a data breach?
Not as your first move. Enroll in any free monitoring the breach notice already offers and freeze your credit first, since those two free steps cover most of what paid monitoring sells, and consider a paid service only for broader coverage or after the free period expires.
What is IdentityTheft.gov and does it cost anything?
IdentityTheft.gov is a free federal government site, run by the FTC, that builds you a personalized identity theft recovery plan and pre-fills the letters, affidavits, and dispute forms you need to send to credit bureaus, businesses, and debt collectors.
How do I find out if there is a class-action settlement for the breach that affected me?
Check RecordingLaw's data breach settlement tracker for the company that notified you. Not every breach produces a settlement, and if one exists it may still be in litigation with no claim form open yet, so this is a step to take after you have secured your credit and accounts, not instead of it.
Can I sue a company directly after a data breach?
In most states, an individual breach victim's realistic path is joining or waiting on a class action rather than filing an individual suit, though the facts of a specific breach can differ. California is currently the only state that gives consumers a direct private right to sue over certain data breaches on their own, under the California Consumer Privacy Act.
How long should I keep a credit freeze in place?
There is no requirement to ever lift a credit freeze. Many people leave freezes in place indefinitely and only lift them temporarily, at a specific bureau, when they are actually applying for new credit.
Sources and References
- Credit Freezes and Fraud Alerts(consumer.ftc.gov).gov
- IdentityTheft.gov: Data Breach Recovery Steps(identitytheft.gov).gov
- How To Recognize and Avoid Phishing Scams(consumer.ftc.gov).gov
- Use Two-Factor Authentication To Protect Your Accounts(consumer.ftc.gov).gov
- Free Credit Reports(consumer.ftc.gov).gov
- AnnualCreditReport.com, the official site for free credit reports(annualcreditreport.com)
- ReportFraud.ftc.gov(reportfraud.ftc.gov).gov
- What is a credit freeze or security freeze on my credit report?(consumerfinance.gov).gov