Online Safety · By Frank Cache · May 2026 · 12 min read

What to Actually Do When You Get a Data Breach Letter

You got a letter or email saying your data "may have been compromised." Don't panic. Don't throw it away. Here's exactly what to do, in the right order, in under an hour.

You open your mail, or your email, and there it is. A letter from some company, official-looking, with vague language about how your personal information "may have been compromised in a security incident." Fine print about what happened. An offer for free credit monitoring. A phone number to call.

Most people do one of two things: panic and spiral into worst-case scenarios, or toss the letter and hope nothing comes of it. Both are the wrong move.

The truth is these letters are shockingly common. Hundreds of millions of records are exposed in data breaches every year. You've probably been in more breaches than you realize. Most people find out they're in five, ten, or fifteen when they actually check. A breach notification letter doesn't mean you're doomed or that anything bad has already happened. It means a company that had your data failed to protect it, and now you need to take a few specific actions before someone uses that data against you.

This article is the exact playbook: what to do first, what to check, and how to close the door before anything turns into real damage.


Why You Got That Letter (and What It Actually Means)

Understanding the letter before you react to it.

Companies are legally required to notify you when your personal data is exposed in a security breach. The rules vary by state and country, but most places with mandatory disclosure laws require notification within a set number of days after the company discovers the incident.

The phrase "may have been compromised" is legal hedging. In most cases your data was exposed. The company's legal team wrote it that way to limit liability, not to reassure you. Read past that language and focus on what the letter actually tells you: which specific types of data were involved.

That part matters a great deal. A breach that exposed only your email address is very different from one that exposed your Social Security number. The letter should specify what category of data was affected. If it's vague, search for the company name plus "data breach notification": they typically publish a more detailed page.

One more thing worth knowing: the breach didn't happen to you specifically. A company you trusted with your data failed to protect it. You didn't do anything wrong. But you do need to respond.

How serious is your situation?

Low Severity

Email address and name only

Expect more phishing emails and spam. Low risk of account takeover if your passwords are unique to each site. Still worth checking haveibeenpwned.com.

Medium Severity

Email + password, or email + phone number + date of birth

Real account takeover risk. Change your password for the breached service immediately, and change it anywhere you used the same password. Enable two-factor authentication.

High Severity

Social security number, financial account numbers, or medical records

Identity theft risk. Act immediately: credit freeze at all three bureaus, fraud alert, and close monitoring of financial accounts. Follow every step in Section 2.

The First 48 Hours: What to Do Immediately

Priority-ordered steps based on what was exposed.

Breaches are often disclosed weeks or months after they happened. That gap means one of two things: either the data has already been used and you'd know about it by now, or it's sitting in a database waiting to be used. Either way, acting now closes options for whoever has it.

1. Don't panic, and don't wait

The worst thing you can do is spend three days anxiously reading about it without actually doing anything. Equally bad: deciding it's probably fine and forgetting about it. The steps below take less than an hour total. Block out an hour. Do them.

2. Figure out exactly what was exposed (5 min)

Reread the letter or email carefully. What specific types of data are listed? Email address only? Password? Phone number and date of birth? Social Security number? Financial account numbers? Medical records?

If the letter is vague, search for the company name plus "data breach notification": they typically publish a detailed page. The data types listed determine which of the following steps are urgent versus precautionary.

3. Change your passwords immediately (15 min)

Start with the breached service. Then, and this is the step most people skip, change the password on every other account where you used the same or a similar password. Your bank. Your email. Any financial service. Any site you visit regularly.

Each new password should be unique to that site. Not a variation of the old one.

🔑 The password manager moment
If you've been putting off using a password manager, this is the moment it stops being optional. A password manager generates and stores a unique strong password for every site automatically. You remember one master password; it handles everything else. The whole reason reused passwords are dangerous is that one breach exposes dozens of accounts. A password manager breaks that chain permanently.

4. Enable two-factor authentication everywhere (15 min)

Two-factor authentication means that even if someone has your password, they still can't get into your account without a second code. Start with your email account: it's the master key to everything else. Then your bank and financial accounts. Then social media and shopping.

If you have a choice between an authenticator app (Google Authenticator or Microsoft Authenticator) and receiving codes by text message, choose the app. It's more secure and not vulnerable to SIM swapping. Text message codes are still far better than nothing.

5. If financial data was exposed (30 min)

Call your bank and credit card companies. Let them know your financial information was in a breach and ask whether they recommend issuing new account numbers. Most will do this at no charge.

Place a fraud alert on your credit reports. One call to any one of the three credit bureaus (Equifax, Experian, or TransUnion) automatically places alerts at all three. A fraud alert tells lenders to take extra steps to verify your identity before opening new accounts in your name.

Monitor your financial statements closely for the next 90 days. Unexpected charges, even small ones, should be reported immediately.

6. If your Social Security number was exposed (1 hour)

This is the most serious scenario. A Social Security number combined with your date of birth and address gives someone enough to open credit cards, take out loans, and file tax returns in your name. Move quickly.

  • Place a credit freeze at all three bureaus: Equifax, Experian, and TransUnion. A freeze prevents anyone from opening new credit accounts in your name until you temporarily lift it. Free at all three.
  • Sign up for the free credit monitoring offered in the breach letter. Yes, the signup is tedious. Do it anyway: it's the company's money paying for it, and it adds a monitoring layer.
  • Consider an IRS Identity Protection PIN to prevent someone from filing a fraudulent tax return in your name. Available at irs.gov/identity-theft-central.
  • If you spot any suspicious activity, file an identity theft report at identitytheft.gov. This creates an official record and generates a personalized recovery plan.

Check the Breaches You Don't Know About

The letter you got is probably not the only one.

The breach you just got notified about is one breach. You've almost certainly been in others that you either missed the notification for or were never told about. Companies aren't always quick to disclose, and smaller breaches often go unreported entirely.

Go to haveibeenpwned.com and enter your email address. This site, run by a respected security researcher named Troy Hunt, checks your email against a database of hundreds of known breaches and shows you exactly which ones your address appeared in.

Don't be surprised if you find five, ten, or more entries listed. This is genuinely normal for anyone who has been online for more than a few years. It doesn't mean you've been hacked in any serious sense. It means companies that had your data weren't careful with it.

For each breach listed, check what data was exposed. If any of them included a password, and if you were reusing that password anywhere, consider it compromised and change it everywhere it was used.

🔍 Reading the results
Each entry on haveibeenpwned shows the company name, when the breach happened, and what categories of data were exposed. Work through the list from most recent to oldest. Any breach where a password was included is the priority. Any breach where your current email appeared means you're on more targeted phishing lists than you might think. Be extra skeptical of unsolicited emails going forward.
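The same site's Pwned Passwords service lets you check whether a specific password has shown up in known breaches without ever sending the password: you send only the first five hex characters of its SHA-1 hash and compare the returned list locally (k-anonymity). Added example, not code from the article or from the service itself; RANGE_API is the service's public range endpoint, and the response body in constructed_fetch is made up so the script runs offline.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; the 5-char prefix is all the API ever sees."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan the 'SUFFIX:COUNT' lines for our suffix; 0 means not in the corpus."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of every known hash sharing this prefix (hundreds of rows)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "breach-letter-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_seen(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in breach corpora; comparison is local."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range with a constructed response body.

    Real responses have the same shape; the suffixes and counts here are made up,
    except that the row for the sample password is derived from its real hash.
    """
    assert len(prefix) == 5
    _, sample_suffix = split_hash("Sunset2019!")
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{sample_suffix}:41",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ])


if __name__ == "__main__":
    print("Sunset2019! seen", times_seen("Sunset2019!", constructed_fetch), "times")
```

Call times_seen(pw) with the default fetch to query the live service; any nonzero count means treat that password as burned and replace it everywhere it was used.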

Why This Keeps Happening (and Why It's Getting Worse)

You can't stop breaches from happening. You can control the damage they cause.

Companies collect enormous amounts of personal data, often more than they need for the service they're providing. Security practices vary wildly across industries and company sizes. Some invest heavily in protecting what they store. Others do the minimum required by law.

Attackers have become more sophisticated and more organized over time. Data theft isn't a lone hacker in a basement anymore. Professional criminal organizations run breach operations and dark web marketplaces where stolen data is bought and sold at scale.

Regulation is slowly catching up, but penalties for breaches are often too small to force meaningful change. A company fined a few million dollars after a breach affecting tens of millions of customers has effectively done the math and concluded that the security investment wasn't worth it.

You can't control whether companies protect your data. What you can control is how much damage a breach causes when it happens. That's the purpose of everything in this article: reducing the blast radius.

What Actually Happens With Your Stolen Data

Understanding what happens next helps you know what to protect.

This is what the people who buy breached data do with it, and why the specific steps in this article matter.

🌑

The Data Gets Sold

After a breach, stolen data almost always ends up on dark web marketplaces, sold in bulk to other criminals. Email and password combinations sell for pennies per record. A full identity package (name, address, Social Security number, date of birth) might go for a few dollars per person.

The attacker who originally stole your data might not be the one who uses it. It gets passed around to multiple buyers with multiple potential uses. This is why acting quickly matters: your data might not have been used yet, but it will be available to an expanding number of people who might try.

🤖

Credential Stuffing Attacks

Criminals take email and password combinations from a breach and run them through automated software that tests those exact credentials on hundreds of other websites: banks, email providers, online shopping accounts, investment platforms, streaming services. Software does this thousands of times per minute. It requires no manual effort.

If you reused the breached password on any of those sites, the software finds it and logs in. You don't get a warning. You don't get a call. You find out later when something is missing or changed.

This is the direct reason why changing passwords on other sites matters, not just the one that was breached. The breached site's password is already burned. The question is how many other accounts are exposed because you used the same one.

🎣

Targeted Phishing That Uses the Breach

Once attackers have your name, email address, and the name of the company that was breached, they build convincing phishing emails. Something like: "We've detected suspicious activity on your [Breached Company] account. Click here to verify your identity and restore access."

This is how people get hit twice: first the breach, then a phishing attack that exploits the anxiety from the breach notification. The email is personalized, references a real company you actually used, and arrives exactly when you're already worried about your account.

Be extra suspicious of any emails related to the breached company for the next several months. When in doubt, go directly to the company's website by typing the address yourself. Don't click links in security-themed emails.

🛡️ VPN as an Extra Layer

A VPN doesn't prevent credential stuffing directly: that attack hits website servers, not your device. But using a VPN on any network you don't control (coffee shop, hotel, airport) protects your active sessions and makes it harder for anyone on that network to intercept login credentials or session cookies while you're using them.

👤

Identity Theft (the Worst Case)

Identity theft becomes possible when attackers have enough data points: Social Security number, date of birth, current address, plus a few answers to common security questions. With that combination, they can open credit cards, take out personal loans, file tax returns, and apply for government benefits, all in your name.

Identity theft is the longest recovery process in this space. Resolving it can take months or years of phone calls, disputes, and paperwork. This is why the credit freeze matters so much when a Social Security number is involved. A freeze makes it nearly impossible for anyone to open new credit in your name, regardless of what information they have about you.

How to Protect Yourself Before the Next One

Because there will be a next breach. Set these up now.

Every step below reduces how much damage the next breach can do. Most of them also reduce the damage from the one you just got the letter about.

1. Stop reusing passwords. Use a password manager. (One-time setup)

Every account gets its own unique password. A password manager handles the generation and storage automatically. This is the single highest-impact change you can make.

2. Use a VPN on any network you don't control. (Ongoing)

Public wifi at hotels, airports, coffee shops, and libraries. A VPN encrypts your connection so intercepted traffic is unreadable. One-click protection on phone and laptop.

3. Freeze your credit proactively. (30 minutes)

A credit freeze prevents anyone from opening new accounts in your name. Free to freeze and unfreeze at all three bureaus. Minor inconvenience when you apply for credit. Major protection the rest of the time.

4. Set up alerts on everything. (15 minutes)

Bank transaction alerts for any amount. Login notifications on email and social accounts. Free credit monitoring through Credit Karma. Detection is the second line of defense when prevention fails.

5. Reduce your data footprint. (Ongoing)

Delete old accounts you no longer use: each one is a potential breach source with your data still attached. Use a secondary email for site signups and keep your primary email for accounts that actually matter.

6. Take the free security audit. (2 minutes)

Covers your specific setup and gives you a personalized action list for anything this article didn't address.


About That Free Credit Monitoring They Offered

Free is free. But know what it actually does.

Almost every data breach notification comes with an offer for 12 or 24 months of free credit monitoring. Most people skip it because the signup process is mildly annoying or they assume it won't matter.

Sign up for it. The reasoning is simple: it's free, it's being paid for by the company that failed to protect your data, and it adds a monitoring layer on top of everything else you're doing. The signup is tedious. Do it anyway.

That said, understand what credit monitoring actually is and what it isn't. It tells you after something happens: a new account was opened in your name, a hard inquiry appeared on your report, your score changed significantly. It doesn't prevent any of that. It's detection, not protection.

Think of it as a smoke alarm, not a sprinkler system. Worth having, but not a substitute for the other protective steps in this article.

💡 After the free period ends
When the complimentary monitoring expires, you don't necessarily need to pay for a premium service. Free tools like Credit Karma provide similar monitoring at no cost. The one exception: if a Social Security number was exposed, investing in more comprehensive identity theft protection for a year or two is worth considering.

Getting a data breach letter is alarming. Now you know exactly what it means and exactly what to do about it. The key is order and speed: understand what was exposed, change affected passwords across every site where you used them, lock down two-factor authentication, and take the extra steps if financial data or a Social Security number was involved.

The breach itself isn't the disaster. The disaster is doing nothing afterward and letting attackers use that data unopposed for months while you assumed everything was probably fine.

Most of the steps in this article take less than an hour total. That hour doesn't just close the door on this breach: it also shrinks the blast radius of every breach that comes after. There will be more. The only question is how much damage they cause.

I write about this stuff because nobody should have to figure it out alone. If this article helped, take two minutes to run the free security audit below. It covers your specific situation and flags anything you might have missed.
