You received a data breach notification email. Now what? The next 48 hours are critical. This guide walks you through exactly what to do.

Step 1: Verify It's Real (Not a Phishing Scam)

Before clicking anything in the notification email, verify the breach through a trusted source like HaveIBeenPwned.com or the company's official website. Scammers often send fake breach notifications to steal credentials.

Step 2: Find Out What Was Exposed

The breach notification should specify what data was compromised:

  • Passwords — Change immediately on that site and anywhere you used the same password.
  • Email addresses — Expect phishing attempts. Enable spam filters.
  • Credit card numbers — Contact your bank to issue a new card.
  • SSN or government ID — Freeze your credit immediately (see our SSN guide).
  • Medical records — Monitor your Explanation of Benefits statements.

Step 3: Change Affected Passwords Immediately

Use a password manager to generate a unique, strong password for every account. Never reuse passwords. Enable two-factor authentication (2FA) wherever possible — use an authenticator app, not SMS.
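As an added example, not part of the original guide, the checks in Step 1 and Step 3 can be automated with the HaveIBeenPwned Pwned Passwords range API, which uses k-anonymity: only the first five characters of a password's SHA-1 hash leave your machine, and you match the rest locally. The range response embedded below is constructed sample data (its hit counts are made up), so the example runs offline; `fetch_range` shows the real request shape but is not called.

```python
import hashlib
from urllib.request import Request, urlopen

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6.
# Real responses have hundreds of "SUFFIX:COUNT" lines; counts here are made up.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D1E6A2F7A5DB0EB12:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2DC183F740EE76F27B78EB39C8AD972A757:1
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the
    API and the 35-char suffix that is matched locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping of suffix -> breach count."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines defensively
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus described by range_body.
    0 means the password's hash suffix was not in the returned range."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch a real range from the HIBP API (network; not used by the offline demo)."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "breach-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo: "password" hashes to 5BAA6 1E4C9B93F3F0682250B6CF8331B7EE68FD8.
    print("password ->", breach_count("password", SAMPLE_RANGE_RESPONSE), "hits")
```

A non-zero count means the password is in a known breach corpus and must be replaced everywhere it was reused, regardless of which site's notification you received.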

Step 4: Freeze Your Credit

If financial data was exposed, freeze your credit at all three bureaus. It's free, takes minutes, and prevents anyone from opening new accounts in your name.

Step 5: Monitor for 12+ Months

Stolen data is often not used immediately — criminals package and sell it on the dark web. Your information may surface months or years later.

Key Fact: The average time between a data breach and its discovery is 204 days (IBM Cost of a Data Breach Report). Continuous monitoring is essential.

Sources: IBM Cost of a Data Breach Report 2024; FTC; HaveIBeenPwned.