What to Do When a Company Gets Hacked and Has Your Data
You open your email and there it is: "We recently discovered a security incident that may have affected your personal information." Another breach. Another company that had your data and lost control of it.
The feeling is a mix of annoyance and dread. What did they have? Your name and email? Your Social Security number? Your credit card? And what exactly are you supposed to do about it? Most people read the email, feel anxious for an hour, and then do nothing. That is the worst response. The second-worst response is panic. The best response is a calm, specific checklist executed within the first 48 hours.
Here is that checklist.
Step 1: Figure Out What Was Actually Exposed
Not all breaches are equal. The breach notification email or the company's incident page will usually specify what data was compromised. The severity of your response depends entirely on what was taken.
Low severity (email address + name): You will get more phishing emails. That is about it. Update your password for that service, watch for suspicious emails referencing the company, and move on.
Medium severity (email + password hash, or phone number + address): Change your password for that service immediately. If you used the same password anywhere else, change those too. Expect targeted phishing attempts — scammers buy breach data and craft convincing emails using your real details.
High severity (Social Security number, date of birth, financial account numbers): This is the real danger zone. SSN exposure means someone can open credit in your name, file taxes as you, or commit medical identity theft. You need to execute every step below within 48 hours.
Critical (full financial records, bank account numbers, or medical records): Everything in high severity, plus direct contact with your financial institutions and potentially an IRS Identity Protection PIN.
Read the notification carefully. Do not skim it.
Step 2: Freeze Your Credit (15 Minutes)
If your Social Security number, date of birth, or financial information was exposed, freeze your credit at all three bureaus immediately. This is the single most impactful action you can take.
- Equifax: equifax.com/personal/credit-report-services/credit-freeze/ or 1-800-685-1111
- Experian: experian.com/freeze or 1-888-397-3742
- TransUnion: transunion.com/credit-freeze or 1-888-909-8872
A credit freeze prevents anyone — including you — from opening new credit accounts in your name. It is free, takes about five minutes per bureau, and stays active until you lift it. You will get a PIN for each bureau. Store these PINs in your password manager.
Also freeze at Innovis (innovis.com/securityFreeze) and NCTUE (nctue.com) to close gaps that most people miss.
If you are not sure whether the breach included your SSN, freeze anyway. There is no downside. You can always unfreeze temporarily when you need to apply for credit.
Step 3: Change Passwords and Enable 2FA
Change the password for the breached service. Then honestly assess: did you use that same password or a variation of it on any other accounts? If yes, change those too.
This is the moment to stop reusing passwords forever. A password manager generates unique, complex passwords for every account and remembers them for you. You only need to remember one master password.
Stop reusing passwords today
1Password generates and stores unique passwords for every account. One master password unlocks everything. If a breach exposes one password, nothing else is affected.
After changing passwords, enable two-factor authentication (2FA) on every account that supports it, starting with your email. Your email is the skeleton key — if someone gets into your email, they can reset passwords on everything else. Use an authenticator app (not SMS) when possible.
Priority accounts for 2FA:
- Email — the most important account you have
- Banking and financial accounts
- Social media (used for identity verification and password resets)
- Healthcare portals
- The breached service itself
Step 4: Monitor Your Accounts for 90 Days
The first 90 days after a breach are the danger window. Stolen data gets packaged and sold on dark web forums, and buyers use it for fraud attempts within weeks.
During this period, actively monitor:
- Bank and credit card statements — check weekly for unfamiliar charges, even small ones. Scammers often test with a $1-5 charge before making larger purchases.
- Credit reports — pull a free report from annualcreditreport.com and review it for accounts you did not open.
- Email inbox — watch for password reset emails you did not request. These indicate someone is trying to access your accounts.
- Health insurance EOBs — if your medical data was exposed, watch for Explanation of Benefits for services you did not receive. Medical identity theft is harder to detect and harder to fix than financial identity theft.
- Tax filings — if your SSN was exposed between January and April, consider filing your taxes early before someone files a fraudulent return in your name.
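The weekly statement review above can be partly scripted. The following is an added example, not code from the original article: it reads a card statement export in a simple date,merchant,amount CSV layout, lists charges from merchants you do not recognise, and separately looks for the pattern the article describes, a $1-5 probe charge followed within a few days by a larger charge from the same merchant. The CSV rows and the set of known merchants are constructed for illustration; the $1-5 band is the article's own figure.

```python
"""Screen a card statement export for charges that deserve a second look.

Added example, not part of the original article. The CSV rows and the set of
merchants the cardholder recognises are constructed for illustration; the
$1-5 'test charge' band comes from the article's own guidance.
"""
import csv
from datetime import date
from decimal import Decimal
from io import StringIO

# Constructed sample export in a common date,merchant,amount layout.
STATEMENT_CSV = """date,merchant,amount
2024-05-01,Grocery Mart,84.12
2024-05-02,Coffee Corner,4.50
2024-05-03,Online Games Ltd,1.00
2024-05-04,Online Games Ltd,249.99
2024-05-05,Grocery Mart,61.30
2024-05-06,Streaming Co,12.99
"""

# Merchants the cardholder recognises (constructed). Anything else is unfamiliar.
KNOWN_MERCHANTS = {"GROCERY MART", "COFFEE CORNER", "STREAMING CO"}

# The small-charge band the article says scammers use to probe a card.
TEST_CHARGE_MIN = Decimal("1")
TEST_CHARGE_MAX = Decimal("5")


def parse_statement(text):
    """Parse the CSV export into dicts with a date object and a Decimal amount."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "date": date.fromisoformat(row["date"]),
            "merchant": row["merchant"].strip().upper(),
            "amount": Decimal(row["amount"]),
        })
    return rows


def is_test_sized(amount):
    """True if the amount falls in the $1-5 probe band."""
    return TEST_CHARGE_MIN <= amount <= TEST_CHARGE_MAX


def unfamiliar_charges(rows, known):
    """Every charge from a merchant the cardholder does not recognise."""
    return [row for row in rows if row["merchant"] not in known]


def probe_then_spend(rows, window_days=7):
    """Merchants where a $1-5 charge is followed within window_days by a larger one.

    Returns (merchant, probe_date, spend_date, spend_amount) tuples. This is the
    'test charge, then real purchase' pattern the article describes.
    """
    by_merchant = {}
    for row in rows:
        by_merchant.setdefault(row["merchant"], []).append(row)
    hits = []
    for merchant, charges in by_merchant.items():
        charges.sort(key=lambda r: r["date"])
        for i, probe in enumerate(charges):
            if not is_test_sized(probe["amount"]):
                continue
            for later in charges[i + 1:]:
                if (later["date"] - probe["date"]).days > window_days:
                    break
                if later["amount"] > TEST_CHARGE_MAX:
                    hits.append((merchant, probe["date"], later["date"], later["amount"]))
                    break
    return hits


if __name__ == "__main__":
    rows = parse_statement(STATEMENT_CSV)
    for row in unfamiliar_charges(rows, KNOWN_MERCHANTS):
        tag = "possible test charge" if is_test_sized(row["amount"]) else "unfamiliar merchant"
        print(f"{row['date']} {row['merchant']:<18} {row['amount']:>8}  <- {tag}")
    for merchant, probe_on, spend_on, amount in probe_then_spend(rows):
        print(f"{merchant}: ${amount} on {spend_on} follows a probe-sized charge on {probe_on}")
```

Anything the script flags still needs a human decision: a merchant you simply forgot is not fraud, and a genuine fraudster will not always follow the probe pattern. The point of the script is to make the weekly review take two minutes instead of being skipped.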
Automate your breach monitoring
Aura monitors your credit, SSN, bank accounts, and dark web exposure 24/7 and alerts you instantly when something suspicious happens. Particularly valuable in the 90-day window after a breach.
Step 5: Reduce Your Exposure for Next Time
Every breach notification is a reminder that companies you gave your data to can lose it at any time. You cannot control their security, but you can control how much data is out there with your name on it.
Practical steps to reduce your exposure:
- Use email aliases for signups. Services like Apple Hide My Email or SimpleLogin let you create unique email addresses for each service. When one gets breached, the exposure is contained.
- Only give real information when legally required. That online retailer does not need your real birthday. That loyalty program does not need your home address.
- Delete accounts you no longer use. Every dormant account is a breach waiting to happen with zero benefit to you.
- Remove your personal data from data brokers. Your name, address, phone number, and relatives are publicly available on hundreds of people-search sites. This data helps scammers craft convincing phishing attempts after a breach.
Step 6: Do Not Fall for the Breach Itself Being Used as a Scam
This is important: after a major breach hits the news, scammers send fake "breach notification" emails that link to phishing sites. The email looks like it is from the breached company but actually leads to a page designed to steal your credentials.
Rules for breach notification emails:
- Never click links in the email. Go directly to the company's website by typing the URL.
- The company will never ask for your password, SSN, or credit card number via email.
- If the email asks you to "verify your identity" by entering personal information, it is a scam.
- Check the sender's email address carefully. Scammers use domains like "support-equifax.com" instead of "equifax.com."
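The last rule, checking the sender's domain, is easy to get wrong by eye because lookalike domains are built to pass a quick glance. The following is an added example, not part of the original article: it pulls the domain out of a From: header and reports whether it is one of the domains you actually expect (or a subdomain of one), a lookalike that merely contains the brand name, or something unrelated. The allowlist of legitimate domains and the sample headers are constructed for illustration; in practice, take the legitimate domains from the company's own website, as the article advises.

```python
"""Sanity-check the sender domain of a breach notification email.

Added example, not part of the original article. The allowlist and the
sample From: headers are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allowlist: the registrable domains the reader expects mail from.
# Take these from the company's own website, never from the email itself.
LEGITIMATE_DOMAINS = {"equifax.com", "experian.com", "transunion.com"}


def sender_domain(from_header):
    """Return the lower-cased domain part of a From: header, or "" if none."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_legitimate(domain):
    """True only if domain is an allowlisted domain or a subdomain of one.

    The leading dot matters: 'support-equifax.com' does not end with
    '.equifax.com', so it is rejected, while 'alerts.equifax.com' passes.
    """
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify_sender(from_header):
    """Classify a From: header as 'legitimate', 'lookalike' or 'unknown'.

    A 'lookalike' is a domain that is not allowlisted but contains the brand
    name of an allowlisted domain, e.g. support-equifax.com or
    equifax.com.example.net.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if is_legitimate(domain):
        return "legitimate"
    brands = {d.split(".")[0] for d in LEGITIMATE_DOMAINS}
    if any(brand in domain for brand in brands):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers.
    for header in [
        "Equifax Security <alerts@equifax.com>",
        "Equifax <support@support-equifax.com>",
        "<notice@equifax.com.example.net>",
    ]:
        print(f"{classify_sender(header):<11} {header}")
```

A "legitimate" verdict only means the visible From: address is plausible; the header can be forged, so the article's first rule still stands: do not click the link, type the company's URL yourself. A "lookalike" verdict is a strong signal that the message is the scam the article warns about.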
Key Takeaways
- Read the breach notification carefully to understand what was exposed — your response depends on the severity
- Freeze your credit immediately if SSN, DOB, or financial data was compromised — all three bureaus plus Innovis and NCTUE
- Change passwords and enable 2FA on the breached service and any account that shared the same password — then switch to a password manager permanently
- Monitor accounts actively for 90 days — bank statements, credit reports, email, health insurance, and tax filings
- Reduce your exposure by using email aliases, deleting unused accounts, and removing your data from broker sites
- Do not click links in breach notifications — go directly to the company's website
Data breaches are not going away. Companies will continue to lose your data. The difference between being a victim and being a person who shrugs it off is having a response plan you execute quickly and calmly.
Remove your data from the web
Your personal information is sitting on hundreds of data broker sites right now, making you a target every time a breach happens. DeleteMe removes your data from 750+ broker sites automatically.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.