
What to Do After a Data Breach: Your Step-by-Step Action Plan (2026)

data breach, data breach response, identity theft protection, breach notification

If you've received a data breach notification — an email or letter telling you your information was exposed in a company's breach — you're not alone. These notices have become routine, and most people aren't sure what, if anything, they actually need to do.

Here's the real action plan, in order of priority.


Step 1: Figure Out What Was Actually Exposed

Not all breaches are equal. The notice you received should say what categories of data were involved — and that determines everything else:

What Was Exposed             Why It Matters
Email address only           Low risk on its own, but useful for phishing
Email + password             High risk if you reused that password elsewhere
Name, address, phone         Useful for scammers' social engineering and phishing
Social Security number       Highest risk — can enable new-account and tax fraud
Financial account numbers    Risk to existing accounts; contact your bank
Medical information          Risk of medical identity theft

Don't skip this step — it tells you which of the steps below actually apply to you.


Step 2: Change Your Password — Everywhere You Reused It

If your password was exposed (even hashed), change it on the breached site immediately. Then think about every other account where you used the same or a similar password — attackers run breached email/password combinations against other popular sites, a technique called credential stuffing.

A password manager makes this far less painful by generating and storing unique passwords per site, so one breach can't cascade into others.
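As an added example (not part of the original article), the Python script below does the reuse check Step 2 describes: given a password-manager export and the name of the breached site, it lists every account that shares that password or a trivial variant of it (same word with a different year or punctuation, which credential-stuffing tools try automatically). The vault rows are constructed sample data and the site names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of a password-manager CSV export. None of these are real
# credentials; the site names are placeholders.
SAMPLE_VAULT = """site,username,password
shop.example,alice@example.com,Summer2023!
forum.example,alice@example.com,Summer2024!
bank.example,alice@example.com,T7#pq!vZ2mLq9
mail.example,alice@example.com,Summer2023!
streaming.example,alice,correct-horse-battery
"""


def normalize(password: str) -> str:
    """Collapse the trivial variations credential-stuffing tools try
    automatically (case changes, appended years or digits, punctuation).
    'Summer2023!' and 'summer2024' both reduce to 'summer'. All-digit
    passwords have no letters left, so they fall back to the raw value."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return core or password.lower()


def parse_vault(csv_text: str) -> list[dict]:
    """Parse a site,username,password export into a list of entries.
    The password is split off last so commas inside it survive."""
    entries = []
    for line in csv_text.strip().splitlines()[1:]:  # skip the header row
        site, username, password = line.split(",", 2)
        entries.append({"site": site, "username": username, "password": password})
    return entries


def reuse_groups(entries: list[dict]) -> dict[str, list[str]]:
    """Map each reused (normalized) password to the sites that share it."""
    groups = defaultdict(list)
    for entry in entries:
        groups[normalize(entry["password"])].append(entry["site"])
    return {key: sites for key, sites in groups.items() if len(sites) > 1}


def accounts_to_change(entries: list[dict], breached_site: str) -> list[str]:
    """Every site whose password matches the breached site's password after
    normalization. Includes the breached site itself, which must change too."""
    breached = [e for e in entries if e["site"] == breached_site]
    if not breached:
        return []
    key = normalize(breached[0]["password"])
    return sorted({e["site"] for e in entries if normalize(e["password"]) == key})


if __name__ == "__main__":
    vault = parse_vault(SAMPLE_VAULT)
    print("reused passwords:", reuse_groups(vault))
    print("change after shop.example breach:", accounts_to_change(vault, "shop.example"))
```

The normalization is deliberately aggressive: it would rather flag two unrelated passwords that share a word than miss a "Summer2023!" / "Summer2024!" pair, since that is exactly the variation an automated login attempt will try next.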


Step 3: Turn On Two-Factor Authentication

If the breached account (or any account using the same credentials) doesn't already have two-factor authentication (2FA) enabled, turn it on now. Even if your password is compromised, 2FA blocks most automated login attempts.



Step 4: If Your SSN or Financial Data Was Exposed — Act Fast

This is where the stakes go up significantly. If the breach involved your Social Security number, follow our full guide:

What to Do If Your Social Security Number Is Stolen

At minimum, that means placing a fraud alert and freezing your credit at all three bureaus:

How to Freeze Your Credit at All 3 Bureaus

If financial account numbers were exposed, contact your bank or card issuer directly — they can often reissue account numbers or flag the account for extra monitoring.


Step 5: Watch for Breach-Themed Phishing

After any major breach, scammers send fake "security alert" emails referencing the breach to trick people into clicking malicious links or "verifying" their information. These often look more convincing right after a real breach because the topic feels timely and credible.

Be especially skeptical of any email or text that:

  • References the breach by name and asks you to "verify your account"
  • Asks you to log in via a link rather than going to the site directly
  • Creates urgency ("your account will be suspended")
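An added example, not from the original article: a small Python checker that applies the three warning signs above to a message and adds the check they imply, namely whether each link (and the sender address) actually belongs to the breached company's real domain. The two sample messages, the sender addresses and every domain in them are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Phrases that signal the urgency / "verify your account" pressure described above.
PRESSURE_PHRASES = (
    "verify your account",
    "will be suspended",
    "within 24 hours",
    "immediately",
    "act now",
)

ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL = re.compile(r'https?://[^\s<>"]+')


def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('mail.shop.example' -> 'shop.example').
    Good enough for this demo; real tooling should use the Public Suffix List
    so that e.g. 'co.uk' domains are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(body: str) -> list[tuple[str, str]]:
    """Return (visible text, destination URL) pairs for HTML anchors and
    bare URLs in the message body."""
    links = [(text.strip(), href) for href, text in ANCHOR.findall(body)]
    remainder = ANCHOR.sub(" ", body)  # so anchor hrefs are not counted twice
    links += [(url, url) for url in BARE_URL.findall(remainder)]
    return links


def assess(message: dict, expected_domain: str) -> list[str]:
    """Apply the warning signs to one message. `message` has 'from', 'subject'
    and 'body'; `expected_domain` is the breached company's real domain."""
    findings = []
    sender_host = message["from"].rsplit("@", 1)[-1].strip("> ")
    if registered_domain(sender_host) != expected_domain:
        findings.append(f"sender domain '{sender_host}' is not {expected_domain}")

    for text, href in extract_links(message["body"]):
        host = urlparse(href).hostname or ""
        if registered_domain(host) != expected_domain:
            findings.append(f"link goes to '{host}', not {expected_domain}")
            # Classic lure: the visible text names the real site, the href does not.
            if expected_domain in text.lower():
                findings.append(f"link text mentions {expected_domain} but points to '{host}'")

    haystack = (message["subject"] + " " + message["body"]).lower()
    for phrase in PRESSURE_PHRASES:
        if phrase in haystack:
            findings.append(f"pressure language: '{phrase}'")
    return findings


# Constructed sample lure (not a real email); all domains are placeholders.
SAMPLE_PHISH = {
    "from": "Security Team <alerts@shop-example-support.com>",
    "subject": "Action required: your Shop.example account will be suspended",
    "body": ('Following the recent data breach, please '
             '<a href="https://shop.example.verify-login.net/auth">log in at shop.example</a> '
             'within 24 hours to verify your account.'),
}

# Constructed legitimate notice for comparison.
SAMPLE_LEGIT = {
    "from": "Shop.example <notice@shop.example>",
    "subject": "Notice of a security incident",
    "body": ('We reset your password as a precaution. Go to https://shop.example/account '
             'by typing the address into your browser yourself.'),
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_PHISH, "shop.example"):
        print("-", finding)
    print("legit notice findings:", assess(SAMPLE_LEGIT, "shop.example"))
```

Each finding on its own is only a hint (a real notice can also say "immediately"), but a mismatched link domain together with pressure language is the combination the list above is warning about, and it is the pattern worth training yourself to notice before clicking.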

Step 6: Use the Free Credit Monitoring — But Don't Rely On It Long-Term

Companies that experience a breach often offer free credit monitoring for a year or two. It's worth activating since it costs nothing — but be aware of its limits:

  • It usually expires after 1-2 years, while exposed data (especially SSNs) doesn't expire
  • It typically covers credit monitoring only — not dark web monitoring, SSN misuse alerts, or identity theft insurance
  • Enrollment often requires action on your part — it's rarely automatic



How Long Should You Stay Vigilant?

This is the part most people get wrong: they take the steps above right after the notification, then stop thinking about it once the free monitoring period ends.

But stolen data — especially an SSN — doesn't expire. It can sit in a dark web marketplace for years before being used. This is exactly the gap that ongoing identity monitoring fills: instead of a one-time response to one breach, it continuously watches for your information showing up in new breaches and for misuse of your identity going forward.

If you're not sure whether your information has shown up in other breaches beyond the one you were notified about, see our guide: Has My Personal Information Been Leaked?

For details on what's included in continuous identity and credit monitoring, see our Aura pricing guide or full Aura review.


Bottom Line

When you get a data breach notification:

  1. Read the notice to find out exactly what was exposed
  2. Change passwords — everywhere you reused them
  3. Enable 2FA on affected accounts
  4. If your SSN was exposed, freeze your credit and follow the full SSN guide
  5. Watch for breach-themed phishing in the weeks after
  6. Use free credit monitoring if offered, but don't treat it as a permanent solution

The companies involved move on quickly. Your exposed data doesn't — which is why the response that matters most is the one that continues after the headlines fade.



Frequently Asked Questions

What's the first thing I should do after receiving a data breach notification?

Read the notice carefully to find out exactly what type of information was exposed (email, password, SSN, financial data, etc.) — your next steps depend entirely on that. Then change the password for the affected account and anywhere else you reused it.

Should I change my password if my password wasn't part of the breach?

Yes, if you've ever reused that password anywhere else. Breached email addresses are commonly used in 'credential stuffing' attacks, where attackers try the same email/password combination across many other sites.

Is it worth using the free credit monitoring breached companies offer?

It's worth activating since it's free, but don't rely on it long-term — these offers are typically limited to 1-2 years and only cover credit monitoring, not the broader identity, SSN, and dark web monitoring that ongoing identity protection services provide.

What's the most dangerous type of information to have exposed in a breach?

Your Social Security number is the most consequential, since it can be used to open new accounts, file fraudulent tax returns, or commit medical and employment fraud. Financial account numbers and passwords are next, followed by personal details like address and date of birth, which are often used to answer security questions.

How long should I stay vigilant after a data breach?

Indefinitely for sensitive data like your SSN — stolen information doesn't expire and can be used or resold years after the original breach. This is why many people choose ongoing identity monitoring rather than a one-time check.

Jay D

Cybersecurity Analyst & Founder, OnlineSafetyChecker

Jay is a cybersecurity analyst with over a decade of experience in threat intelligence, network security, and digital forensics. He founded OnlineSafetyChecker to make practical security tools and knowledge accessible to everyone — not just IT professionals.

Cybersecurity, Network Security, Threat Intelligence