What to Do After a Data Breach: Step-by-Step Response
Key Takeaways
- A company emails you about a breach.
- These actions have time-sensitive value.
- A credit freeze is the strongest available protection against new account fraud.
- Understanding breach notification laws matters for two reasons: it tells you how much delay is legally acceptable (often more than you'd hope), and it gives you leverage when companies are slow to notify.
- Free monitoring stack (covers the basics).
In September 2017, Equifax disclosed that attackers had accessed the personal data of 147 million Americans — names, Social Security numbers, dates of birth, addresses, driver's license numbers, and credit card numbers for approximately 209,000 people. The breach occurred in May 2017. Equifax knew about it by July. They disclosed it in September. During that window, executives sold stock. Consumers had no idea.
The FTC settlement in 2019 provided affected consumers up to $125 in cash compensation — or free credit monitoring for 10 years. Almost every claim for cash was rejected because the pool cap was reached; most people received a few cents.
The personal consequences of the Equifax breach are still playing out today. Social Security numbers do not change. A SSN exposed in 2017 is usable for identity fraud in 2026. There is no notification that tells you when your data is used for fraud — only the downstream effects: a rejected mortgage application, a call from a debt collector about a credit card you never opened, a rejected tax return because one was already filed in your name.
This guide covers the response framework for any personal data breach — what to verify, what to do immediately, what to do in the first week, and how to monitor long-term. The sequence matters. The speed matters. The specifics of what was exposed determine exactly which responses apply.
Step 0: Verify Before Reacting
A company emails you about a breach. Before taking any action based on that notification, verify two things: that the breach is real, and that the notification is real.
Check HaveIBeenPwned
HaveIBeenPwned (HIBP), built and maintained by security researcher Troy Hunt, indexes hundreds of breaches containing billions of records. It is the most reliable public resource for checking personal exposure.
Navigate to haveibeenpwned.com and enter each email address you use. HIBP returns:
- Which specific breaches your address appears in
- The data types exposed in each breach (passwords, phone numbers, physical address, etc.)
- Whether your address appears in stealer log data (separate and more serious: malware that ran on a device you own and exfiltrated credentials in real time)
Check every email address — old addresses on accounts you barely remember are common blind spots. The address you used in 2009 to sign up for a gaming forum has probably been in three breaches by now.
Reading HIBP results accurately:
"Pwned in 4 data breaches" means your email appears in 4 breach databases.
It does NOT mean all 4 breaches exposed the same data.
Read each breach's data types:
- "Passwords" in the exposure types → passwords were in the breach
- "Hashed passwords" → encrypted but potentially crackable, treat as exposed
- "Passwords stored in plaintext" → worst case, treat as immediately exposed
- "Email addresses only" → lower risk, primarily useful for spam
HIBP stealer logs section (added 2024):
These are different and more serious than breach databases.
Stealer logs come from information-stealing malware (RedLine, Vidar, Raccoon)
that ran on a victim's device and exfiltrated credentials in real time.
If your email appears in stealer logs, a device you used was compromised.
Change every password stored in the browser on that device immediately.
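HIBP also publishes the Pwned Passwords "range" API, which lets you check whether a password appears in breach corpora without ever sending the password: only the first five hex characters of its SHA-1 leave your machine, and you match the rest locally. The block below is an added example, not code from the original guide or from HIBP; the range response it parses is a constructed sample (the counts are made up), and `offline_fetch` stands in for the HTTPS request a real client would make.

```python
import hashlib

# Constructed sample of what the Pwned Passwords range endpoint returns for the
# prefix "5BAA6": one "SUFFIX:COUNT" pair per line, where SUFFIX is the remaining
# 35 hex characters of the SHA-1. The counts here are made up for the example.
SAMPLE_RANGE_RESPONSE = """\
1E2E8C6B5D2F3A4B5C6D7E8F9A0B1C2D3E4:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E4D5B7A8C9D0E1F2A3B4C5D6E7F8A9B0C1:0
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-character prefix that is
    sent to the API and the 35-character suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(response_text: str, suffix: str) -> int:
    """Scan a range response for our suffix; return its count, or 0 if absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_password_pwned(password: str, fetch_range) -> int:
    """Return how many times `password` was seen in the corpus (0 = not found).

    `fetch_range` is a callable prefix -> response text. A networked client
    would do requests.get(f"https://api.pwnedpasswords.com/range/{prefix}")
    there; the prefix alone reveals nothing usable about the password.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(fetch_range(prefix), suffix)


def offline_fetch(prefix: str) -> str:
    # Stand-in for the network call, answering only from the constructed sample.
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ["password", "xK9#mP2@vL7qRn4$dX8&wJ5%aB"]:
        n = is_password_pwned(candidate, offline_fetch)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample")
```

The suffix comparison is the whole point of the design: the service returns every suffix sharing your prefix (hundreds of them), so it cannot tell which one you were looking for.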
Verify the Breach Notification Itself
Phishing emails impersonating breach notifications are standard practice. Attackers register domains like equifax-breach-update.com within hours of a major breach announcement and send fake notification emails exploiting consumer fear and confusion.
Before clicking any link in a breach notification email:
Verification procedure:
1. Open a NEW browser tab
2. Type the company's known URL directly (e.g., equifax.com, not the URL in the email)
3. Look for official breach announcement in their newsroom, security page, or status page
4. Search: "[Company name] breach [year]" in Google — look for news articles and official statements
5. Check the FTC's BreachCheck resource or state AG consumer alerts for confirmed notices
If the notification email asks you to:
- "Verify your account" → suspicious, verify via direct navigation first
- "Click here to see what was exposed" → suspicious
- "Reset your password via this link" → suspicious
- "Enroll in free credit monitoring at this URL" → verify the URL resolves to the real company
Legitimate breach notifications:
- Do NOT require you to click a link to see if you were affected
- Do NOT ask for current credentials to verify identity
- Link to official domain (not a third-party URL shortener or unexpected domain)
- Are typically very vague about what specifically you should do (avoid liability language)
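The domain check in the verification procedure above is easy to get wrong by eye, because lookalike hosts are built to contain the real brand name. The following added example (not from the original guide) classifies a link from a notification email against a hypothetical allow-list of domains you already know belong to the company; the allow-list, the shortener list and the sample URLs are assumptions for the demonstration.

```python
from urllib.parse import urlparse

# Hypothetical allow-list: domains you already know belong to the company
# (from prior correspondence, your own bookmarks, or typing the URL yourself).
KNOWN_DOMAINS = {"equifax.com", "equifaxbreachsettlement.com"}

# Well-known URL shorteners; a legitimate notification should not hide its destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def _parse(url: str):
    # A bare "equifax.com/freeze" has no scheme; assume http so the host parses.
    return urlparse(url if "://" in url else "http://" + url)


def link_host(url: str) -> str:
    """Lowercase hostname of a link, or "" if it has none."""
    return (_parse(url).hostname or "").lower().rstrip(".")


def is_trusted_link(url: str, known_domains=KNOWN_DOMAINS) -> bool:
    """True only when the host IS a known domain or a subdomain of one.

    Substring matches are deliberately rejected: 'equifax-breach-update.com'
    and 'equifax.com.evil.net' both look like equifax.com but are not under it.
    """
    host = link_host(url)
    return any(host == d or host.endswith("." + d) for d in known_domains)


def classify_link(url: str, known_domains=KNOWN_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'shortener' or 'unknown' for a notification link."""
    parsed = _parse(url)
    if parsed.username is not None:
        # "https://equifax.com@evil.net/" puts the real host after the '@'.
        return "lookalike"
    if is_trusted_link(url, known_domains):
        return "trusted"
    host = link_host(url)
    if host in SHORTENER_HOSTS:
        return "shortener"
    brand_labels = {d.split(".")[0] for d in known_domains}
    if any(label in host for label in brand_labels):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.equifax.com/personal/credit-report-services/credit-freeze/",
              "http://equifax-breach-update.com/verify",
              "https://equifax.com.evil.net/login",
              "https://equifax.com@evil.net/",
              "https://bit.ly/3abc",
              "https://example.org/"]:
        print(f"{classify_link(u):9s}  {u}")
```

Even a "trusted" result only tells you the link points at the real domain; the guide's advice to type the address yourself still applies, since a display text and a link target can differ in HTML mail.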
Understand Exactly What Was Exposed
The response actions below depend heavily on what type of data was in the breach. Read the notification and public reporting carefully.
| Data Exposed | Risk Level | Primary Response |
|---|---|---|
| Email address only | Low | Monitor for spam/phishing, no urgent action |
| Hashed passwords (bcrypt) | Low-Medium | Change password on that site; monitor |
| Hashed passwords (MD5/SHA1) | High | Treat as plaintext — change password immediately and all reused passwords |
| Plaintext passwords | Critical | Change immediately everywhere it was used |
| Phone number | Medium | Watch for smishing; SIM swap risk |
| Physical address | Medium | Watch for mail fraud, identity fraud |
| Date of birth | Medium-High | KBA (knowledge-based auth) risk; combined with SSN = identity fraud |
| Driver's license number | High | Fraud alert; monitor for identity fraud |
| Social Security / Tax ID number | Critical | Credit freeze immediately |
| Payment card data | High | Contact bank to cancel card immediately |
| Medical records | High | Watch for medical identity theft, insurance fraud |
| Passport number | High | Identity fraud, coordinate with issuing agency if needed |
| Security question answers | High | Update security questions everywhere you use them |
The First 24 Hours
These actions have time-sensitive value. Attackers automate credential stuffing within hours of obtaining fresh breach data.
Action 1: Change the Compromised Password Immediately
Do this on the breached service before anything else. Even if passwords were "hashed," hashing doesn't mean uncrackable. MD5, SHA-1, and unsalted SHA-256 are crackable in minutes on modern hardware. Even bcrypt and Argon2 hashes of weak passwords are cracked within days in targeted attacks.
Generate the new password correctly:
Use your password manager to generate a new password. If you do not have a password manager (install one — this incident is the best possible motivation), generate using:
```python
# Python: generate a cryptographically random password
import secrets
import string

alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
password = ''.join(secrets.choice(alphabet) for _ in range(24))
print(password)  # e.g., "xK9#mP2@vL7qRn4$dX8&wJ5%aB"
```
Characteristics of a correct generated password:
- 20+ characters (for critical accounts; 16 minimum for others)
- Cryptographically random (not your dog's name + birth year)
- Unique: never used anywhere else
- Not based on any personal information
Action 2: Rotate Every Reused Password
Credential stuffing attacks are automated. Within hours of a breach dump appearing on forums, automated tools are testing those credentials against Gmail, banking, PayPal, Amazon, and dozens of other high-value services simultaneously.
If you used the same password on the breached site as on any other site, those accounts are at risk right now.
Priority order for password rotation:
- Primary email account — this is the recovery mechanism for everything else. If an attacker controls your email, they can reset every account through password recovery.
- Secondary email accounts
- Financial accounts — banking, PayPal, Venmo, Cash App, brokerage, cryptocurrency exchanges
- Password manager account — if your password manager shares a password with the breach (it shouldn't, but check)
- Any account linked to your primary email — social media accounts used for login elsewhere ("Sign in with Google/Facebook")
- Everything else — work through your password manager's reused passwords list
Finding reused passwords in your password manager:
Bitwarden: Reports → Reused passwords
(Shows every password that appears more than once in your vault)
1Password: Watchtower → Reused passwords
(Shows all reused passwords with site names)
KeePassXC: Tools → Password Health Check
(Shows duplicate, weak, and old passwords)
If no password manager: manually check your most important accounts
Email → Banking → Social media → Work accounts
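When the manager's built-in report is not available, or you want the list ordered the way this section prioritizes it, a vault export can be checked directly. This is an added example, not code from the original guide or from any password manager: the column names follow the layout of a Bitwarden CSV export as I understand it (an assumption; check your own manager's format), the vault contents are constructed, and the report keys on a truncated SHA-256 fingerprint so the reused password itself is never printed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed vault export in the (assumed) column layout of a Bitwarden CSV
# export. Every password here is fake.
SAMPLE_EXPORT = """\
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,,login,Gmail,,,0,https://mail.google.com,alice@example.com,Tr0ub4dor&3,
,,login,Bank,,,0,https://bank.example,alice,Tr0ub4dor&3,
,,login,Gaming forum,,,0,https://forum.example,alice2009,Tr0ub4dor&3,
,,login,GitHub,,,0,https://github.com,alice,9sK!f2#pLq@7zR$4mN%1,
"""


def rotation_priority(name: str, uri: str = "") -> int:
    """0 = email (recovery root), 1 = financial, 2 = everything else,
    mirroring the priority order given in this section."""
    text = f"{name} {uri}".lower()
    if any(k in text for k in ("mail", "outlook", "proton")):
        return 0
    if any(k in text for k in ("bank", "paypal", "venmo", "cash app", "brokerage", "exchange")):
        return 1
    return 2


def _entries_by_password(csv_text: str) -> dict:
    """Group (name, uri) pairs by the password they share."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row.get("login_password") or ""
        if not pw:
            continue  # notes, cards, identities: nothing to reuse
        name = row.get("name") or row.get("login_uri") or "?"
        groups[pw].append((name, row.get("login_uri") or ""))
    return groups


def find_reused_passwords(csv_text: str) -> dict:
    """Return {fingerprint: [account names]} for every password used more than once."""
    result = {}
    for pw, entries in _entries_by_password(csv_text).items():
        if len(entries) > 1:
            fingerprint = hashlib.sha256(pw.encode("utf-8")).hexdigest()[:8]
            result[fingerprint] = [name for name, _ in entries]
    return result


def accounts_sharing_password_with(csv_text: str, breached_name: str) -> list:
    """Other accounts using the same password as the breached site, in rotation order."""
    for entries in _entries_by_password(csv_text).values():
        if breached_name in (n for n, _ in entries):
            others = [(n, u) for n, u in entries if n != breached_name]
            return [n for n, _ in sorted(others, key=lambda e: rotation_priority(*e))]
    return []


if __name__ == "__main__":
    for fp, names in find_reused_passwords(SAMPLE_EXPORT).items():
        print(f"password {fp}… reused on: {', '.join(names)}")
    print("rotate first after a 'Gaming forum' breach:",
          accounts_sharing_password_with(SAMPLE_EXPORT, "Gaming forum"))
```

Delete the export file once the check is done; an unencrypted vault export on disk is itself an exposure.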
Action 3: Enable Two-Factor Authentication
If the breached service didn't have 2FA enabled, turn it on now. Then work through the priority list above.
The failure mode without 2FA: even if you successfully change your password on the breached site, attackers who have your credentials will immediately try them on other services. If any service where you reused that password lacks 2FA, one successful credential-stuffing attempt means the attacker who obtained your password from the breach now controls your account on that service.
2FA by account type:
Email: Hardware key (YubiKey) or TOTP authenticator app
NOT SMS — email is too critical to protect with SMS-2FA
SMS is vulnerable to SIM swapping (see below)
Banking: TOTP app preferred; hardware key if supported
Most major banks support TOTP; some still only offer SMS
SMS on banking is weak but better than nothing
Password manager: TOTP app or hardware key
Bitwarden: Settings → Security → Two-step login
1Password: Profile → More Actions → Manage Two-Factor Authentication
Everything else: TOTP app minimum; hardware key for high-value accounts
Passkeys where supported (Google, Apple, Microsoft, GitHub, Cloudflare)
Action 4: Revoke Active Sessions
After changing your password, revoke all existing sessions on the breached service and on any service where you rotated credentials. This logs out any attacker who authenticated before you changed the password.
Google: myaccount.google.com → Security → Your devices → Sign out of all devices
Facebook: Settings → Security and Login → Where You're Logged In → Log Out of All Sessions
Microsoft/Outlook: account.microsoft.com → Security → Sign-in activity → Terminate session
Twitter/X: Settings → Security → Sessions → Log out of all other sessions
GitHub: github.com/settings/sessions → Revoke all
For any service: look for "Active sessions," "Logged-in devices," or "Security"
in account settings. The option exists on most major platforms.
Action 5: Check for Unauthorized Account Changes
An attacker who gained access before you rotated credentials may have made changes that preserve that access after the password change. Check for them:
Check in your email account:
□ Mail forwarding rules (Settings → Filters and blocked addresses / Mail forwarding)
Attackers set silent forwarding to their address before you notice the breach
□ Connected apps and third-party access (Settings → Security → Third-party apps)
□ Recovery email and phone number — attackers may update these to maintain access after password change
□ Trusted devices list — remove devices you don't recognize
Check on financial accounts:
□ Payment method changes
□ Saved addresses
□ Account notifications email address
Check on work accounts:
□ OAuth app authorizations
□ API keys and tokens associated with your account
□ Team member permissions (if you're an admin)
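The forwarding-rule and filter check above (and again in the post-breach hygiene list later in this guide) is the one most often skipped because the rules are buried in settings pages. The following added example, not part of the original guide, audits a filter list exported as JSON: it flags forwards to domains you don't control, the "forward + skip inbox" combination the guide warns about, and auto-delete rules that could swallow security alerts. The JSON shape follows what the Gmail API's `users.settings.filters` list call returns as I understand it (an assumption; adapt the field names for Outlook rules), and both the filters and the owned-domain list are constructed.

```python
import json

# Domains you control (constructed); a forward to any other domain is flagged.
MY_DOMAINS = {"example.com"}

# Constructed sample in the (assumed) shape of the Gmail API users.settings.filters
# list response. f2 and f4 are the kind of rules an intruder leaves behind.
SAMPLE_FILTERS_JSON = json.dumps({"filter": [
    {"id": "f1", "criteria": {"from": "newsletter@shop.example"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": "bank OR password OR verification code"},
     "action": {"forward": "collector@mailbox.invalid", "removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"to": "me@example.com"},
     "action": {"forward": "backup@example.com"}},
    {"id": "f4", "criteria": {"from": "security@bank.example"},
     "action": {"addLabelIds": ["TRASH"]}},
]})


def audit_filters(filters_json: str, my_domains=MY_DOMAINS) -> list:
    """Return one finding per suspicious filter: {'id', 'criteria', 'reasons'}."""
    findings = []
    for f in json.loads(filters_json).get("filter", []):
        action = f.get("action", {})
        reasons = []

        forward_to = action.get("forward")
        if forward_to:
            domain = forward_to.rsplit("@", 1)[-1].lower()
            if domain not in my_domains:
                reasons.append(f"forwards to external address {forward_to}")

        skips_inbox = "INBOX" in action.get("removeLabelIds", [])
        if forward_to and skips_inbox:
            # Mail is copied out and never shown to the owner: the silent-forward pattern.
            reasons.append("forward combined with skip-inbox (silent forwarding pattern)")

        if "TRASH" in action.get("addLabelIds", []):
            # Auto-deleting mail from a bank or security sender hides alerts about fraud.
            reasons.append("auto-deletes matching mail (can hide security alerts)")

        if reasons:
            findings.append({"id": f.get("id"), "criteria": f.get("criteria", {}),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS_JSON):
        print(f"filter {finding['id']} matching {finding['criteria']}:")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Any flagged rule you did not create should be deleted, and the fact that it existed is itself evidence of prior access: treat the account as compromised and go through the whole checklist above, not just the password.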
The First Week
Place a Credit Freeze if SSN Was Exposed
A credit freeze is the strongest available protection against new account fraud. It prevents credit bureaus from releasing your credit report to new lenders — without your credit report, a new credit account cannot be opened in your name, even if an attacker has your full Social Security number, date of birth, and personal details.
A credit freeze is free, does not affect your credit score, does not affect existing accounts, and can be lifted temporarily when you legitimately apply for credit.
Required freeze locations (US):
You must freeze at all three major bureaus and several specialty bureaus:
| Bureau | Website | Phone |
|---|---|---|
| Equifax | equifax.com/personal/credit-report-services/credit-freeze/ | 1-800-685-1111 |
| Experian | experian.com/freeze/center.html | 1-888-397-3742 |
| TransUnion | transunion.com/credit-freeze | 1-888-909-8872 |
| Innovis | innovis.com/personal/securityFreeze | 1-800-540-2505 |
| ChexSystems | chexsystems.com (security freeze section) | 1-800-428-9623 |
| NCTUE | nctue.com | 1-866-349-5355 |
ChexSystems is used by banks for checking account applications — freeze here to prevent a fraudster from opening new bank accounts. NCTUE is used by telecom and utility providers — freeze here to prevent new phone or utility accounts.
The freeze process:
Online (fastest):
1. Navigate to each bureau's freeze page (links above)
2. Create an account or log in
3. Submit identity verification (SSN, address, DOB — ironic but required)
4. Receive PIN or set one — STORE THIS SECURELY
5. Freeze takes effect immediately
Confirm: log back in and verify freeze status is "Active"
Lifting for a credit application:
1. Log in to the bureau's freeze management page
2. Lift the freeze for a specified time window (e.g., "lift for 24 hours" or "lift until [date]")
3. Apply for credit during that window
4. Re-freeze after application is processed (it may re-freeze automatically)
If you applied for credit and need to know which bureau the lender uses:
Ask the lender directly which credit bureau(s) they pull from, then only lift at those.
Be careful with credit freeze PIN management. Equifax previously assigned PINs sequentially based on the date and time of the freeze request — making them predictable and usable by anyone who knew when you froze. They have since moved to randomized PINs. Store your freeze PINs in your password manager. Losing them requires going through an identity verification process that may take days.
Place a Fraud Alert
A fraud alert is lighter than a freeze — it doesn't block new credit applications but requires lenders to take extra identity verification steps before approving. Contact only one bureau; they are legally required to notify the other two.
Equifax initial fraud alert (1 year): online at equifax.com or call 1-800-525-6285
- Alert active at all three bureaus within 24 hours
- Free, renewable annually
Extended fraud alert (7 years): requires identity theft affidavit (FTC Identity Theft Report)
- Contact local police for police report number
- File at IdentityTheft.gov for FTC report
- Submit both reports to one bureau
Active duty military alert: 1 year at a time for deployed service members
- All bureau contact info listed above accepts this
Use a fraud alert when you want a warning layer without a full freeze, or while waiting for the freeze process to complete at all bureaus.
Review Your Credit Reports
You are entitled to one free credit report per year from each major bureau via annualcreditreport.com (the official FTC-mandated site — not any other "free credit report" site, which are usually subscription services in disguise).
Following a breach involving your SSN, pull all three simultaneously and review carefully:
What to look for:
Fraudulent accounts:
□ Credit cards, loans, lines of credit you didn't open
□ Accounts with addresses you've never lived at
□ Hard inquiries you didn't authorize (each represents a credit application)
Signs of identity theft already in progress:
□ Accounts in collections for debts you don't recognize
□ Employer history you never provided to a bureau
□ Addresses that are unfamiliar (addresses you've never lived at)
Errors vs. fraud:
□ Minor errors (wrong spelling, old address) — dispute with bureau
□ Fraudulent accounts — dispute + file FTC report + police report
Dispute process:
All three bureaus accept disputes online:
- Equifax: equifax.com/personal/credit-report-services/credit-dispute/
- Experian: experian.com/disputes/
- TransUnion: transunion.com/credit-disputes/dispute-your-credit
Include: description of error, copies of supporting documentation
Timeline: bureau must investigate within 30 days (15 days if you provide additional info)
If they verify as correct but you believe it's fraud:
→ File FTC identity theft report at IdentityTheft.gov
→ File police report with local law enforcement
→ Submit both reports to bureau as supporting documentation
Check for Dark Web Exposure (Beyond HIBP)
HIBP indexes publicly known breaches that have been disclosed to Troy Hunt. It does not capture:
- Breaches that haven't been discovered yet
- Private breach sales in closed forums
- Fresh stealer malware logs before they're distributed publicly
- Specific data types like SSN or medical records (HIBP doesn't store PII beyond email)
Deeper dark web monitoring options:
| Service | Cost | Coverage |
|---|---|---|
| HIBP notifications | Free | Future breaches involving your email |
| Google One Dark Web Report | Free (Google account) | Email, phone, SSN, physical address |
| Mozilla Monitor | Free | Breach notifications + limited dark web |
| Aura | ~$12-15/month | Comprehensive: ID monitoring, insurance, family coverage |
| LifeLock (Norton) | ~$10-20/month | Three-bureau monitoring, alerts, insurance |
| Identity Guard | ~$8-16/month | AI-powered monitoring, insurance |
For most people after a breach: Google One Dark Web Report (free) combined with HIBP email alerts is adequate. Paid services add insurance components and broader monitoring that matters more if your SSN was exposed.
Watch for Post-Breach Phishing
Within days of a major breach announcement, targeted phishing attacks exploiting the breach begin. Attackers know:
- Your name and email (from the breach itself)
- Which service you used (the breached company)
- Your approximate location (from billing address in the breach)
This enables highly convincing targeted phishing:
Example post-breach phishing email (attacker has your real breach data):
From: breach-notification@equifax-alert.com
To: yourname@gmail.com
Subject: Action Required: Equifax Breach Victim Support — Verify Your Identity
Dear [YOUR REAL NAME],
As part of our breach response, we are offering affected customers
free identity monitoring services. Our records indicate you may have been
affected based on your account at [ACTUAL BREACHED COMPANY].
To claim your free 3-year monitoring service, please verify your identity:
[Phishing link]
Note: Your case number is [PLAUSIBLE ID]. This offer expires in 72 hours.
---
How to recognize this:
- Equifax-alert.com is NOT equifax.com
- Actual breach response portals don't require identity re-verification via email link
- "Case number" creates false legitimacy
- 72-hour urgency is a social engineering pressure tactic
Defense: Navigate directly to equifax.com for any Equifax-related action.
Never use email links for identity verification.
Additional post-breach account hygiene:
# Check email forwarding rules (most important)
# These can be set even by temporary access before password change
Gmail: Settings → See all settings → Filters and Blocked Addresses
Settings → See all settings → Forwarding and POP/IMAP
Look for: any forwarding rules you didn't create
any filters that "skip inbox" + "forward"
Outlook/Exchange:
Settings → Mail → Rules
Or via PowerShell (admin): Get-InboxRule -Mailbox user@domain.com
# Check connected third-party applications
Gmail: myaccount.google.com → Security → Third-party apps with account access
Outlook: account.microsoft.com → Privacy → Apps and services
Facebook: Settings → Security and Login → Apps and Websites
GitHub: github.com/settings/applications (both OAuth Apps and Authorized OAuth Apps)
Legal Framework: What Companies Owe You After a Breach
Understanding breach notification laws matters for two reasons: it tells you how much delay is legally acceptable (often more than you'd hope), and it gives you leverage when companies are slow to notify.
US Federal and State Notification Laws
The US has no comprehensive federal breach notification law for commercial data. Instead:
HIPAA (healthcare): Covered entities and business associates must notify affected individuals within 60 days of breach discovery. Breaches affecting 500+ people in a state also require notification to local media and HHS. Breaches of 500+ people nationally must be reported to HHS within 60 days and are publicly listed on the HHS "Wall of Shame" at ocrportal.hhs.gov.
GLBA (financial): Financial institutions must notify customers "as soon as reasonably possible" after discovering a breach. A 2023 FTC amendment requires notification within 30 days.
SEC Rules (2023): Public companies must disclose material cybersecurity incidents to the SEC within 4 business days of determining the incident is material.
State laws: All 50 states have breach notification laws. Key examples:
| State | Law | Notification Window |
|---|---|---|
| California | CCPA/CPRA + Civil Code 1798.82 | "Expedient" — no specific window |
| New York | SHIELD Act | "Expedient" notice, no specific window |
| Florida | FIPA (Florida Information Protection Act) | 30 days |
| Massachusetts | 201 CMR 17.00 | "As expeditiously as possible" |
| Texas | Business and Commerce Code Ch. 521 | 60 days |
What "expedient" means in practice: "As expeditiously as possible" has been interpreted by courts to mean somewhere between 30 and 90 days in most state enforcement actions. This is why consumers routinely receive breach notifications months after the actual breach — companies take the maximum defensible time.
GDPR (for EU residents): Controllers must notify the supervisory authority within 72 hours of discovery. Individual notification to affected data subjects is required "without undue delay" when there is high risk to their rights and freedoms. GDPR breach notifications have substantially more information requirements than US laws.
Your Rights as a Breach Victim
Credit freeze: Free under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA, 2018). This law preempted state laws that allowed bureaus to charge fees.
Extended fraud alert: Available free for 7 years to confirmed identity theft victims. Requires an FTC Identity Theft Report.
FTC identity theft report: Filing at IdentityTheft.gov creates an official FTC report you can provide to creditors and law enforcement. The site also generates a personalized recovery plan.
Free credit reports: One per year per bureau via annualcreditreport.com under FCRA. After identity theft, you can request additional free reports during the recovery period.
Dispute errors: Under FCRA, bureaus must investigate disputes within 30 days and must delete unverifiable information.
Equifax settlement (2019): The $575 million FTC settlement created a consumer fund. The cash claims were largely exhausted (oversubscribed); most affected consumers received extended credit monitoring instead. If you haven't enrolled in the free Equifax monitoring from the settlement, it remains available at equifaxbreachsettlement.com.
Class action notification: Major breaches typically produce class action lawsuits. You may receive a settlement notice years after the breach. The settlements are usually small (the Equifax $125 cash offer worked out to pennies per person after oversubscription) but worth responding to.
What to Do If You're a Confirmed Identity Theft Victim
If fraudulent accounts have already been opened, the response escalates:
Step 1: File an FTC Identity Theft Report
→ IdentityTheft.gov
→ This is the official report; generates a personalized recovery plan
→ Provides legal protection in disputes with creditors
Step 2: File a police report
→ Go to your local police department with your FTC report
→ Request a copy of the police report number
→ Some creditors require a police report number
Step 3: Contact creditors for fraudulent accounts
→ Provide: FTC report, police report number, your ID, proof of address
→ Request in writing: account closure, removal of charges, credit inquiry removal
→ CFPB has sample dispute letters at consumerfinance.gov
Step 4: Place an extended fraud alert (7 years)
→ Contact one bureau (they notify the others)
→ Requires FTC Identity Theft Report
Step 5: Dispute fraudulent information on credit reports
→ Submit to each bureau separately
→ Include copies of FTC report and police report
Step 6: Contact Social Security Administration if SSN was used fraudulently
→ ssa.gov/fraud/report.html
→ For tax fraud specifically: IRS Identity Protection PIN at irs.gov/identity-theft-central
Step 7: Monitor for follow-on fraud (it escalates over time)
→ Identity theft victims experience multiple fraud events — initial fraud enables more
→ Extended monitoring via paid service may be warranted
Long-Term Protection
Ongoing Monitoring Strategy
Free monitoring stack (covers the basics):
□ HaveIBeenPwned email notifications (subscribe at haveibeenpwned.com/NotifyMe)
→ Notified when your email appears in new breach databases
□ Google One Dark Web Report
→ Monitors email, phone, SSN, physical address, usernames
□ Annual credit report rotation (one bureau every 4 months):
→ January: Equifax (annualcreditreport.com)
→ May: TransUnion
→ September: Experian
□ Credit score monitoring (free via bank apps):
→ Most major banks now provide free FICO score or VantageScore in their app
→ Sudden unexplained score changes can indicate new fraudulent accounts
Paid monitoring (warranted if SSN was exposed or fraud has already occurred):
□ Aura ($12-15/month):
→ Three-bureau monitoring with real-time alerts
→ $1 million identity theft insurance
→ 24/7 support
→ Covers family members
□ Freeze management advice:
→ Credit freezes are free and more effective than monitoring at preventing new account fraud
→ Use monitoring to catch what freezes miss: tax fraud, medical fraud, existing account takeover
Email Compartmentalization
Using one email address for everything maximizes breach exposure — any breach at any site exposes the same email that's linked to your banking, healthcare, and sensitive accounts.
Compartmentalization strategy:
Financial email (yourbankaddress@proton.me or similar):
→ Used ONLY for: banking, brokerage, credit cards, mortgage, insurance
→ Never used to sign up for retail, social media, newsletters
→ Strong password, hardware key 2FA, not shared with anyone
Public email (yourname@gmail.com):
→ Used for: social media, professional contacts, press inquiries
→ Compromise exposes public-facing identity but not financial accounts
Alias email (via SimpleLogin, Apple Hide My Email, or Firefox Relay):
→ Unique alias per shopping/registration site
→ Breach at RetailSite.com exposes only the alias for that site
→ Forward to your primary inbox
→ If an alias starts receiving spam, delete it and create a new one
Throwaway (for one-time signups):
→ Mailinator, Guerrilla Mail (not for anything you need long-term)
→ Never associated with real identity
# SimpleLogin alias example:
# Real email: yourname@gmail.com
# Amazon alias: amazon-xyz123@simplelogin.co → forwards to Gmail
# Target alias: target-abc456@simplelogin.co → forwards to Gmail
# Hulu alias: hulu-def789@simplelogin.co → forwards to Gmail
# If Hulu is breached:
# Attacker has: hulu-def789@simplelogin.co
# Cannot test this against Gmail, banking, or anything else
# You delete the alias, problem solved
Reduce Your Attack Surface: Delete Old Accounts
You have more online accounts than you know. Each is a potential breach vector.
Finding old accounts:
# Search your email inbox for account-related emails
# Gmail search operators:
# Registration confirmations
from:noreply subject:"welcome" OR subject:"account created" OR subject:"confirm your email"
# Account notifications
subject:"your account" OR subject:"account summary" OR subject:"account update"
# Password-related
subject:"password" OR subject:"login" OR subject:"sign in"
# Review results: every distinct sender represents an account somewhere

# More systematic approach: search for unique sender domains
# (Email export + Python for large inboxes)
```python
import mailbox
from collections import Counter
from email.utils import parseaddr

# Load mbox export (Gmail: Settings → See all settings → Forwarding and POP/IMAP → Download)
mbox = mailbox.mbox('/path/to/mail.mbox')
domains = Counter()
for message in mbox:
    # parseaddr handles "Display Name <user@domain>" as well as bare addresses
    _, from_addr = parseaddr(message.get('From', ''))
    if '@' in from_addr:
        domain = from_addr.split('@')[-1].lower()
        domains[domain] += 1

# Print most common senders (likely accounts you have)
for domain, count in domains.most_common(200):
    print(f"{domain}: {count} emails")
```
Deleting accounts:
- JustDeleteMe.com rates account deletion difficulty for hundreds of services and provides direct links to deletion pages
- GDPR requests (EU and UK): Any company with EU users must delete your data within 30 days of a valid erasure request. Use gdprrequests.io for templates.
- CCPA requests (California residents): Similar rights; use privacyrightsclearinghouse.org for templates.
- Direct contact: Email privacy@[company].com requesting account deletion; most will honor it even without legal obligation
For accounts that cannot be easily deleted: change the email to an alias, change the password to a generated one, remove payment methods, and archive the entry in your password manager.
Know the Signs of Identity Theft Early
Catching identity theft early limits damage dramatically. Watch for:
Financial warning signs:
□ Bills or collection notices for accounts you didn't open
□ Denied credit when you expected approval
□ Unexplained drops in credit score
□ New accounts on your credit report you didn't open
□ Hard inquiries you didn't authorize
Tax-related signs:
□ IRS letter about multiple returns filed with your SSN
□ Your e-filed return rejected as a duplicate
□ W-2 from an employer you never worked for
→ Response: irs.gov/identity-theft-central → Get an Identity Protection PIN
(IRS IP PIN is a 6-digit number that must accompany any tax filing with your SSN)
Enroll at irs.gov/identity-theft-central/get-an-identity-protection-pin
Medical identity theft signs:
□ Medical bills for services you didn't receive
□ Explanation of Benefits from insurer for unknown treatments
□ Notification that you've reached your annual insurance benefit maximum
□ Inaccurate medical records (your doctor notes a condition you don't have)
→ Response: Request medical records from insurer and providers; dispute errors;
file complaint with HHS Office for Civil Rights if HIPAA covered entity
Employment / IRS wage record signs:
□ IRS notices about unreported income
□ State unemployment claim from an employer where you didn't work
□ Social Security earnings statement showing employment you didn't have
→ Response: File identity theft report; contact the Social Security Administration
Breach Response Checklist (Priority Order)
Print this list. When a breach hits, work through it in order.
Within 24 hours:
- [ ] Verify exposure via HaveIBeenPwned and direct company check
- [ ] Verify the notification itself is legitimate (check company's official site)
- [ ] Read what data types were actually exposed
- [ ] Change password on breached service to a generated password
- [ ] Identify and rotate all reused passwords — email and banking FIRST
- [ ] Enable 2FA (TOTP or hardware key) on the breached service
- [ ] Revoke all active sessions on the breached service
- [ ] Check for unauthorized changes: forwarding rules, recovery email/phone, connected apps
Within one week:
- [ ] Credit freeze at Equifax, Experian, TransUnion, Innovis, ChexSystems (if SSN exposed)
- [ ] Place fraud alert at one bureau (if freezes are delayed or SSN not exposed)
- [ ] Pull all three credit reports at annualcreditreport.com — review for fraud
- [ ] Set up HIBP email alerts at haveibeenpwned.com/NotifyMe
- [ ] Enable Google One Dark Web Report or equivalent monitoring
- [ ] Review connected apps and third-party access on major accounts
- [ ] Increase skepticism of incoming emails and SMS for the next 30 days
Ongoing:
- [ ] Annual credit report review (one bureau every 4 months)
- [ ] Monitor credit score via bank app or monitoring service for unexplained changes
- [ ] Delete old accounts you no longer need
- [ ] Compartmentalize email addresses (financial separate from public)
- [ ] Keep credit freezes in place until you actively need them lifted
- [ ] Store freeze PINs in password manager
- [ ] Know the signs of identity theft and what to do if they appear
The breach that affects you today may not cause visible damage for months or years. The SSN exposed in the Equifax breach is still being used for identity fraud nine years later. The actions you take in the first 24 hours — and the monitoring you maintain afterward — are what determine whether this breach becomes a footnote or a years-long identity recovery process.