Data Breach: What to Do Immediately if Your Information Is Exposed
Getting notified that your data was exposed in a breach is alarming — but the next 24 hours matter most. This guide walks through the exact steps to take immediately after a data breach: what to change first, how to check what was exposed, and how to protect yourself from the identity theft and account takeovers that follow.
Don't Panic — But Act Fast
Data breaches are increasingly common. In 2025 alone, billions of records were exposed across major companies including healthcare providers, financial institutions, and e-commerce platforms. If you received a breach notification email, or discovered your information on a site like HaveIBeenPwned.com, your immediate instinct might be to panic — but what you need is a clear, prioritized action plan. The first 24 to 72 hours after discovering a breach are when attackers move fastest. Automated credential-stuffing tools can test a stolen username and password pair against thousands of sites within hours of a breach going public. Speed matters.
This guide walks you through every step in the correct order — from identifying what was actually exposed, to locking down financial accounts, to setting up long-term monitoring so you catch any downstream effects before they cause serious harm.
Step 1: Identify Exactly What Was Exposed
Not all breaches are equal. A breach exposing only your email address is a nuisance — expect more spam, but your accounts are not directly at risk. A breach exposing your password hash, Social Security number, date of birth, payment card details, or security question answers is a serious emergency requiring different and more urgent responses.
Start by reading the breach notification carefully. Reputable companies are legally required in most jurisdictions to disclose what categories of data were exposed. Check HaveIBeenPwned.com and enter every email address you use regularly — it aggregates hundreds of known breaches and tells you exactly which ones include your address. If the breached company has published an incident FAQ, read it.
The categories requiring the most urgent response, in order of severity:
- Plaintext or hashed passwords — change immediately; credential stuffing attacks start within hours
- Social Security or national ID numbers — triggers identity theft risk; freeze credit immediately
- Financial account numbers or card details — contact your bank or card issuer to reissue
- Date of birth + full name + address — high identity fraud risk even without SSN
- Security question answers — review and update recovery options on all accounts
- Email address only — update phishing vigilance; no immediate account action required
Step 2: Change the Compromised Password Immediately
If your password was included in the breach — even as a hashed value — change it on the affected site right now. Use a long, randomly generated password you have never used anywhere else. Our free password generator can create one instantly: aim for at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols. Length matters more than complexity; a 20-character random string is vastly stronger than an 8-character password with substitutions.
Next — and this step is critical — identify every other account where you used the same or a similar password. This is the most dangerous consequence of a breach: attackers run automated credential-stuffing attacks, testing stolen username and password pairs across thousands of sites within hours. If your Netflix password is the same as your bank password, and Netflix was breached, your bank is effectively compromised too.
This is precisely why using a different password for every account matters — and why a dedicated password manager like NordPass or 1Password is so valuable. When every account has a unique password stored in your manager, you only need to change the one that was exposed. Both NordPass and 1Password also include built-in breach-monitoring features that continuously scan your stored credentials against known breach databases and alert you automatically — so you catch future exposures faster.
Step 3: Enable Two-Factor Authentication Everywhere
If the breached account does not yet have two-factor authentication (2FA) enabled, enable it immediately after changing your password. Even if an attacker has your correct password from a future breach, 2FA prevents them from completing a login without also controlling your second factor.
Prefer an authenticator app — Google Authenticator, Microsoft Authenticator, or Authy — over SMS-based 2FA when the option is available. SMS 2FA can be defeated by SIM-swapping attacks, where an attacker convinces your carrier to transfer your phone number to their SIM card. Authenticator app codes are generated locally on your device and are not interceptable in transit.
Most importantly: enable 2FA on your primary email account if you haven't already. Your inbox is the master key to your digital life. Anyone who controls your email can reset passwords for essentially every other account you own by clicking "forgot password." A breached password is far less dangerous if your email remains locked down with a strong authenticator-based 2FA.
After securing the breached account and your email, work through your highest-value accounts — banking, investment, PayPal, Apple ID or Google account, and your password manager itself — and confirm each has 2FA enabled.
Step 4: Handle Financial and Identity Data Breaches
If the breach exposed financial account numbers, Social Security numbers, passport data, or a combination of personal identifiers (name + DOB + address), you need additional steps beyond password management.
Contact your bank or card issuer immediately. Report that your account number or card details were exposed. They will issue a new card number proactively. Most institutions also have a fraud department that can flag your account for enhanced monitoring. Check your statements and transaction history for the past 30–60 days for any unauthorized charges, no matter how small — fraudsters often test with small transactions before making larger ones.
Place a credit freeze at all three major bureaus. A credit freeze (also called a security freeze) prevents anyone — including you — from opening new credit accounts in your name until you temporarily lift it. It is free, reversible, and the single most effective protection against identity thieves opening fraudulent credit lines. You must freeze at all three separately: Equifax (equifax.com), Experian (experian.com), and TransUnion (transunion.com). You can unfreeze temporarily when you need to apply for credit, then re-freeze.
Set up a fraud alert. A fraud alert requires lenders to take additional verification steps before extending credit in your name. It is free, lasts one year, and you only need to contact one bureau — they are required to notify the others. A fraud alert is less restrictive than a freeze but still adds meaningful friction for attackers.
Consider identity theft protection. Services like NordProtect monitor the dark web, credit bureaus, and financial accounts continuously for signs your identity is being misused, and provide restoration assistance and insurance if theft does occur. After a breach involving SSN, financial data, or a combination of personal identifiers, ongoing monitoring is worth the investment — because the effects of identity theft can surface months or years after the initial breach.
Step 5: Monitor for Dark Web Exposure
Breached data is often sold or shared on dark web forums and marketplaces before — or sometimes instead of — being used directly by the attacker who stole it. This means your exposed data can circulate for years after the original breach, being purchased by different attackers for different purposes.
Dark web monitoring tools scan these forums and marketplaces for your email addresses, phone numbers, SSN, and other personal identifiers, alerting you when they appear. NordProtect includes dark web monitoring as part of its identity protection suite. Some password managers, including NordPass, also include breach scanning that checks your stored email addresses against known breach datasets.
Free options include HaveIBeenPwned's notification feature (sign up with your email address to receive alerts for future breaches) and Google's free dark web report for Gmail users.
Step 6: Watch for Follow-On Phishing Attacks
A data breach predictably triggers a wave of targeted phishing attacks in the weeks that follow. Attackers now know your email address, possibly your name and partial account details, and can craft convincing fake emails that appear to come from the breached company. Common tactics include: fake breach notification emails asking you to click a link to "secure your account," messages claiming you have a compromised charge that needs review, and SMS texts with fake fraud alerts.
The defense is simple but requires discipline: go directly to any company's website by typing the address in your browser, never by clicking links in emails or texts. If you receive a message claiming to be from your bank or a breached company, call them using the number on the back of your card or on their official website — not a number in the email.
Also watch for increased spam calls and credential-phishing attempts on other accounts. Attackers often use breached data from one source to attempt social engineering at other institutions, using the legitimate data to seem credible.
Step 7: Review and Update Your Recovery Information
After a significant breach, it is worth auditing the recovery options on your most important accounts. Check that the recovery email and phone number on each high-value account are current and secure. An attacker who can access your recovery email can reset your account even if they don't have your password.
If any of your accounts still use security questions for recovery, audit those too. Security questions like "What is your mother's maiden name?" or "What city were you born in?" are often trivially researchable through social media. Replace the answers with random strings stored in your password manager — the question text doesn't matter, what matters is that the answer can't be guessed or researched.
Post-Breach Checklist at a Glance
Within 1 hour: Identify what was exposed. Change the breached password. Identify reused passwords and change those. Enable 2FA on the affected account.
Within 24 hours: Enable 2FA on your primary email. Check HaveIBeenPwned for additional exposures. If financial or identity data: contact your bank, place credit freezes at all three bureaus, set up a fraud alert.
Within one week: Review bank and card statements for unauthorized activity. Audit recovery emails and phone numbers on high-value accounts. Review security questions. Consider identity protection monitoring if SSN or financial data was involved.
Ongoing: Monitor your credit report (free annually at annualcreditreport.com). Run your password manager's breach health report monthly. Review which accounts still lack 2FA and add it progressively.
Recommended Tools
A password manager is the single most effective tool for limiting breach damage. We recommend NordPass — zero-knowledge encryption, built-in breach monitoring, strong free tier — or 1Password for families and teams needing shared vault access. For identity protection after a breach involving personal or financial data, NordProtect provides dark web monitoring, credit monitoring, and identity restoration support.
See our full security tools guide for more recommendations. And use our free password generator whenever you need to create a new strong credential during the cleanup process.
Recommended next step
Compare identity protection tools
Breach alerts and recovery support are most useful before a leaked credential turns into account takeover.
Compare identity protection tools →Keep Improving Your Account Security
- Browse the password managers hub for the complete set of related guides.
- The Dangers of Password Reuse: Why Using the Same Password Everywhere Is a Security Disaster
- How to Recover from Identity Theft: A Complete Step-by-Step Action Plan
- How to Check If You've Been Hacked: Warning Signs and What to Do Next
- NordProtect Review 2026: Is This Identity Protection Service Worth It?