What to Do After a Data Breach: Your 48-Hour Action Plan
Most breach guides stop at credit monitoring. Here is the 48-hour action plan, including the step about data brokers that every other guide omits.
Most data breach guides lead with credit monitoring. Credit monitoring detects fraud after it has already occurred, it reports that someone opened a new account in your name three months after they did it. Here is what actually matters in the first 48 hours: the actions that prevent the fraud, not the ones that detect it after the fact.
The guide below is structured as a timed action plan. The most time-sensitive items come first.
Key Takeaways
- If your SSN was exposed, go to Step 2 first: freeze credit at all six bureaus (Equifax, Experian, TransUnion, ChexSystems, Innovis, NCTUE) before doing anything else — it is free and blocks new accounts immediately.
- Change passwords in priority order: email first, then financial accounts, then social media used for "Sign in with" — email is the master key to every other account's password reset.
- Data broker opt-outs belong in your 48-hour action plan — fraudsters enrich breach data with people-search profiles to build complete identity dossiers; removing those profiles breaks the enrichment pipeline.
- Breach data stays operationally useful for 18–24 months, so fraud risk does not expire quickly — set 6-month and 12-month reminders to check for new fraudulent accounts.
- Get an IRS Identity Protection PIN at irs.gov if your SSN was exposed — this 6-digit PIN prevents fraudulent tax returns from being filed in your name.
The 2024–2025 Breach Landscape: Why This Guide Matters More Than Ever
The scale of data breaches has accelerated. In 2025 alone, 8,019 data breach notification filings were recorded, representing over 4,080 unique breach events affecting at least 375 million individuals. Several recent breaches directly relevant to this guide's advice:
National Public Data (2024): 2.9 billion records including Social Security Numbers, names, addresses, and phone numbers leaked from a background check company. For anyone in the US, there is a non-trivial probability your SSN is now in circulation. If you have not frozen your credit since 2024, do it today.
Gravy Analytics (2025): A major location data broker suffered unauthorized access to their AWS cloud storage, with consumer location data leaked. Location data can be used to infer home address, workplace, medical facilities visited, religious institutions attended, and political meetings.
Snowflake-connected breaches (2024): Several large companies experienced data exposure through their Snowflake cloud data warehouses. Affected companies included AT&T (73 million records), Ticketmaster (560 million records), and others. These breaches exposed names, phone numbers, addresses, and in some cases SSNs.
What this means for you: If you have received a breach notification in the past 18 months, your data is likely already in circulation on dark web markets. The actions in this guide — credit freeze, data broker opt-outs, IRS IP PIN — are not theoretical precautions; they are active defenses against exploitation of already-circulating breach data.
Step 0: Determine What Was Actually Exposed
The appropriate response depends entirely on what data was in the breach. Most breach notifications tell you the data categories involved, read this carefully before taking any action.
| Data exposed | Primary risk | First action |
|---|---|---|
| Email + password | Account takeover on sites where you reused the password | Change password everywhere the password was reused |
| Email + name + phone | Profile enrichment for targeted fraud | Data broker opt-outs + password changes |
| Social Security number | Credit fraud, tax fraud, government benefits fraud | Credit freeze at all 6 bureaus within 2 hours |
| Medical records | Insurance fraud, medical identity theft | Contact insurer, review Explanation of Benefits |
| Financial account numbers | Direct account takeover | Contact financial institution immediately |
| Home address + phone | Doxxing risk, targeted scam calls | Data broker opt-outs |
| Date of birth | Social engineering ammunition | Password changes + 2FA everywhere |
If your SSN was exposed, skip to Step 2 first. The credit freeze is the single most protective action for SSN breaches and should be done before anything else.
Step 1: Change Every Compromised Password (First 2 Hours)
If the breached service stored your password in any form, assume it is compromised. If you reused that password anywhere else, every account using that password is also at risk.
Priority order:
- Email accounts, email is the master key that unlocks every other account's password reset
- Financial accounts (bank, brokerage, credit cards, PayPal, Venmo, Zelle)
- Social media accounts used for "Sign in with [platform]" on other services
- Any account where you stored payment information or personal documents
Enable two-factor authentication everywhere, using an authenticator app (not SMS). SMS-based 2FA is vulnerable to SIM-swap attacks, a fraudster who calls your carrier claiming to be you can redirect your texts to a new SIM within minutes. Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) generate codes on your device that cannot be redirected.
Use a password manager. If you are using the same password in multiple places, this breach is a forcing function to fix that. Bitwarden is free and open-source. 1Password and Dashlane are paid options. Generate unique 16+ character passwords for every account going forward.
Step 2: Freeze Your Credit at All Six Bureaus (Hours 2–4)
A security freeze prevents new credit accounts from being opened in your name even if a fraudster has your SSN, birthdate, and address. It is free under federal law and does not affect your existing accounts or credit score.
Freeze at all six:
| Bureau | URL | What it controls |
|---|---|---|
| Equifax | equifax.com/personal/credit-report-services | Standard credit (all major lenders) |
| Experian | experian.com/freeze | Standard credit (all major lenders) |
| TransUnion | transunion.com/credit-freeze | Standard credit (all major lenders) |
| ChexSystems | chexsystems.com/security-freeze | New bank account openings |
| Innovis | innovis.com/personal/securityFreeze | Specialty lenders |
| NCTUE | nctue.com/consumer | New utility and telecom accounts |
Most of these can be completed online in under 5 minutes each. You will need your SSN and address. Each bureau will provide a PIN or code to use when you want to temporarily lift the freeze for a legitimate credit application.
See the complete credit freeze guide for the full process and what each bureau covers.
Step 3: Remove Yourself from Data Broker Databases (Hours 4–24)
This is the step most breach response guides omit, and it is one of the most impactful.
Here is the mechanism: after a breach, stolen records circulate on dark web marketplaces. Sophisticated fraudsters do not use raw breach data directly, they enrich it. A breach record containing your name and email is significantly more valuable when paired with your current home address, phone number, employer, and relatives' names. All of that enrichment data is available, for $1–$5, on people-search sites like Spokeo, Whitepages, and Radaris.
Removing yourself from data broker databases breaks the enrichment pipeline. A stolen email address without a correlatable physical address and phone is dramatically harder to operationalize for fraud, social engineering, or targeted scam calls.
Priority brokers to opt out of immediately:
| Site | Opt-out URL | Processing time |
|---|---|---|
| Whitepages | whitepages.com/suppression-requests | 24–72 hours |
| Spokeo | spokeo.com/optout | 24–48 hours |
| BeenVerified | beenverified.com/app/optout/search | 24 hours |
| TruePeopleSearch | truepeoplesearch.com/removal | Same day |
| FastPeopleSearch | fastpeoplesearch.com/removal | 24 hours |
| Radaris | radaris.com/page/privacy | 48–72 hours |
| Intelius | intelius.com/optout | 72 hours |
| MyLife | mylife.com/optout or call 1-888-704-1900 | 5–14 days |
| Nuwber | nuwber.com/optout | 24–48 hours |
| TruthFinder | truthfinder.com/opt-out | 72 hours |
OfflistMe covers 500+ data brokers for a one-time fee with no subscription. Requests send from your own email address, which bypasses the authorized agent verification friction that slows commercial services.
Step 4: File a Report and Set Up Monitoring (Hours 24–48)
File an FTC identity theft report at identitytheft.gov. This creates an official record, which is required documentation for disputing fraudulent accounts with credit bureaus and financial institutions. IdentityTheft.gov also generates a personalized recovery plan based on your specific situation.
Check haveibeenpwned.com and subscribe your email addresses. This free service tracks over 13 billion breached records across thousands of incidents. You will be notified automatically when your email address appears in any new breach that is added to the database.
Review your recent account activity. Log into financial accounts and check the last 30–60 days of transactions and account activity. Look for: unexpected new accounts, unusual transfers, changes to contact information or security settings, or login activity from unfamiliar locations.
File a police report if fraud has already occurred. If you find fraudulent accounts or transactions, a police report number is required to dispute fraudulent accounts with credit bureaus and to access certain consumer protections. Most jurisdictions accept online identity theft reports.
Step 5: Specific Actions by Breach Type
SSN Exposure
- Freeze credit at all 6 bureaus (Step 2), do this first
- Get an IRS Identity Protection PIN at irs.gov/identity-theft-central. This 6-digit PIN must be included on your tax return and prevents fraudulent returns in your name. Issue new PIN annually.
- Request a free annual credit report from annualcreditreport.com. Review for accounts you do not recognize.
- Consider placing a fraud alert (free, 1-year) as a supplement to the credit freeze
Medical Records Exposure
- Contact your health insurer and request a copy of your Explanation of Benefits (EOB) statements for the past 12 months. Look for services you did not receive.
- Request a copy of your medical records from your providers to verify accuracy.
- If fraudulent medical services appear in your name, contact the healthcare provider directly and file a police report.
Financial Account Numbers Exposure
- Contact the financial institution immediately and report the exposure.
- Request new account numbers and new cards.
- Review recent transactions for unauthorized charges.
- Update payment information on any services linked to the compromised accounts.
Password Exposure
- Change the password on the breached site immediately.
- Change the same password everywhere you reused it.
- If you used the same password on your email account, treat your email as fully compromised, change it first.
Step 6: Long-Term Posture (Ongoing)
Breach data stays operationally useful for 18–24 months. The fraud risk from a breach does not expire quickly, it extends for the entire period the data remains valuable on dark web markets.
Set calendar reminders at 6 months and 12 months to check annualcreditreport.com for new accounts. New fraudulent accounts opened using breach data may not appear for months.
Re-check data broker profiles at 90 days. Data brokers re-ingest from public records every 60–180 days. Profiles you removed may reappear. Run a spot-check of TruePeopleSearch, FastPeopleSearch, and Whitepages 90 days after your initial opt-out pass.
Maintain your data broker opt-outs. A single pass is not permanent. Treat this as an annual maintenance task, not a one-time fix.
Frequently Asked Questions
How do I know if my data was included in a breach?
Check haveibeenpwned.com (tracks billions of breached records) and the breach notification from the company. US companies are legally required to notify affected individuals and disclose the categories of data exposed. The notification must come from the company, not just a third-party news report.
Do I need to act if only my email address was breached?
Yes. An email address enables highly targeted phishing attacks. The attacker knows which service you used and can craft convincing impersonation emails referencing that service. Change the email account password, enable 2FA, and watch for unexpected password reset requests across any account linked to that address.
How long do I have before breach data is exploited?
Breach data typically reaches dark web markets within days of a breach. Act on passwords and credit freezes within 48 hours. Tax fraud and government benefits fraud using SSNs can surface anywhere from 1 month to 24 months after a breach, these are slower-burn fraud types that require longer monitoring.
The breach notification says my data was "encrypted." Am I safe?
Encryption quality matters. Properly salted and hashed passwords are very difficult to crack. Poorly implemented encryption (e.g., MD5 hashing without salting) may be cracked within hours. Change the password anyway, if the company's encryption was weak, assume the password is now known.
Does a credit freeze affect my credit score?
No. A credit freeze has zero effect on your credit score, existing accounts, or ability to use current credit cards. It only blocks new credit applications until you temporarily lift the freeze.
Remove your data from 500+ brokers → | Identity theft statistics and risks → | How to freeze your credit →
Related Guides
Understand your privacy rights
Every removal request cites a specific statute. These plain-English explainers show what each law covers and how enforcement actually works.
Related Data Broker Removal Guides
Take back your privacy today
Remove your personal information from data brokers and platforms in seconds.
Remove Your Personal Data NowFrom $7.00 one-time · 546 data brokers · No subscription
