What to Do After a Data Breach: Your 48-Hour Action Plan
Most breach guides stop at credit monitoring. Here is the 48-hour action plan — including the step about data brokers that every other guide omits.
Most data breach guides tell you to monitor your credit. That is like locking the back door after someone has already walked through the front. Here is what actually matters in the first 48 hours — and the critical step most guides omit.
First, understand what was taken
The risk profile differs dramatically by category:
- Email + password only: Account takeover risk. Change the password everywhere you reused it.
- Email + name + phone: Profile enrichment. Fraudsters cross-reference with data broker records to build complete identity dossiers.
- Social Security number exposed: Credit fraud, tax fraud, government benefits fraud. Highest risk tier — freeze your credit immediately.
- Medical records exposed: Insurance fraud and medical identity theft. Contact your insurer and review your Explanation of Benefits statements.
- Financial account numbers: Account takeover. Contact the institution immediately.
Step 1: Change every password that touched the breached site (first 2 hours)
If you reused the breached password anywhere, it is now compromised everywhere. Use a password manager (1Password, Bitwarden, or iCloud Keychain) to generate unique passwords.
Priority order:
- Email accounts — email is the master key to every other account's password recovery
- Financial accounts (banking, brokerage, PayPal, Venmo)
- Social media accounts
- Any site where you stored payment information
Enable two-factor authentication using an authenticator app, not SMS. SIM-swap fraud defeats SMS 2FA by transferring your phone number to a SIM the attacker controls.
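To find every account that shares the breached password, you can audit a password-manager export offline. The sketch below is an added example, not part of the original guide; the CSV column names, the `.test` domains and the tier-to-domain mapping are constructed assumptions you would replace with your own.

```python
import csv
import io
from urllib.parse import urlparse

# Step 1 priority order; the domain sets are constructed placeholders.
TIERS = [
    ("email", {"examplemail.test"}),
    ("financial", {"examplebank.test"}),
    ("social", {"examplesocial.test"}),
    ("payment-on-file", {"examplestore.test"}),
]

# Constructed sample export (hypothetical columns: name,url,username,password).
SAMPLE_EXPORT = """name,url,username,password
Shop,https://www.breachedshop.test/login,me@examplemail.test,Tr0ub4dor-3
Social,https://examplesocial.test,me,Tr0ub4dor-3
Forum,https://forum.example.org,me,unique-forum-pass
Bank,https://online.examplebank.test,me,Tr0ub4dor-3
Mail,https://mail.examplemail.test,me,Tr0ub4dor-3
"""

def host_of(url):
    """Lower-cased hostname without a leading 'www.'."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def under(host, domain):
    # True if host is the domain itself or one of its subdomains.
    return host == domain or host.endswith("." + domain)

def tier_of(host, breached_domain):
    if under(host, breached_domain):
        return 0, "breached-site"
    for rank, (name, domains) in enumerate(TIERS, start=1):
        if any(under(host, d) for d in domains):
            return rank, name
    return len(TIERS) + 1, "other"

def rotation_plan(export_csv, breached_domain):
    """Accounts reusing the breached site's password, in Step 1 order (no passwords returned)."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    exposed = {r["password"] for r in rows
               if under(host_of(r["url"]), breached_domain)}
    plan = sorted(tier_of(host_of(r["url"]), breached_domain)
                  + (host_of(r["url"]), r["username"])
                  for r in rows if r["password"] in exposed)
    return [(name, host, user) for _, name, host, user in plan]
```

A real export is a plaintext file of every password you own: run the audit locally and securely delete the file as soon as the rotation list is produced.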
Step 2: Freeze your credit at all three bureaus (hours 2-4)
A security freeze prevents new credit accounts from being opened in your name. It is free under federal law, effective immediately, and does not affect your credit score or existing accounts.
- Equifax: equifax.com/personal/credit-report-services
- Experian: experian.com/freeze
- TransUnion: transunion.com/credit-freeze
- ChexSystems: chexsystems.com (controls new bank account openings)
- Innovis: innovis.com/freeze
See our complete credit freeze guide for the full bureau list and step-by-step instructions.
Step 3: Remove yourself from data broker databases (hours 4-24)
Here is what happens after a breach: records circulate on dark web markets. Sophisticated fraudsters cross-reference breach data with people-search sites. If your record includes name and email, a fraudster can look you up on Spokeo or Radaris to get your current address, phone, employer, and relatives' names. That enriched profile — current address, employer, relatives — is what makes a raw breach record operationally useful for fraud.
If you prefer DIY, prioritize these ten brokers first — the most commonly queried:
- Whitepages
- Spokeo
- BeenVerified
- TruthFinder
- Intelius
- Radaris
- MyLife
- PeopleFinder
- Nuwber
- FastPeopleSearch
Each has an opt-out form. Allow 10-14 business days. Re-check in 30 days — these sites re-acquire data from public records continuously.
OfflistMe covers 300+ data brokers for $5 — no ongoing subscription required.
Step 4: File a report and set up monitoring (hours 24-48)
Report to the FTC. File an identity theft report at identitytheft.gov. This creates a legal record and generates a personalized recovery plan.
Set breach monitoring alerts. Visit haveibeenpwned.com and subscribe your email addresses. This service notifies you when your email appears in newly disclosed breaches.
Enable credit monitoring. Your bank or credit card may offer free monitoring. The purpose is detection — you have already done the preventive work in steps 1-3.
File a police report if fraud has already occurred. You will need the report number to dispute fraudulent accounts with credit bureaus.
Step 5: Long-term posture (ongoing)
Fraud from breach data can surface 12-24 months after the initial incident. Check your credit reports regularly at annualcreditreport.com.
If an SSN was exposed, request an IRS Identity Protection PIN at irs.gov/identity-theft-central. This six-digit PIN must be included on your tax return and prevents fraudulent returns from being filed in your name.
Maintain your data broker opt-outs. Brokers re-acquire data every 3-6 months from county records, voter rolls, court filings, and third-party data purchases. A single opt-out is not permanent — it is the start of an ongoing posture. OfflistMe's annual pass covers re-submissions for a 12-month window; alternatively, run a fresh pass yourself each time you move or notice new listings appearing.
Monitor for new accounts via annualcreditreport.com — each bureau provides one free report per year. Set calendar reminders for 6 and 12 months after the breach to check for new fraudulent accounts that may have taken months to open.
Frequently Asked Questions
How do I know if my data was included in a breach?
Check haveibeenpwned.com, which tracks billions of breached records. The company notifying you of a breach is legally required to disclose the categories of data exposed.
Do I need to act if only my email address was breached?
Yes. An email address enables phishing attacks tailored to your habits. Change your email password, enable 2FA, and watch for unexpected password reset emails for any account linked to that address.
How long do I have to act after a data breach?
Act within 48 hours on passwords and credit freezes. Breach data moves quickly on dark web markets. Fraud from a 2022 breach may still surface in 2026 — the data has a long exploitation tail.
Does a credit freeze affect my credit score?
No. A credit freeze has no effect on your existing credit score, open accounts, or ability to use current credit cards.
What if I cannot freeze my credit online?
Each bureau accepts freeze requests by mail with identity verification. Processing typically takes 5-10 business days.