
What to Do After a Data Breach: Your 48-Hour Action Plan

Most breach guides stop at credit monitoring. Here is the 48-hour action plan, including the step about data brokers that every other guide omits.

Written by Rahul Kandoriya · Last updated June 9, 2026

Most data breach guides lead with credit monitoring. Credit monitoring detects fraud after it has already occurred: it reports that someone opened a new account in your name three months after they did it. Here is what actually matters in the first 48 hours: the actions that prevent the fraud, not the ones that detect it after the fact.

The guide below is structured as a timed action plan. The most time-sensitive items come first.

Key Takeaways

  • If your SSN was exposed, go to Step 2 first: freeze credit at all six bureaus (Equifax, Experian, TransUnion, ChexSystems, Innovis, NCTUE) before doing anything else — it is free and blocks new accounts immediately.
  • Change passwords in priority order: email first, then financial accounts, then social media used for "Sign in with" — email is the master key to every other account's password reset.
  • Data broker opt-outs belong in your 48-hour action plan — fraudsters enrich breach data with people-search profiles to build complete identity dossiers; removing those profiles breaks the enrichment pipeline.
  • Breach data stays operationally useful for 18–24 months, so fraud risk does not expire quickly — set 6-month and 12-month reminders to check for new fraudulent accounts.
  • Get an IRS Identity Protection PIN at irs.gov if your SSN was exposed — this 6-digit PIN prevents fraudulent tax returns from being filed in your name.

The 2024–2025 Breach Landscape: Why This Guide Matters More Than Ever

The scale of data breaches has accelerated. In 2025 alone, 8,019 data breach notification filings were recorded, representing over 4,080 unique breach events affecting at least 375 million individuals. Several recent breaches are directly relevant to this guide's advice:

National Public Data (2024): 2.9 billion records including Social Security Numbers, names, addresses, and phone numbers leaked from a background check company. For anyone in the US, there is a non-trivial probability your SSN is now in circulation. If you have not frozen your credit since 2024, do it today.

Gravy Analytics (2025): A major location data broker suffered unauthorized access to their AWS cloud storage, with consumer location data leaked. Location data can be used to infer home address, workplace, medical facilities visited, religious institutions attended, and political meetings.

Snowflake-connected breaches (2024): Several large companies experienced data exposure through their Snowflake cloud data warehouses. Affected companies included AT&T (73 million records), Ticketmaster (560 million records), and others. These breaches exposed names, phone numbers, addresses, and in some cases SSNs.

What this means for you: If you have received a breach notification in the past 18 months, your data is likely already in circulation on dark web markets. The actions in this guide — credit freeze, data broker opt-outs, IRS IP PIN — are not theoretical precautions; they are active defenses against exploitation of already-circulating breach data.


Step 0: Determine What Was Actually Exposed

The appropriate response depends entirely on what data was in the breach. Most breach notifications tell you the data categories involved. Read this carefully before taking any action.

| Data exposed | Primary risk | First action |
| --- | --- | --- |
| Email + password | Account takeover on sites where you reused the password | Change password everywhere the password was reused |
| Email + name + phone | Profile enrichment for targeted fraud | Data broker opt-outs + password changes |
| Social Security number | Credit fraud, tax fraud, government benefits fraud | Credit freeze at all 6 bureaus within 2 hours |
| Medical records | Insurance fraud, medical identity theft | Contact insurer, review Explanation of Benefits |
| Financial account numbers | Direct account takeover | Contact financial institution immediately |
| Home address + phone | Doxxing risk, targeted scam calls | Data broker opt-outs |
| Date of birth | Social engineering ammunition | Password changes + 2FA everywhere |

If your SSN was exposed, skip to Step 2 first. The credit freeze is the single most protective action for SSN breaches and should be done before anything else.


Step 1: Change Every Compromised Password (First 2 Hours)

If the breached service stored your password in any form, assume it is compromised. If you reused that password anywhere else, every account using that password is also at risk.

Priority order:

  1. Email accounts: email is the master key that unlocks every other account's password reset
  2. Financial accounts (bank, brokerage, credit cards, PayPal, Venmo, Zelle)
  3. Social media accounts used for "Sign in with [platform]" on other services
  4. Any account where you stored payment information or personal documents

Enable two-factor authentication everywhere, using an authenticator app (not SMS). SMS-based 2FA is vulnerable to SIM-swap attacks: a fraudster who calls your carrier claiming to be you can redirect your texts to a new SIM within minutes. Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) generate codes on your device that cannot be redirected.

Use a password manager. If you are using the same password in multiple places, this breach is a forcing function to fix that. Bitwarden is free and open-source. 1Password and Dashlane are paid options. Generate unique 16+ character passwords for every account going forward.


Step 2: Freeze Your Credit at All Six Bureaus (Hours 2–4)

A security freeze prevents new credit accounts from being opened in your name even if a fraudster has your SSN, birthdate, and address. It is free under federal law and does not affect your existing accounts or credit score.

Freeze at all six:

| Bureau | URL | What it controls |
| --- | --- | --- |
| Equifax | equifax.com/personal/credit-report-services | Standard credit (all major lenders) |
| Experian | experian.com/freeze | Standard credit (all major lenders) |
| TransUnion | transunion.com/credit-freeze | Standard credit (all major lenders) |
| ChexSystems | chexsystems.com/security-freeze | New bank account openings |
| Innovis | innovis.com/personal/securityFreeze | Specialty lenders |
| NCTUE | nctue.com/consumer | New utility and telecom accounts |

Most of these can be completed online in under 5 minutes each. You will need your SSN and address. Each bureau will provide a PIN or code to use when you want to temporarily lift the freeze for a legitimate credit application.

See the complete credit freeze guide for the full process and what each bureau covers.


Step 3: Remove Yourself from Data Broker Databases (Hours 4–24)

This is the step most breach response guides omit, and it is one of the most impactful.

Here is the mechanism: after a breach, stolen records circulate on dark web marketplaces. Sophisticated fraudsters do not use raw breach data directly; they enrich it. A breach record containing your name and email is significantly more valuable when paired with your current home address, phone number, employer, and relatives' names. All of that enrichment data is available, for $1–$5, on people-search sites like Spokeo, Whitepages, and Radaris.

Removing yourself from data broker databases breaks the enrichment pipeline. A stolen email address without a correlatable physical address and phone is dramatically harder to operationalize for fraud, social engineering, or targeted scam calls.

Priority brokers to opt out of immediately:

| Site | Opt-out URL | Processing time |
| --- | --- | --- |
| Whitepages | whitepages.com/suppression-requests | 24–72 hours |
| Spokeo | spokeo.com/optout | 24–48 hours |
| BeenVerified | beenverified.com/app/optout/search | 24 hours |
| TruePeopleSearch | truepeoplesearch.com/removal | Same day |
| FastPeopleSearch | fastpeoplesearch.com/removal | 24 hours |
| Radaris | radaris.com/page/privacy | 48–72 hours |
| Intelius | intelius.com/optout | 72 hours |
| MyLife | mylife.com/optout or call 1-888-704-1900 | 5–14 days |
| Nuwber | nuwber.com/optout | 24–48 hours |
| TruthFinder | truthfinder.com/opt-out | 72 hours |

OfflistMe covers 500+ data brokers for a one-time fee with no subscription. Requests are sent from your own email address, which bypasses the authorized agent verification friction that slows commercial services.


Step 4: File a Report and Set Up Monitoring (Hours 24–48)

File an FTC identity theft report at identitytheft.gov. This creates an official record, which is required documentation for disputing fraudulent accounts with credit bureaus and financial institutions. IdentityTheft.gov also generates a personalized recovery plan based on your specific situation.

Check haveibeenpwned.com and subscribe your email addresses. This free service tracks over 13 billion breached records across thousands of incidents. You will be notified automatically when your email address appears in any new breach that is added to the database.

Review your recent account activity. Log into financial accounts and check the last 30–60 days of transactions and account activity. Look for: unexpected new accounts, unusual transfers, changes to contact information or security settings, or login activity from unfamiliar locations.

File a police report if fraud has already occurred. If you find fraudulent accounts or transactions, a police report number is required to dispute fraudulent accounts with credit bureaus and to access certain consumer protections. Most jurisdictions accept online identity theft reports.


Step 5: Specific Actions by Breach Type

SSN Exposure

  1. Freeze credit at all 6 bureaus (Step 2). Do this first.
  2. Get an IRS Identity Protection PIN at irs.gov/identity-theft-central. This 6-digit PIN must be included on your tax return and prevents fraudulent returns in your name. You need a new PIN each year.
  3. Request a free annual credit report from annualcreditreport.com. Review for accounts you do not recognize.
  4. Consider placing a fraud alert (free, 1-year) as a supplement to the credit freeze

Medical Records Exposure

  1. Contact your health insurer and request a copy of your Explanation of Benefits (EOB) statements for the past 12 months. Look for services you did not receive.
  2. Request a copy of your medical records from your providers to verify accuracy.
  3. If fraudulent medical services appear in your name, contact the healthcare provider directly and file a police report.

Financial Account Numbers Exposure

  1. Contact the financial institution immediately and report the exposure.
  2. Request new account numbers and new cards.
  3. Review recent transactions for unauthorized charges.
  4. Update payment information on any services linked to the compromised accounts.

Password Exposure

  1. Change the password on the breached site immediately.
  2. Change the same password everywhere you reused it.
  3. If you used the same password on your email account, treat your email as fully compromised and change it first.

Step 6: Long-Term Posture (Ongoing)

Breach data stays operationally useful for 18–24 months. The fraud risk from a breach does not expire quickly; it extends for the entire period the data remains valuable on dark web markets.

Set calendar reminders at 6 months and 12 months to check annualcreditreport.com for new accounts. New fraudulent accounts opened using breach data may not appear for months.

Re-check data broker profiles at 90 days. Data brokers re-ingest from public records every 60–180 days. Profiles you removed may reappear. Run a spot-check of TruePeopleSearch, FastPeopleSearch, and Whitepages 90 days after your initial opt-out pass.

Maintain your data broker opt-outs. A single pass is not permanent. Treat this as an annual maintenance task, not a one-time fix.


Frequently Asked Questions

How do I know if my data was included in a breach?

Check haveibeenpwned.com (tracks billions of breached records) and the breach notification from the company. US companies are legally required to notify affected individuals and disclose the categories of data exposed. The notification must come from the company, not just a third-party news report.

Do I need to act if only my email address was breached?

Yes. An email address enables highly targeted phishing attacks. The attacker knows which service you used and can craft convincing impersonation emails referencing that service. Change the email account password, enable 2FA, and watch for unexpected password reset requests across any account linked to that address.

How long do I have before breach data is exploited?

Breach data typically reaches dark web markets within days of a breach. Act on passwords and credit freezes within 48 hours. Tax fraud and government benefits fraud using SSNs can surface anywhere from 1 month to 24 months after a breach. These are slower-burn fraud types that require longer monitoring.

The breach notification says my data was "encrypted." Am I safe?

Encryption quality matters. Properly salted and hashed passwords are very difficult to crack. Poorly implemented encryption (e.g., MD5 hashing without salting) may be cracked within hours. Change the password anyway: if the company's encryption was weak, assume the password is now known.
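The difference between the two storage schemes named in this answer can be seen directly in a leaked table. The following is an added example, not part of the original guide. The accounts, passwords, function names and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # assumed work factor for this example

# Constructed accounts: alice and bob picked the same password.
ACCOUNTS = {"alice": "password", "bob": "password", "carol": "tr0ub4dor&3"}

def unsalted_md5(password: str) -> str:
    """Weak scheme: the digest depends only on the password."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_pbkdf2(password: str) -> str:
    """Stronger scheme: fresh random salt per user plus a slow, iterated hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def shared_hash_groups(table: dict) -> list:
    """Users whose stored value is identical, i.e. whose password reuse is
    visible to anyone holding the leaked table."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def build_tables():
    """Store the same constructed accounts under both schemes."""
    md5_table = {u: unsalted_md5(p) for u, p in ACCOUNTS.items()}
    kdf_table = {u: salted_pbkdf2(p) for u, p in ACCOUNTS.items()}
    return md5_table, kdf_table

if __name__ == "__main__":
    md5_table, kdf_table = build_tables()
    print("identical unsalted MD5 entries:", shared_hash_groups(md5_table))
    print("identical salted PBKDF2 entries:", shared_hash_groups(kdf_table))
```

An unsalted digest of a given password is the same on every site, so one precomputed table serves against every such leak. A per-user salt and a slow hash remove that shortcut.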

Does a credit freeze affect my credit score?

No. A credit freeze has zero effect on your credit score, existing accounts, or ability to use current credit cards. It only blocks new credit applications until you temporarily lift the freeze.

