
What to do after a data breach—and how to avoid getting hacked—in 9 easy steps


You’ve undoubtedly heard about some high-profile data breaches; some of the biggest companies in the world have had user login credentials or other sensitive account data stolen, from usernames and e-mail addresses to passwords, credit card details, home addresses, social security numbers, and more.

There’s only so much you can do to ensure that companies handle your data securely. But there are some things you can do to help avoid getting hacked whenever a new data breach comes to light. You’ll want to find out whether your data was exposed. And you’ll also want to verify that you use good password hygiene along with two-factor authentication.

Let’s explore how to prepare for—and recover from—a data breach. Here’s everything you need to know to get started developing your personal data breach response plan. (Note: If your Social Security Number has leaked, freeze your credit first.)


What is a data breach?

A data breach is an incident in which an attacker obtains unauthorized access to a company’s systems, resulting in the exposure of sensitive information. Data breaches are also called data leaks, security breaches, or unauthorized disclosures. Sometimes, leaks of sensitive data occur due to poor security controls on a company’s server; other times, they result from a broad or targeted attack against a company. Occasionally, the source of a leak is an “insider threat,” meaning a rogue employee or contractor.

Regardless of what you call it, or how unauthorized parties obtain access to the data, data breaches are a serious problem in the world today. Fortune 500 companies, banks, hospitals, and schools are being attacked every day, and many of these attacks result in system compromise and data exposure.

How can I find out if my information was included in a data breach?

When you hear about a specific data breach incident that might affect you, the first thing you’ll likely want to do is find out whether your personal information was leaked. Thankfully, there’s a tool for that.

Have I Been Pwned (HIBP) is a site that offers a free lookup and notification service for data breaches and data dumps. (“Pwned” is hacker lingo for “owned”—i.e. hacked, or compromised by a hacker.) The site was developed by Troy Hunt, a leading expert on data breaches. You can safely enter your e-mail address at HIBP to see a list of any notable breaches and dumps that contain your e-mail address. Of course, it’s important to note that not every data breach necessarily contains e-mail addresses.

Additionally, even if e-mail addresses were among the leaked data, it can sometimes take time before new breaches are added to HIBP; it may not happen the same day as the breach hits the news. But when you enter your e-mail address on the site, you can optionally subscribe to receive notifications about future dumps that contain your address.

Was my password leaked in a data breach? Should I change it?

You might be worried about whether your password was exposed. There are a couple of ways to determine whether one of your passwords may have leaked in a data breach.

Have I Been Pwned also has a “Pwned Passwords” lookup page where you can—brace yourself!—type in your passwords one by one and check to see if they’ve ever appeared in a password dump.

If the idea of typing your passwords into a third-party site makes you uncomfortable, that’s excellent—it should! You’d be perfectly justified in being suspicious. Hunt has taken precautions to safeguard passwords, and has cleverly engineered the page to not actually send any passwords typed on the page to his server.
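The safeguard described above is a k-anonymity lookup: the client hashes the password with SHA-1 and sends only the first five hex characters of that hash to HIBP's range endpoint, which answers with every suffix in that bucket and its breach count, so the comparison happens locally. The following is an added illustration of that client-side logic, not code from the article or from HIBP; the response body and the breach count are constructed, and `live_fetch` merely shows the real request and is not called here.

```python
import hashlib
import urllib.request


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for a range response: one "SUFFIX:COUNT" line per
# hash in the bucket. Real buckets hold several hundred lines; the count
# for "password" below is made up, the other two suffixes are arbitrary.
LEAKED_PREFIX, LEAKED_SUFFIX = sha1_split("password")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{LEAKED_SUFFIX}:3730471",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
])


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map (blank lines ignored)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTPS GET; only the prefix is ever 'sent'."""
    return SAMPLE_RANGE_RESPONSE if prefix == LEAKED_PREFIX else ""


def live_fetch(prefix: str) -> str:
    """Real request to HIBP's range API (not called in this example)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=sample_fetch) -> int:
    """How many times the password appears in known dumps; 0 means not found."""
    prefix, suffix = sha1_split(password)
    counts = parse_range_response(fetch_range(prefix))
    # The full hash and the password itself never leave this function.
    return counts.get(suffix, 0)
```

Swap `fetch_range=live_fetch` into `pwned_count` to query the real service; the password still stays on the client.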

If you’re still uncomfortable typing your passwords into HIBP’s Pwned Passwords site, it may give you some comfort to know that major password managers partner with HIBP to utilize the feature. So, if you prefer, you can have your password manager do the work for you. (This should also save you a lot of time.)

The popular password manager 1Password has partnered with HIBP to offer a feature called Watchtower; it can look up whether your passwords have appeared in a dump. Some other password managers may offer a similar feature; if yours doesn’t, you may wish to submit a feature request to the developer and point them to this page for details on how they can integrate with HIBP.

If you don’t currently use 1Password, and if your current password manager doesn’t offer a similar feature, there’s another option. You can export your passwords from your current password manager, and then import them into a 14-day trial of 1Password so you can try out Watchtower. (Note: 1Password isn’t a sponsor, and this is not an endorsement—but we do recommend using a trustworthy password manager.)

If your password has been found in a data breach, change it immediately. If you’re unable to find out for sure whether your password was exposed, it doesn’t hurt to change it anyway, just as a precaution. You’ll also want to follow the guide below.

What can I do to recover from a data breach? 9 key steps

Of course, there isn’t any way to expunge your personal information that has already been exposed on the Internet; data is infinitely copiable, so you have to assume that there will always be copies of it out there.

Generally speaking, you cannot change your social security number. This is unfortunate, because its exposure puts you at significant risk of identity theft.

So what can you do if any of your sensitive personal data has been exposed? Here are nine easy steps to protecting yourself.

1. Register your e-mail addresses with Have I Been Pwned

As mentioned earlier, Have I Been Pwned (HIBP) is a free service run by the trusted security researcher Troy Hunt. HIBP notifies you if your e-mail address appears in a publicly available data dump. The site also allows you to manually check whether individual passwords are known to have been exposed.

2. Choose a password manager that comes with data breach monitoring

Also mentioned earlier, 1Password’s Watchtower feature is integrated with Have I Been Pwned. This partnership means 1Password customers receive a notification if one of their passwords was leaked due to a data breach. Other reputable password managers may offer similar features.

3. Use a long, unique password for each site; never reuse passwords

This will help protect you from credential stuffing attacks, which are sometimes the source of data breaches. There are different schools of thought on what constitutes a “strong” password, but experts agree that having a long password (or passphrase) is crucial. Avoid using patterns that an attacker could use to guess your other passwords. Consider using a unique string of pseudorandom characters generated by your password manager, or by GRC’s Perfect Passwords generator; the latter creates new pseudorandom strings each time you reload the page.

4. Enable two-factor authentication on all your accounts

Two-factor authentication (also called multifactor authentication, or two-step verification) will help protect you in case your passwords leak, especially shortly after the breach occurs or after the data becomes widely available, before the company starts requiring password resets and often before HIBP notifies you that your information may have been exposed. The idea behind two-factor authentication is that if someone obtains your password (“something you know”), they’ll also need something else—typically a phone, an app, or a hardware token (“something you have”) or, less commonly, biometric data based on your unique physical characteristics (“something you are”). Unfortunately, not every site or service supports two-step verification, but you should definitely enable the additional layer of security where available. Whenever possible, try to avoid SMS text messages or a call to your mobile phone as your second step, since they’re hijackable via SIM swapping attacks—but if those are your only second-step options, they’re better than nothing, so use them.

5. Contact the breached company, if necessary

If you hear of a data breach at a company, service, or website with which you have an account, and HIBP doesn’t have information about the breach, you can try contacting the company to find out if your information was exposed. If so, they may offer services to help you monitor potential abuse of that data; for example, they may offer free identity theft monitoring for a period of time.

6. Beware of data breach-related phishing scams

Once word of data breaches hits mainstream news, scammers may begin to send texts, e-mails, or robocalls, or buy malicious ads in Google search results, to try to phish your data. If you need to contact the breached company, do so via a bookmark you’ve previously saved in your browser, or by calling a phone number from a known-valid past communication from the company.

7. Set up fraud alerts, and consider freezing your credit

You can set up free fraud alerts with credit bureaus such as Equifax, Experian, and TransUnion. The FTC explains that you can place a fraud alert “when you’re concerned about identity theft. It makes it harder for someone to open a new credit account in your name. It’s free and lasts 1 year.” After that year expires, you may want to renew it; consider adding an event to your calendar to ensure you don’t forget.

A step up from fraud alerts is a credit freeze (or security freeze). Data breaches are extremely common, and most adults’ Social Security Numbers have already leaked; therefore, freezing your credit is more important than ever to help prevent fraud. Note that you’ll need to remember to temporarily unfreeze your credit before applying for credit—and then remember to freeze it again afterward.

Here are the direct links to the pages for freezing (and unfreezing) your credit at Equifax, Experian, and TransUnion.

8. Consider using an identity theft protection service

After a breach becomes public knowledge, major companies typically offer a free year of credit monitoring to their customers. You can sign up for these services if you wish. Since big data breaches happen fairly often, you may be “lucky” enough to get free credit monitoring on an almost yearly basis. Alternatively, you can pay for a service on your own; Aura is a well-regarded service, but there are many out there. These services typically go beyond basic protections and can offer identity theft insurance, help you to resolve challenges resulting from identity theft or fraud, and more.

9. Whenever possible, avoid sharing personally identifiable information (PII)

Providing personally identifiable information is often a prerequisite for signing up for banking, a mobile phone, or other services. But whenever it’s optional, you can choose not to share such data. Do you really need to make your birth date or phone number available to everyone on Facebook? Probably not, so try to avoid oversharing. When filling out forms, look for optional fields, and leave them blank. Sometimes online forms aren’t clear about which fields are required and which are optional until you try to continue. So here’s a pro tip: Try entering the minimum amount of information and then submitting the form, and fill in only the fields that it tells you are required to continue.

And a related tip: Don’t answer “security questions” with real answers. The true answers to such questions can often be found online or social-engineered from you, so you’re better off answering with something entirely different; for example, use yet another unique password or passphrase, which you can also store in your password manager. Don’t use predictable answers to security questions; doing so can become the weak link in the chain that enables a hacker to break into your accounts.

How can I learn more?


Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.