A data breach notification just landed in your inbox. Your personal information — maybe your email, password, SSN, or financial data — is in the hands of criminals. What you do in the next 24 hours can mean the difference between a minor inconvenience and months of identity theft recovery. Here is your hour-by-hour action plan.
Criminals send fake "data breach notification" emails designed to trick you into entering your credentials on phishing sites. Never click links in breach notification emails. Instead, go directly to the company's official website by typing the URL into your browser. Verify the breach through official channels before taking action.
Hour 1: Verify the Breach Is Real
Not every breach notification is legitimate, and not every real breach requires the same response. Start by confirming what actually happened:
- Check the company's official website: Go directly to the breached company's site (type the URL — do not click email links). Look for a dedicated breach notification page.
- Check Have I Been Pwned: Visit haveibeenpwned.com and enter your email address. This free service, run by security researcher Troy Hunt, tracks known breaches and will tell you which of your accounts have been compromised.
- Identify what data was exposed: There is a massive difference between an email-only leak and a breach that includes SSNs, financial data, or passwords. The breach notification should specify what was compromised.
- Check reputable news sources: Major breaches are covered by outlets like Krebs on Security, BleepingComputer, and The Verge. If you cannot find any reporting on the breach, the notification may be a phishing attempt.
Once you know what was exposed, use it to set your risk level and the scope of your response:
- Low risk: Only email addresses exposed. Change passwords on affected accounts and enable 2FA.
- Medium risk: Email + passwords exposed. Change passwords immediately on the breached account AND any account where you reused that password.
- High risk: SSN, financial data, or government IDs exposed. Execute the full 24-hour plan below.
Hours 1-4: Secure Your Accounts
Once you have confirmed the breach and understand what was exposed, lock down your accounts immediately:
Change Passwords
- Start with the breached account. Create a new, unique password — at least 16 characters, randomly generated. Use a password manager like Bitwarden or 1Password.
- Change any account where you reused the same password. This is critical. Credential stuffing — where criminals try stolen username/password combinations on other sites — is one of the most common attack methods. If you used the same password on your email, banking, or social media accounts, change all of them.
- Prioritize your email account. Your email is the recovery key for almost every other account you own. If an attacker controls your email, they can reset passwords on everything. Secure your email first.
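The Have I Been Pwned check from Hour 1 also extends to the passwords you may have reused: its Pwned Passwords range lookup takes only the first five hex characters of the password's SHA-1, so the password itself never leaves your machine. The following is an added example, not code from the article or from Have I Been Pwned; the API URL and the `User-Agent` header are assumptions, and the range response is constructed for the demonstration.

```python
"""Pwned Passwords k-anonymity check (added example, not from the article).
Assumes the HIBP "range" API at RANGE_URL: the client sends only the first
5 hex chars of the password's SHA-1 and gets back every known suffix with
that prefix plus a breach count. SHA-1 is the service's lookup key, not a
password-hashing recommendation.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6 (counts are invented for this
# example; a real response lists hundreds of suffixes).
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E8D3A9F5B2C7D4E6F0A1B2C3D4E5F60718:12\r\n"
)

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup (network); only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password: str,
                   fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many breaches list this password (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)
```

A non-zero count means the password is already in criminals' lists and must be replaced everywhere it was used, not only on the breached account.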
Enable Two-Factor Authentication (2FA)
- Enable 2FA on every account that supports it — especially email, banking, and social media.
- Use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS-based 2FA when possible. SIM-swapping attacks can intercept SMS codes.
- Save backup codes in a secure location — not in your email. Print them out or store them in your password manager.
Check for Unauthorized Access
- Review recent login activity on the breached account. Most major services (Google, Microsoft, Apple, Facebook) show recent sign-in locations and devices.
- Revoke any sessions you do not recognize. Sign out all other sessions and sign back in with your new password.
- Check for forwarding rules in your email. A common attacker tactic is to set up email forwarding to silently copy your incoming mail. Check your email settings for any forwarding addresses you did not create.
Hours 4-8: Freeze Your Credit
If the breach exposed your Social Security number, date of birth, or other data that could be used to open new accounts, freeze your credit immediately. This is the most important defensive step you can take.
A credit freeze prevents anyone — including you — from opening new credit accounts until you unfreeze it. It is free by federal law and does not affect your credit score.
You must freeze at all three major bureaus:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze/ or call 800-349-9960
- Experian: experian.com/freeze/center.html or call 888-397-3742
- TransUnion: transunion.com/credit-freeze or call 888-909-8872
For a detailed walkthrough, see our complete credit freeze guide.
A credit freeze blocks all new credit applications — it is the strongest protection. A fraud alert only asks creditors to verify your identity before opening accounts, but it does not prevent them from proceeding. We recommend a freeze. You can always temporarily unfreeze when you need to apply for credit.
Hours 8-24: File Reports and Establish a Paper Trail
If sensitive data (SSN, financial accounts, government IDs) was exposed, create an official record of the breach and your response:
File with the FTC
- Go to IdentityTheft.gov — the FTC's official identity theft reporting and recovery site.
- Create an Identity Theft Report. This is a critical document — creditors and credit bureaus are legally required to honor it when you dispute fraudulent accounts.
- The site will generate a personalized recovery plan based on the type of information that was compromised.
File a Police Report
- File a report with your local police department. While police rarely investigate individual identity theft cases, the report creates an official record that creditors and bureaus may require.
- Bring your FTC Identity Theft Report and any documentation of the breach.
- Get a copy of the police report and keep it with your records.
Notify Your State Attorney General
- Most states have an identity theft reporting mechanism through the AG's office.
- Find your state's AG at naag.org/find-my-ag/.
Contact Your Financial Institutions
- Call your bank and credit card issuers to alert them to the breach. They may issue new account numbers or cards proactively.
- Review recent transactions on all accounts for unauthorized activity.
- Set up transaction alerts if you have not already — get a notification for every transaction over $1.
After the First 24 Hours: Ongoing Vigilance
The first 24 hours are the most critical, but identity theft protection does not stop at day one:
- Monitor your credit reports weekly for the next 12 months. Free weekly reports are available at AnnualCreditReport.com.
- Watch your mail for bills, collection notices, or account statements for accounts you did not open.
- File your taxes early next season to prevent fraudulent tax return filing. Consider getting an IRS Identity Protection PIN.
- Check your health insurance statements for medical services you did not receive.
- Review your Social Security statement at ssa.gov/myaccount/ for unauthorized earnings reported under your SSN.
Set Up Continuous Monitoring
Manual monitoring is essential but limited. For comprehensive, real-time protection, consider an identity monitoring service that watches your credit, SSN, bank accounts, and the dark web around the clock. Aura's identity protection provides all-in-one monitoring with up to $5 million in identity theft insurance — giving you an early warning system and a financial safety net if something slips through.
For a complete recovery roadmap if you discover fraudulent accounts or unauthorized activity, see our Identity Theft Recovery Guide.
Quick Reference Checklist
- Verify the breach is real (official company site, haveibeenpwned.com, news sources)
- Identify what data was exposed (email only, passwords, SSN, financial data)
- Change passwords on affected accounts — use unique, strong passwords
- Enable 2FA on all critical accounts (email, banking, social media)
- Check for unauthorized access and revoke unrecognized sessions
- Freeze credit at all 3 bureaus (Equifax, Experian, TransUnion)
- File an Identity Theft Report at IdentityTheft.gov
- File a police report with your local department
- Notify your bank and credit card issuers
- Set up ongoing credit monitoring and identity protection