Involved in a data breach? Here’s what you need to know

If you’ve received a message from a company saying your data has been caught up in a breach, you might be unsure what to do next. We’ve put together some tips which should help you when the (more or less) inevitable happens.

1. Check the company’s advice

Every breach is different, so check the company’s official channels to find out what’s happened and what data has been breached. Organizations often put out a rolling statement on their website, blog, or X (Twitter). Follow any specific advice they offer first, and keep an eye out for any further communications.

2. Change your password

If your password has been caught up in a breach, you should immediately change it. If you’ve used the same password on another site or service then you also need to change that. Cybercriminals will often try one password on multiple sites because they know people reuse them, so make sure you use a different password for every single site you have an account on. If you don’t already use one, it’s worth considering a password manager, which will generate and store passwords for you so you don’t have to remember them all in your head.

3. Enable multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of security when logging in to your online accounts, and stops anyone from logging in with just your password. One of the most common ways of adding MFA to your online accounts is with an app—such as Google Authenticator, Authy, or Microsoft Authenticator—which generates a code that you enter into the site you’re logging into. You can also use SMS MFA, where you are sent a code via text that you then enter into the website, or a hardware key such as a YubiKey which you plug into your computer. 

It’s worth bearing in mind that a code can be phished as easily as a password so code-based MFA can’t protect you from phishing, but it’s still much better to have it turned on than not use it at all. Remember to never give an MFA code to anyone else, even if they pressure you into revealing it.

4. Freeze your credit report

If you’re in the US, a credit freeze stops new creditors and potential thieves from accessing your credit report. Credit freezes must be set (and removed) at each of the three bureaus.

5. Set up identity and credit monitoring

Identity monitoring alerts you if your personal information is found being illegally traded online, and helps you recover after. Credit monitoring tracks your credit report and borrowing behavior and alerts you if anything changes. A breached company may offer this as a service to you, but you can also get different levels of monitoring solutions, depending on your individual need.

6. Watch out for scammers

Scammers often try to take advantage of data breaches. They know that the breached company is likely to be contacting victims, and that the victims will be looking out for emails from the company. It’s easy to spoof an email to make it look like it comes from somewhere else, and then send someone malware or a link to a phishing site.

We suggest you monitor the company’s website for information about the breach and be very sceptical of messages that appear to come from that company. All the usual advice applies: Look for inconsistencies, odd email addresses, and strange links, and watch out for the two major red flags: urgency and a request for money or personal information.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

ABOUT THE AUTHOR

Anna Brading

Anna Brading is Editor in Chief at Malwarebytes Labs which means she writes, talks and lives all things cybersecurity. She’s interested in social media, privacy and helping people stay safe online.