Breaches happen every day. Nearly everyone’s data has been involved in a breach at this point (in fact, you can check if yours has been here). Security isn’t easy, and it often isn’t convenient.
What should I do?
1. Determine what information was compromised (and how sensitive it is).
Less Sensitive: Data like names and addresses. Anything that you can find with a quick Google search probably isn't that sensitive.
Moderately Sensitive: Email addresses, birth dates, credit and debit card numbers, etc. Email addresses can result in phishing attempts or increases in spam emails. Birth dates, though they can usually be found with a Google search, do not change as frequently as addresses, and when combined with other pieces of information they can be used to verify identity. Credit and debit card numbers can result in fraudulent charges; however, those can usually be reported, and the user is usually protected from liability.
Very Sensitive: Social Security numbers or national insurance/national ID numbers (outside of the US), passwords, bank account numbers, card security codes. Social Security numbers or national insurance numbers can be used to steal identities, while passwords can be used to fraudulently access and use online accounts. Bank account numbers or card security codes can permit hackers to view financial activity.
Often companies will report that only 'encrypted' data was stolen. This doesn't mean that your data is safe - often encryption can be broken (particularly if the company's encryption wasn't very strong). To be safe, you should assume that your data has been compromised.
2. Change any associated passwords (immediately).
If you have a password manager, that's awesome! You only need to change the password associated with this account. If you've reused that password anywhere, those passwords should be changed as well (don't reuse passwords for multiple accounts and don't reuse old passwords!). If you haven't already, and the site offers it, enable two-factor authentication.
3. Report the Incident.
If your credit or debit card was compromised, or other financial data was leaked, you should contact the relevant financial institution immediately. For credit cards, you can report a card lost or stolen at any time, but you only have 60 days from the date of a fraudulent charge on a monthly statement to dispute the charge. For debit cards, you only have 2 days from the date you learned of the fraud to report the incident to your bank (but the sooner the better!).
Place fraud alerts on your accounts with the three major credit agencies - Equifax, Experian, and TransUnion (you can either call them or visit their websites). For other countries, contact the local credit bureau and ask to place a similar alert on your account.
If your identity is stolen, you should contact your local government agency (in the United States, report identity theft to the Federal Trade Commission, and contact your local police department to get a police report).
Want to learn more? Check out these guides for the truly paranoid.
- My guide to Digital Security for family and friends
- The Motherboard Guide to Not Getting Hacked
- The WIRED Guide to Digital Security