A ‘data breach’ is an incident where customer data is stolen from a company, and is then in the hands of hackers or even released publicly.
If you had an account with a company that suffers a data breach, then some of your information is compromised; most often it is your email address and password, but sometimes address, credit card, or other information is involved. You might get an email from the company notifying you that your data was involved in the breach, or you might hear about it in the news.
There is no way to undo the data breach; the data that has been stolen is in bad hands or is now public. Nothing will remove that data and you have to take action assuming that information is now public.
Here’s what you should do when one of your accounts has been breached:
Reset your password
Do this immediately. A data breach’s most common payoff is passwords, and hackers are usually looking to sell the data to any number of buyers. By resetting your password, you prevent any would-be buyer from using the leaked password to get into your account and the data it protects.
Reset any other accounts using that password
If the password on the breached account was also your password on any other accounts, reset those too. (And don’t use a duplicate password this time.) Hackers know how common password reuse is and will try leaked username and password combinations on any number of other services or accounts in hopes of getting in. There’s no reason to risk your accounts that way.
Upgrade the email/username on important accounts
The more of your data hackers have, the larger your risk of an account takeover. Your username or email address may be one of those useful pieces of information. Let’s pretend the breached account was a streaming service or a messaging forum you hardly ever check – you get notified, reset the password, all done – right? But now the bad guys know your email, and even if you didn’t use the same password on other accounts, they may try variations of it or a password cracker that can try thousands of them. To keep really important accounts safe, use a unique username or email address too.
Watch out for phishing emails
Immediately after hackers get your email, they often start sending you phishing emails – pretending to be the company that was hacked or some other company – in an effort to get you to click through and give them even more personal data. They’ll acknowledge a breach occurred and likely link to a site or send an attachment that’s designed to steal your information or compromise your device.
So when you get an email announcing a hack, be suspicious. Always make sure these kinds of emails are legitimate: look at the sender address, the copy (are there any misspellings?), the layout. If anything looks off, consider it spam. Do not click any links, and if you want to visit the company, type the URL in yourself or find it via DuckDuckGo. Companies will almost always ask you only to reset your password, so if an email asks for more information or promises a reward after you click a link, don’t fall for it.
Cancel your credit card
This step requires a little more research but is arguably the most important. If a data breach involved credit card information and your credit card details were held with the company, cancel that credit card. Credit card numbers are very desirable on the dark web, and hackers waste no time trying to use them for fraudulent purposes. As soon as you can, get a new number and keep an eye on your statements to make sure there is no suspicious activity on the account.
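For the password and username steps above, here is one way to work out which of your other accounts are exposed, using a password-manager export. This is an added example, not part of the original article; the CSV column names, the sample accounts and the 0.8 similarity threshold are assumptions.

```python
import csv
import io
from difflib import SequenceMatcher

# Constructed sample of a password-manager CSV export. The column names
# (name, username, password) are an assumption; match them to your export.
SAMPLE_EXPORT = """name,username,password
streamflix,ana@example.com,Sunflower!23
bank,ana@example.com,Sunflower!24
webmail,ana@example.com,Sunflower!23
forum,ana_forum,kT9#vLq2pXw8
shop,ana.shop@example.com,sunflower!23
news,ana@example.com,Zp4$hWm7rQe1
"""

def triage(export_csv, breached_name, similarity=0.8):
    """Put every other account in the most urgent bucket that applies."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    leaked = next((r for r in rows if r["name"] == breached_name), None)
    if leaked is None:
        raise ValueError(f"no account named {breached_name!r} in export")
    buckets = {"same_password": [], "similar_password": [], "same_login": []}
    for r in rows:
        if r is leaked:
            continue
        # Case-insensitive similarity catches variations such as a changed
        # digit or capital letter, which are cheap for an attacker to guess.
        ratio = SequenceMatcher(None, leaked["password"].lower(),
                                r["password"].lower()).ratio()
        if r["password"] == leaked["password"]:
            buckets["same_password"].append(r["name"])      # reset now
        elif ratio >= similarity:
            buckets["similar_password"].append(r["name"])   # reset next
        elif r["username"].lower() == leaked["username"].lower():
            buckets["same_login"].append(r["name"])         # consider a unique login
    return buckets

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_EXPORT, "streamflix").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run it locally and delete the export afterwards, since the file holds every password in plain text.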
This action plan will help you avoid some of the most common consequences that can result from a data breach. To check whether your account was part of a data breach (new or old), we recommend checking out haveibeenpwned.com, a data breach notification service.
Unfortunately, the effects of data breaches don’t always turn up so quickly, so even after you take these steps, make sure you keep an eye on the account of the breached company and your communications, just to be sure a hacker isn’t trying something fishy.