You just got a data breach notification email — or you checked Have I Been Pwned and found your email in a breach. Your first instinct might be to ignore it or panic. Do neither. A data breach requires immediate, specific actions taken in a specific order. Miss the right steps or do them in the wrong order, and a breach that could have been contained can cascade into identity theft, financial fraud, and months of cleanup. This guide tells you exactly what to do, in priority order, in the first 24 hours and the days that follow.
If you just received a breach notification: do not click any links in the breach notification email itself — navigate directly to the affected site by typing the URL. Attackers send fake breach notifications as phishing attempts. Go directly to the site, change your password immediately, and enable 2FA. Then read this full guide.
📋 In This Guide
- What Actually Happens in a Data Breach
- First 24 Hours — Priority Actions
- Check for Password Reuse — The Critical Step
- Credit and Financial Protection
- Identity Theft Monitoring
- Check the Dark Web
- The Week After — Cleanup Checklist
- How to Prevent the Next Breach from Hurting You
- What Was Exposed? — By Breach Type
What Actually Happens in a Data Breach
Before you can respond effectively, understand what was likely taken. Not all breaches are equal. When a company is breached, attackers typically steal a database containing user accounts. What that database contains — and how much risk you face — depends on what the company stored and how it was protected.
| Data Type Exposed | Immediate Risk | Long-Term Risk |
|---|---|---|
| Email address only | Spam, phishing attempts | Low — email alone isn't enough to access accounts |
| Email + hashed password | Attacker tries to crack hash | High if weak password — strong passwords resist cracking |
| Email + plaintext password | Immediate account access risk | Very high — credential stuffing on all your accounts |
| Credit card data | Fraudulent charges | Medium — cards can be frozen and replaced |
| SSN, DOB, full name | Identity theft risk | Very high — can open fraudulent accounts in your name for years |
| Medical records | Insurance fraud risk | High — hard to fix, long-lasting impact |
First 24 Hours — Priority Actions in Order
Do these in order. The order matters because password reuse makes a breach cascade — the faster you close each linked account, the smaller your exposure window.
Step 1: Change the Breached Account's Password (Do This First)
Navigate directly to the affected site (type the URL — do not click email links). Log in and immediately change your password. Use a password manager to generate a new unique password — at least 16 characters, entirely random. Do not choose a new password that resembles the old one. Attackers who crack your old password will try obvious variations first.
If you cannot log in because an attacker already changed your credentials: use the account recovery / "forgot password" flow to regain access, then immediately change your password and enable 2FA. Contact the company's support if recovery fails.
Step 2: Enable Two-Factor Authentication on the Breached Account
After changing your password, immediately enable 2FA on the account if it isn't already active. Even if an attacker later obtains your new password (not possible yet, since you just created it, but possible in the future), 2FA prevents them from logging in without your phone. Use an authenticator app, not SMS, if possible. See our 2FA complete guide for setup instructions on every major platform.
Step 3: Identify Every Account Using the Same Password
This is the most important step that most people skip. Password reuse is why a breach at one small company can compromise your bank account. Run a vault health report in your password manager (or manually check) to find every account using the same or similar password as the breached one. Change every single one immediately — starting with: your email accounts, your banking and financial accounts, your primary social media accounts, and any work accounts.
If you don't have a password manager yet, a data breach is the exact moment to start. Bitwarden Free takes 10 minutes to set up and will automatically flag all reused passwords in a health report.
Step 4: Check Your Email Account Security
Your email account is the master key to everything else — password reset links go to email. If an attacker controls your email, they can reset every other account. Check your email account's security immediately: review login history for unfamiliar locations or devices, check mail forwarding rules (attackers often set up forwarding to receive your emails silently), verify recovery phone number and backup email are still yours, and change your email password if it shared any similarity with the breached account's password.
Step 5: Review Active Sessions and Third-Party App Access
Most major platforms (Google, Facebook, Apple, Microsoft) show you a list of active sessions and third-party apps with account access. After a breach, check both: revoke any sessions from unfamiliar locations or devices, and remove any third-party app access you don't recognize or no longer use. Attackers who gained access may have authorized their own third-party app to maintain access even after a password change.
The Password Reuse Audit — Why This Step Saves You
Credential stuffing is the #1 follow-on attack after any breach. The moment a database of email-password pairs hits the dark web, automated bots start testing those exact credentials against hundreds of other services — your bank, Amazon, PayPal, your work email, your cloud storage. This happens within hours.
The only protection against credential stuffing is unique passwords on every account. If you use a password manager, run the built-in health report now. In 1Password, open Watchtower. In Bitwarden Premium, open Tools → Reports. Both will show you every account with a reused or compromised password, ranked by severity. Work through the list from the top, changing the highest-risk accounts first.
If you don't have a password manager: search your browser's saved passwords for the breached password or any variation of it. Change every match. Then get a password manager — this incident has demonstrated exactly why you need one.
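As an added illustration of the reuse audit described in Step 3 and this section (example code, not from the guide or any password manager), the script below runs over a vault export in the common "name,url,username,password" CSV layout and lists every account whose password matches the breached one or an obvious variation of it, ordered by the guide's priority (email, then banking, then social media, then work). The export and account names are constructed sample data.

```python
import csv
import io
import re

# Constructed sample export (hypothetical accounts and passwords, not real data).
SAMPLE_EXPORT = """name,url,username,password
Gmail,https://mail.google.com,alice@example.com,Tr0ub4dor&3
First Bank,https://bank.example,alice,Tr0ub4dor&3
Shop Forum,https://forum.example,alice,Tr0ub4dor&3!
Social,https://social.example,alice,Tr0ub4dor&4
Work VPN,https://vpn.corp.example,alice,c7Q!vL9#pR2m@zX4
"""

# Change order from the guide: email first, then banking, social media, work.
# Keywords are assumptions used to classify an account by its name or URL.
PRIORITY = [("email", ("mail", "gmail", "outlook")),
            ("banking", ("bank", "paypal")),
            ("social", ("social", "facebook")),
            ("work", ("work", "corp", "vpn"))]

def rank(entry):
    """Lower number = change sooner; unclassified accounts go last."""
    haystack = f"{entry['name']} {entry['url']}".lower()
    for i, (_, keywords) in enumerate(PRIORITY):
        if any(k in haystack for k in keywords):
            return i
    return len(PRIORITY)

def normalize(password):
    # Collapse the variations attackers try first: letter case and a run of
    # digits/symbols appended to an otherwise reused base ("Secret1", "Secret2!").
    return re.sub(r"[\d\W_]+$", "", password.lower())

def find_reuse(export_text, breached_password, breached_name):
    """Accounts (other than the breached one) sharing the breached password
    or a variation of it, as (name, 'exact'|'variation'), highest priority first."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    target = normalize(breached_password)
    hits = [r for r in rows
            if r["name"] != breached_name and normalize(r["password"]) == target]
    hits.sort(key=rank)
    return [(r["name"], "exact" if r["password"] == breached_password else "variation")
            for r in hits]

if __name__ == "__main__":
    # Scenario: Shop Forum was breached and its password leaked.
    for name, kind in find_reuse(SAMPLE_EXPORT, "Tr0ub4dor&3!", "Shop Forum"):
        print(f"change {name}: {kind} reuse")
```

Most password managers can produce an export in this layout; delete the export file once the audit is done, since it holds every password in plaintext.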
Credit and Financial Protection Steps
If the breach included financial data, SSN, date of birth, or full name + address, take these steps immediately:
Place a Fraud Alert
Contact any one of the three major credit bureaus (Equifax, Experian, TransUnion) and request a fraud alert. By law, the bureau you contact must notify the other two. A fraud alert requires creditors to take extra verification steps before opening new credit in your name. It's free, lasts one year, and is renewable, and it takes 5 minutes online or by phone.
Consider a Credit Freeze
A credit freeze (also called a security freeze) prevents any new credit from being opened in your name entirely — even by you. It's the strongest protection against identity theft. Contact all three bureaus individually to freeze your credit. It's free. You can lift the freeze temporarily when you need to apply for credit. For SSN breaches, a credit freeze is our strong recommendation over a fraud alert alone.
Review Your Credit Report
At AnnualCreditReport.com, you can view your credit report from all three bureaus. Review for any accounts you don't recognize — these may be fraudulently opened accounts. If you find unfamiliar accounts, dispute them immediately through the bureau's dispute process.
Contact Your Bank and Credit Card Companies
If financial account numbers, card numbers, or bank account details were exposed, contact the institution proactively. Request replacement cards with new numbers. Set up transaction alerts for amounts over $1. Ask about their fraud monitoring and dispute processes so you know how to escalate if unauthorized charges appear.
Identity Theft Monitoring
For serious breaches involving SSN or government ID, consider enrolling in an identity theft monitoring service. The FTC's IdentityTheft.gov provides free recovery plans and resources. Some states provide free monitoring services to residents affected by specific large breaches. If the breached company offers free identity monitoring as part of their notification, enroll in it immediately — it's genuinely useful and costs you nothing.
Signs of identity theft to watch for in the months following a breach: unfamiliar accounts on your credit report, unexpected mail from financial institutions, medical bills for care you didn't receive, IRS notices about duplicate tax returns, and calls from debt collectors about debts you don't recognize.
Check the Dark Web for Your Data
Use haveibeenpwned.com (free, operated by security researcher Troy Hunt) to check if your email addresses appear in known breach databases. Enter each email you use and review which breaches it has appeared in and what data was exposed. The site also offers free breach notifications — sign up to be emailed whenever a new breach database containing your email is added to the index.
Premium password managers like 1Password, Keeper, and Dashlane include continuous dark web monitoring that checks your stored credentials against breach databases automatically and pushes alerts to you within hours of a new breach. If you're managing many accounts, this automated monitoring is more reliable than manual checks.
The Week After — Complete Cleanup Checklist
- ☐ All accounts with the same password have been updated with unique ones
- ☐ 2FA enabled on all high-value accounts (email, banking, social media, work)
- ☐ Email account reviewed for forwarding rules and unfamiliar app access
- ☐ Fraud alert or credit freeze placed with all three bureaus (if PII was exposed)
- ☐ Credit report reviewed for unfamiliar accounts
- ☐ Dark web scan completed on all email addresses you use
- ☐ Password manager installed and vault health report run
- ☐ Bank and credit card companies notified (if financial data was exposed)
- ☐ Free identity monitoring enrolled (if offered by breached company)
- ☐ Active sessions reviewed and revoked on all major platforms
How to Prevent the Next Breach from Hurting You
You cannot prevent companies from being breached — that's outside your control. You can absolutely prevent a breach from becoming a personal disaster. The three-step defense:
1. Unique passwords on every account. A breach at one site exposes exactly one password that works on exactly one site. Credential stuffing attacks become completely ineffective. Use a password manager to generate and store these.
2. Two-factor authentication on every important account. Even if an attacker has your password, 2FA stops them at the door. Priority: email, banking, password manager itself, social media, work accounts.
3. Dark web monitoring. Know about breaches affecting your accounts within hours, not months. Set up monitoring through your password manager or Have I Been Pwned's free notification service.
With these three defenses in place, the next data breach notification you receive will be mildly inconvenient rather than a crisis. One password changed, verified by monitoring, done. That's the end state you're building toward.
What Was Exposed? — Quick Reference by Breach Type
| Breach Type | Immediate Actions | Extra Steps |
|---|---|---|
| Email + Password | Change password, enable 2FA, audit reuse | Dark web scan |
| Email Only | Expect more phishing — be vigilant | Enable 2FA on email |
| Credit Card | Contact bank, request new card | Set transaction alerts |
| SSN / DOB | Credit freeze at all 3 bureaus | IRS Identity Protection PIN |
| Medical Records | Review Explanation of Benefits for fraud | Contact insurer, monitor medical history |
| Home Address | Be alert for mail fraud and physical threats | USPS mail monitoring |
If you don't have a password manager yet, getting one is the single highest-impact action you can take after a breach. Bitwarden Free takes 15 minutes to set up, identifies all your reused passwords instantly, and prevents the next breach from cascading. Start there.