What to do if your personal information is exposed in a security breach

This post has been modified to reflect new information since its original publication.

Nobody wants to get this email: “Your information may have been exposed in a security breach.” If you have received a similar message, you are not alone. Since 2005, 9,106 data breaches have exposed more than 10 billion records, containing Americans’ Social Security numbers, financial data, and account passwords.

If your personal information has been compromised by a data breach, you need to do three things right away:

1. Change all your passwords
2. Enable two-factor authentication on all your accounts
3. Monitor the Web for signs of someone using your information

In order to successfully complete these tasks, you’ll need to learn more about what happened in the breach. What items of personal information were exposed? When did the breach occur?

While all 50 states require companies to promptly notify individuals affected by a breach, there are circumstances that might delay this notification, sometimes for years. For example, a company might learn about a breach years after the fact or law enforcement agencies might request the company’s silence during an investigation.

Once you know what data has been exposed and how long it’s been out there, you can start doing damage control.

1. Change all your passwords

To secure all your private information, you’ll need to change both your email password and the passwords to all your other online accounts as quickly as possible after a breach.

Access to your email address is among the most valuable assets for hackers. This is because your email account is the key to finding and breaching many of your other online accounts, including your banking and credit accounts. Access to your email also allows the hacker to impersonate you in order to trick your contacts into revealing their sensitive information (a.k.a. “phishing”).

If you can’t log in to your email account, then someone has probably already taken it over. You’ll need to contact your email provider for instructions on getting back into your account—or deleting it if this isn’t possible.

After you’ve changed your email password, you need to protect all your other online accounts. This is because hackers who gain access—however temporarily—to your email address and password can easily get into some or all your other accounts using the account’s “forgot password?” feature.

As such, you need to lock out any intruders by changing the password for every account you have.

While doing so, make sure you create a unique password for every site. This way, if someone breaches one account, then that person can’t reuse those login credentials to access your other accounts.

To make this task easier, you can use a password manager, like 1Password, Dashlane, or Keeper. These tools store all your passwords in an encrypted vault that only you know the password to. They can also generate robust passwords and automatically enter them for you on websites and apps.

2. Enable two-factor authentication on all your accounts

This extra security step, which involves entering a special code sent to your phone whenever you log into an account, is one of the most effective ways to keep your private information safe. Not only does two-factor authentication prevent others from logging in as you, but it also notifies you (via the message on your phone) whenever this occurs.

If your service lets you use a two-factor authentication app, like Google Authenticator, you should do so. Apps like this are even more secure than text-message authentication.

3. Monitor the Web for signs of someone using your information

If your email address and password were exposed in a data breach, there’s a good chance that other vital information has been compromised. Therefore, you need to be vigilant about looking for evidence of ID theft and fraud.

A good way to do this is to monitor your financial statements for any charges that you didn’t make. If you find anything suspicious, you should alert your bank as soon as possible.

You should also closely monitor your credit reports for any new or unusual activity. Make sure that no one has opened any new accounts, credit cards, or loans in your name.

An easy way to check your credit history is to request a free report from Experian, Equifax, and TransUnion via annualcreditreport.com. You can receive one free report per year (and asking for a report doesn’t hurt your credit score.)

How to create strong passwords

Of course, the easiest route to creating strong and unique passwords for all your accounts is to use a password management tool. These tools’ password-generator features can quickly produce random, hacker-proof passwords like “6′(T@?8JWxutD6ws6YNp.” However, if you prefer to create your own passwords, there are a few simple best practices you should follow to make sure they are as strong as possible:

• Combine unrelated, nonsensical words to make stronger passwords: One-word passwords are too easy to guess. Therefore, it’s better to combine a string of non-related words that don’t make sense. For example, “Preachy Glutton Revise Shorter Typhoon Author.”

• Make passwords at least 12 to 15 characters long: For example, “Laundry7Zebra$TowelBlue.” Anything under 12 characters can easily be hacked.

• Use a combination of upper- and lowercase numbers, letters, and symbols: And don’t just add an exclamation mark (!) at the end. Use symbols throughout your passwords.

• Avoid using these words: Don’t use easily guessable words like pet names, notable dates (like your birthday), your children’s names, things related to your favorite sports team, the name of your significant other, your birthplace, or the word “password.”

Other ways to protect your online privacy

• Be cautious when using public Wi-Fi: Free public Wi-Fi can be tempting, but these networks are usually not secured or monitored. As a result, cybercriminals often use these networks to steal people’s private information. To reduce the risk of being hacked, make sure your phone or tablet isn’t set to auto-connect to Wi-Fi and avoid doing any mobile banking unless you’re sure the connection is encrypted. One way to check is to make sure that the URL says “https,” not just “http.” You can also install a virtual private network (VPN) on your device to create a protected connection between your device and the network. Lastly, make sure your email is encrypted. Large providers like Gmail and Outlook automatically encrypt everything, but if you are using a basic email service from your ISP, your messages might be unencrypted, and thus visible, on a public Wi-Fi network.

• Keep your software up to date: While it’s easy to ignore those little messages reminding you that new software updates are available for your device, you should always click “Update Now” because these updates are vital to your online security. Updates and patches repair security flaws that hackers use to gain access to your personal data. Thus, using the latest version of the software reduces your risk of being hacked.

• Keep your email address private: Don’t share your email address with anyone unless it’s required to use a service. And even then, you’ll need to weigh the need for convenience against the need for privacy. For example, if you are online shopping, you can choose to check out as a guest instead of creating an account with your email address. You can also use services like Nada or 10minutemail, which let you create a temporary email address.

• Watch out for phishing emails: A phishing email is an increasingly common scam in which hackers pretend to be a company or service you trust in order to get you to give them your private account information. Often, it can be hard to tell the difference between valid emails, like those from online shopping sites or your bank, and these clever fakes. These emails usually have a link that you are supposed to click on to “confirm your account details” or something similar. Never click on these links! They can install malware on your device or take you to a fake site that requires you to enter your login credentials. When in doubt, contact the company directly and verify that it sent you the email.

Resources

Locking down your online privacy can seem like an overwhelming task at first. However, it becomes easier once you understand what you need to do. Luckily, there are resources you can turn to for help.

ReputationDefender offers free advice 24/7 on the best ways to protect your privacy. We also have several privacy-related articles in our Resource Center, including:

• 11 smart ways to protect your email privacy
• How to remove yourself from the top people-search sites
• Top 5 social media privacy mistakes
• How to clean up your digital footprint