What To Do If Your Personal Information Has Been Compromised

If your personal information is compromised, verify the breach through official sources, then change passwords, enable 2FA, and freeze your credit. Monitor your accounts, check credit reports for fraud, and report identity theft to IdentityTheft.gov.

1. Verify That Your Information Has Been Leaked

Data breaches happen almost daily — making it nearly impossible to keep up with them. Unfortunately, scammers take advantage of this uncertainty. They send out fake Dark Web alerts containing malicious links, or they request payment for “removing” your Social Security Number (SSN), date of birth, or driver’s license number from a breach.

Earlier this year, Change Healthcare suffered one of the largest data breaches of U.S. health and medical data to date, affecting more than 100 million people. Their response was typical of a large breach.

Here’s how you can tell it was legitimate:

• They published a data breach disclosure on their official website. Change Healthcare confirmed the information hackers stole — including contact information, insurance information, medical records, bank account numbers, and more.
• They sent written notices in the mail. Most scams take place through phishing emails or text messages rather than via physical mail. Affected individuals received letters at their home addresses outlining exactly what personal data was compromised.
• The breached company offered free support. Victims can opt in to complimentary credit monitoring and identity protection services.‍
• Their breach appears on the Identity Theft Resource Center (ITRC) website. You can look it up by date, company name, and attack vector.

2. Change Your Passwords and Enable 2FA

The average person reuses passwords for over 50% of their accounts. Even when notified that their password has been compromised, less than a third of people change it. And those who do update their passwords don’t change them meaningfully enough to prevent future fraud.

Leaked passwords often end up in credential-stuffing lists or rainbow tables — tools hackers use to break into accounts. If any part of your old password is compromised, new variations are easier to crack. The best defense is using strong, unique passphrases from the start.

Follow National Institute of Standards and Technology (NIST) guidelines:

• Use unique passwords for every account. It’s worth repeating — don’t repeat passwords (or variations) across accounts. 
• Store your credentials in a secure password manager. Every Aura plan includes a password manager that stores and retrieves your passwords whenever you need them.
• “Hash and salt” passwords. Hashing converts your password into a short string of letters or numbers, and salting adds random pieces of data before the hash. Password managers, like the one Aura offers, do this automatically.‍
• Secure your account with two-factor authentication (2FA). 2FA and multi-factor authentication (MFA) help lock down your accounts by requiring second or third authentication methods in addition to your password. To unlock your account, thieves not only need to know your password — they must also intercept a code sent to your phone or try to mimic your fingerprint or facial scan.

3. Freeze Your Credit With All Three Credit Bureaus

A credit freeze prevents anyone from accessing your credit file and is one of the best methods to stop scammers from opening new credit accounts or taking out loans in your name. 

To freeze your credit, contact each of the three major credit reporting agencies. Each will ask you to prove your identity and will then provide you with a PIN that you can use to freeze your account (and later “thaw” it if you need to apply for new credit). 

To thaw your credit freeze:

• Go to AnnualCreditReport.com to see which bureaus still have an active freeze.
• Or, you can contact each of the bureaus. Be ready to share your PIN, SSN, and other identity information.
  
  • Call Experian at 888-397-3742 or log in to your Experian account.
  • Call TransUnion 800-916-8800 or log in to the TransUnion Service Center. 
  • Call Equifax at 888-298-0045 or log in to your myEquifax account. 

Cover your bases with a ChexSystems freeze:

Though credit freezes prevent lenders from accessing your credit file, they don’t protect your banking history, and scammers may try to open new accounts in your name. A ChexSystems freeze stops financial institutions from approving checking, savings, and other banking services without your consent.

To place a ChexSystems freeze:

• Call ChexSystems (800-428-9623) or order and manage your freeze through an online account. You’ll need to submit your name, date of birth, SSN, address, and driver's license or state or military ID number.
• Wait to receive a PIN code in the mail.
• Use your PIN to unfreeze your ChexSystems report.

4. Request a Free Credit Report and Check for Fraud

Checking your credit reports can help you identify signs that you’ve been the victim of identity theft — such as incorrect information or new accounts that you don’t recognize. Every U.S. citizen is entitled to request a free credit report each week from all three credit reporting bureaus at AnnualCreditReport.com. 

Here’s what you should look for on your credit reports:

• Accounts or charges you don’t recognize – such as those from stores or companies from which you don’t make purchases. 
• Hard inquiries you didn’t request — such as lenders checking your credit for loan or mortgage approvals.
• Lines of credit you don’t remember opening – including utilities such as cable or phone.
• Incorrect balance details or missing payments.
• Errors in your personal information — such as your name, address, and other contact details.
• Account status issues — such as open accounts that should be closed, or if another person’s name has been added to an account.

When requesting your credit reports, you’ll need to share your name, SSN, and date of birth to verify your identity. If you moved in the past two years, you may also need to provide current and previous addresses.

5. File an Official Report With the FTC

An official identity theft report from the Federal Trade Commission (FTC) can be helpful to recover from identity theft or a data breach. Fill out the online form at IdentityTheft.gov to receive your FTC Identity Theft Report and a personalized recovery plan.

In some cases, filing an Identity Theft Affidavit may help support your fraud claim. You can use this document to dispute multiple fraudulent debts at one time without having to fill out separate forms for every institution.

Note: Don’t confuse this Affidavit with Form 14039 which is only for victims of tax-related identity theft who have received additional documentation from the IRS.

Filing a police report can also help your case, but law enforcement will only act if you have evidence to support an investigation. Bring credit card statements, receipts, collection letters, and anything else to help them find the identity thief.

6. Contact Your Bank and Any Other Impacted Company

Immediately contact the fraud department of any company where your identity or personal information was misused. Explain that you’ve been the victim of identity theft — and that any debts or accounts opened in your name must be removed and wiped from your credit history.

You may also need to contact government agencies where your identity was fraudulently used. For example:

• The IRS for tax-related fraud, such as a stolen or fraudulent tax return. If the IRS identifies a suspicious tax return, it will send you Letter 5071C, which asks you to verify your identity online. If you’ve been a victim of a data breach, you may receive Letter 5747C and be asked to verify your identity in person.
• Your state’s Department of Motor Vehicles (DMV) for a stolen driver’s license.
• The Postal Inspector, if you think someone has filed a change of address request or stolen your mail.
• The Social Security Administration (SSA) if someone claimed unemployment or other benefits.
• Medicare, your insurance provider, and your doctor if you notice discrepancies between your Explanation of Benefits (EOB) and claims paid or incorrect descriptions of services provided.

7. Monitor Your Credit

Most breach-affected companies tend to offer credit monitoring services to victims. However, not all credit monitoring services have the same depth of fraud alerts. Plus, accepting these kinds of offers can limit your options for joining class-action lawsuits in the future or seeking further compensation.

Instead, consider a service that offers a wide range of alerts like Aura. Aura monitors:

• Up to 10 email addresses
• Your phone number, driver’s license number, passport number, health insurance IDs, and SSN
• Attempts to “verify your identity”
• Modifications to your home title
• Court records for use of your identity during traffic violations, misdemeanors, or felony offenses
• Credit file inquiries

8. Also Consider Identity Theft Protection

69% of general consumers have been victims of an identity crime more than once. Identity theft protection services like Aura track your most sensitive personal information and financial accounts for early signs of fraud. Every breach notification comes with suggested next steps, helping you shut down scammers as quickly as possible.

Aura also protects your data from being stolen in the first place with antivirus software, a secure password manager, a virtual private network (VPN), Safe Browsing tools, and parental controls.

If you have any questions, Aura's 24/7 Fraud Remediation team can guide you. They not only offer expert advice but can also help you take advantage of Aura’s $1 million insurance policy that covers eligible losses due to identity theft, such as:

• Credit report and dispute costs
• Phone and mail costs
• Application re-filing costs
• Notary fees
• Child, spousal, and elderly care
• Lost wages

📚 Related: What To Do If You Receive a Data Breach Alert →

Other Ways To Check If You’ve Been the Victim of a Breach

Most people don’t realize their personal information has been compromised until they receive a notification from a breached company — or when they get scammed. To preemptively find out if you’ve been the victim of a data breach, you can: 

• Check for leaked passwords by using Aura’s free Dark Web scanner. Aura uses your email address to scan recent and known data breaches to see if your credentials have been compromised. 
• Double-check by using HaveIBeenPwned. This is another free data breach scanner that has limited capacity to check if your phone number was leaked in larger breaches. 

But these free options only go so far. A Dark Web monitoring service like Aura scans for all forms of your sensitive information online, including:

• Passwords
• SSNs
• Passport numbers
• Driver’s license numbers
• Medical records
• Financial information
• Home titles

But Aura’s coverage doesn’t stop there. Aura also watches your credit score, bank accounts, social media, and public records for suspicious activity and lets you know about potential fraud up to 250x faster than competitors.³