You Got a Breach Notification. Now What?

Getting a data breach notification is unsettling. Your first instinct might be to panic, or to ignore it and hope for the best. Do neither.

Most breach damage happens not in the first minutes, but in the days and weeks after, when exposed credentials get sold, tested, and used. That window is where you have real power to act. This checklist covers exactly what to do in the first 24 hours.

Step 1: Find Out What Was Exposed

Before you do anything else, read the breach notification carefully. Companies are required to tell you what data was compromised. Look for:

  • Email address - almost always exposed
  • Password - whether it was hashed or stored in plaintext matters; assume the worst
  • Phone number
  • Payment card details
  • Social Security number or government ID
  • Home address or date of birth

The more sensitive the data, the faster you need to move. A leaked email alone is manageable. A leaked SSN plus password is a different situation entirely.

If you're unsure whether your email appeared in a breach, check it at haveibeenpwned.com. It's free and reliable.

Step 2: Change Your Passwords Right Now

If your password was part of the breach, change it immediately on the affected site. Then check every other account where you used the same password and change those too.

This is where most people are most exposed. Reusing passwords across sites means 1 breach can compromise 10 accounts.
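
One way to find every account that shares the breached password, shown here as an added example that is not part of the original article. It assumes a password-manager CSV export with the columns name, url, username and password; the sample rows are constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export. The column names
# (name, url, username, password) are an assumption; adjust to your export.
EXPORT = """\
name,url,username,password
Example Shop,https://shop.example,me@example.org,Tr0ub4dor&3
Example Forum,https://forum.example,me@example.org,Tr0ub4dor&3
Example Bank,https://bank.example,me@example.org,k9#Vq2!xLw8@pZr4
Example Mail,https://mail.example,me@example.org,Tr0ub4dor&3
Old Blog,https://blog.example,me,
"""


def _digest(password):
    # Group by hash so plaintext passwords never appear in the report.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_groups(export_text):
    """Map password digest -> names of the entries that share that password."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["password"]:  # skip entries with no saved password
            groups[_digest(row["password"])].append(row["name"])
    return groups


def accounts_to_change(export_text, breached_site):
    """Breached site first, then every other account using the same password."""
    for names in reuse_groups(export_text).values():
        if breached_site in names:
            return [breached_site] + sorted(n for n in names if n != breached_site)
    return []


def all_reuse(export_text):
    """Every set of two or more accounts that share one password."""
    return [sorted(n) for n in reuse_groups(export_text).values() if len(n) > 1]


if __name__ == "__main__":
    print("Change now:", accounts_to_change(EXPORT, "Example Shop"))
```

An exported CSV holds every password in plaintext, so delete the file as soon as the check is done.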

Going forward:

  • Use a unique password for every account
  • Make passwords long and random (a password manager handles this for you)
  • Enable two-factor authentication (2FA) on every account that supports it, especially email, banking, and social media

Step 3: Secure Your Email

Your email account is the master key to everything else. If someone gets into it, they can reset passwords on every other account you own.

Do this immediately:

  1. Change your email password to something new and unique
  2. Check your account's active sessions and sign out any you don't recognize
  3. Review your recovery options (backup email, phone number) and make sure they're still yours
  4. Turn on 2FA if it isn't already active

If your email address itself was exposed, consider using masked emails for future signups. A masked email forwards to your real inbox but keeps your actual address private. If one masked address gets breached, you disable it and create a new one. Your real email stays clean.

Step 4: Lock Down Your Payment Cards

If payment card details were part of the breach, contact your bank or card issuer immediately and request a new card number. Most banks will do this without question.

Even if cards weren't directly exposed, watch your statements closely for the next 30 days. Fraudsters often wait a few weeks before testing stolen card details.

A smarter long-term move: use virtual payment cards for online shopping. A virtual card is a temporary card number tied to your real account. You can set spending limits, restrict it to a single merchant, and cancel it instantly if something looks wrong. Your real card number never touches a merchant's database, so a breach at that merchant exposes nothing useful.

Step 5: Watch for Phishing Attempts

After a breach, expect phishing emails. Attackers buy breach data and immediately send targeted messages pretending to be the breached company, your bank, or a government agency.

These emails are more convincing than generic spam because they often include your real name, the company name, or partial account details from the breach.

Signs of a phishing email:

  • Urgency ("Your account will be suspended in 24 hours")
  • Links that don't match the sender's actual domain
  • Requests to verify your password or card number via email

Do not click links in any unexpected email right now. Go directly to the company's website by typing the address yourself.
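
The link-versus-sender check from the list above, as an added example that is not part of the original article. The sample message and all domains in it are constructed placeholders, and the urgency word list is an illustrative assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message (not a real email); all domains are placeholders.
SAMPLE = """\
From: Example Shop Security <alerts@example-shop.com>
Subject: Your account will be suspended in 24 hours
Content-Type: text/plain

Verify now: https://example-shop.com.account-check.example.net/login
Help pages: https://help.example-shop.com/breach-faq
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Illustrative urgency phrases (assumption); extend for your own mail.
URGENCY_RE = re.compile(r"suspended|in 24 hours|immediately|verify your", re.I)


def host_matches(host, sender_domain):
    """True only if host is the sender's domain or a subdomain of it."""
    host, sender_domain = host.lower().rstrip("."), sender_domain.lower()
    if not host or not sender_domain:
        return False
    # A host that merely *starts with* the brand name does not match.
    return host == sender_domain or host.endswith("." + sender_domain)


def review_email(raw):
    """Report link hosts that differ from the From: domain, plus urgency."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    body = msg.get_payload()
    hosts = [urlsplit(u).hostname or "" for u in URL_RE.findall(body)]
    return {
        "sender_domain": sender_domain,
        "mismatched_link_hosts": [h for h in hosts if not host_matches(h, sender_domain)],
        "urgent_wording": bool(URGENCY_RE.search(msg.get("Subject", "") + " " + body)),
    }


if __name__ == "__main__":
    print(review_email(SAMPLE))
```

The From: header can itself be forged, so a matching link is not proof that a message is genuine; a mismatch is simply a strong reason to distrust it.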

Step 6: Consider a Credit Freeze

If your Social Security number, date of birth, or government ID was exposed, place a credit freeze with all 3 major bureaus: Equifax, Experian, and TransUnion. It's free and it stops anyone from opening new credit in your name.

A freeze doesn't affect your existing accounts or credit score. You can lift it temporarily when you need to apply for credit.

Prevent the Next Breach From Mattering

Here's the honest truth: breaches will keep happening. The companies you sign up with will get hit, and there's nothing you can do to stop that. What you can control is how much damage a breach can actually do to you.

That's the idea behind Ivy by IronVest. Ivy gives you masked emails, masked phone numbers, and virtual payment cards so your real identity never reaches the sites most likely to get breached. When a site gets hit, attackers get a disposable address and a cancelled card number. Nothing that leads back to you.

Ivy also blocks phishing sites in real time, before you click, so the follow-up attacks that come after a breach don't land either. And biometric authentication replaces passwords as your master key, so there's no single password to steal.

Ivy Pro starts at $39/year. One prevented fraud incident covers years of that cost. Learn more at getivy.ai.

FAQs

How do I know if my data was actually exposed in a breach?
Check your email address at haveibeenpwned.com. You'll see a list of known breaches that included your address. Also read the official notification from the company carefully. They're legally required to tell you what categories of data were involved.

Should I change all my passwords after a breach, or just the one for the affected site?
Change the password on the affected site immediately. Then change it anywhere else you used the same password. If you've been reusing passwords across sites, treat this as the moment to stop and start using unique ones everywhere.

What is a credit freeze and does it hurt my credit score?
A credit freeze prevents lenders from accessing your credit report to open new accounts. It does not affect your credit score. It's free to place and lift at each of the 3 major bureaus, and it's one of the most effective steps you can take if your SSN was exposed.

How do virtual payment cards protect me after a breach?
Virtual cards generate a temporary card number for each transaction or merchant. If a merchant gets breached, the attackers only get that temporary number, not your real card details. You cancel the virtual card and create a new one. Your actual account is untouched.

What is a masked email and why does it help?
A masked email is a disposable address that forwards to your real inbox. You give it to websites instead of your real email. If that site gets breached or starts sending spam, you disable the masked address. Your real email address stays private and clean.

How quickly do I need to act after receiving a breach notification?
Act within 24 hours on the high-priority steps: change the compromised password, check for reuse on other accounts, secure your email, and alert your bank if payment data was involved. The faster you move, the smaller your exposure window.

Is it worth paying for a privacy app if I've already been breached?
The breach already happened, but future ones are coming. A tool like Ivy limits what future breaches can expose by replacing your real email, phone, and card details with disposable ones. You're not fixing the past. You're making the next breach irrelevant.

You can't stop companies from getting breached. You can stop those breaches from becoming your problem. Start with the steps above, and build habits that make your real information harder to reach in the first place.