It seems like there’s a new data breach every week. Whether it’s an insurance company with millions of customers or a major credit bureau with data on everyone, your personal devices don’t even have to be breached for your data to get lost. But then, every time you overshare on social media or use the same password for more than one account, you up your chances. Even worse, once your data is in the wild, a hacker could access your email or drain your bank account before you even notice the damage. So what do you do if the worst happens?
Have You Already Been Hacked?
Last year, National Public Data leaked billions of personal information records, including social security numbers. Regulators punished the company with a $46,000 fine, but those records remain exposed. More targeted breaches exposed data for Home Depot employees, and for teachers and students connected with PowerSchool online education.
When a major hack attack or data breach occurs, it’s all over the news. Frequently, the affected service spins up a web page where you can check whether you were a victim. And you will be a victim, if not this time, then the next. The only upside is that you’re one among possibly millions, so the hackers might never get around to weaponizing your details.
Don’t imagine that you can prevent a breach. The antivirus running on your computer is utterly powerless against a security attack on a remote server. If you lost a crypto fortune in the hack attack on Atomic Wallet, there’s nothing any software on your local computer could have done about it.
Not every hack starts with a well-publicized data breach. A shady online merchant, a credit card skimmer, or even a dishonest waiter in a high-end restaurant could compromise your credit card. The first clue may be unexpected charges appearing on your credit card bill. Always read those bills and determine what every line means, even the small charges. Card thieves occasionally make a few small purchases to ensure the card is “live” before making a big purchase. You can use a personal finance service, like NerdWallet or Quicken Classic, to monitor all your credit card transactions from one place.
Banks are good at fraud detection these days. There’s a good chance you won’t learn about a compromised card until after the bank declines the charges and starts the process of issuing a new card. Getting a new card is a pain, as any automatic payments you’ve configured need the new card number. Still, it’s better than letting hackers buy something expensive with your credit.
Credit card numbers aren’t the only kind of data that hackers can misuse. Scammers can use a compromised email account to broadcast spam or to send targeted email scams to your contacts. Your first clue might be worried phone calls from friends asking if you’re truly stuck in a Dubai airport with no cash or irate messages from those “you” have spammed with annoying ads.
The antivirus running on your computer is utterly powerless against a security attack on a remote server.
An identity thief can also use your personal information to open credit accounts, accounts you know nothing about. You might only find out about those accounts when a merchant slams the door on your request to open a new line of credit yourself. Cagey consumers use AnnualCreditReport.com to request a free report from Equifax, Experian, and TransUnion once per year, spreading the requests out at four-month intervals. Yes, Equifax experienced a major breach in 2017 and had to pay $650 million in damages for its negligence, including free credit monitoring or a $125 minimum payout for anyone affected. But you were affected regardless of whether you checked your credit with Equifax.
We appreciate Credit Karma’s ability to pull your credit from TransUnion and Equifax weekly so you can keep an eye on your credit. These are “soft” inquiries, not the “hard” inquiries that companies make when you apply for more credit. Hard inquiries can erode your credit score; soft inquiries do no damage.
It’s Surprisingly Easy to Be More Secure Online
A change in your credit score is like a ripple in a pond, where the actual misuse of your credit is the rock that made the ripple. Services like Bitdefender Digital Identity Protection and IDX Complete aim their sights at those rocks. They regularly monitor the dark web to ensure your personal data isn’t for sale. Norton 360 Deluxe includes a similar scan, partly powered by the company’s LifeLock identity theft remediation technology.
Breach monitoring is also a bonus in some password manager tools, notably Keeper and Bitwarden. The connection makes sense because the first thing to do when a site suffers a breach is to change your password for that site. With the password manager’s help, you can change it to a strong, unguessable password you don’t use for anything else.
How to Recover When Your Data Leaks
A compromised credit card may be the easiest hack to overcome. You’re not responsible for the fraudulent charges, and once the bank issues a new card, the problem is solved—well, except for the need to update your payment information anywhere you saved the old card.
Regaining control of a hacked email account can be trickier. You have to contact the email provider to prove you’re the account holder. Of course, if the hacker changes your password, you can’t use your regular email to contact the provider. It’s important to have multiple email addresses and make each the alternate contact address for the other. Just be very sure you don’t use the same password for both.
Many websites force you to use your email address as the username for your account. That’s certainly easier than making you choose (and remember) a unique username and a unique password for every site. But if you used the password from your hacked email account at any other sites, those accounts are now compromised too. A hacker who gets hold of your login credentials for one site will invariably try the same username and password pair on dozens of other popular sites.
Our Favorite Password Managers
A compromised email account can still be a huge problem, even if you don’t use duplicate passwords. Think about this: If you forget a website password, what do you do? Right—you click to get a password reset link sent to your email address. A smart hacker who has control of the email account will quickly seek your other accounts, social media, perhaps, or worse, shopping and banking accounts. After a simple password reset, the hacker owns those accounts, too.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
After recovering from an email account takeover, you should visit every site associated with that email address and change your password. A powerful password manager is an absolute must.
How to Protect Yourself From Identity Theft
Full-on identity theft can be a nightmare. Victims often spend thousands of dollars over weeks and months trying to get their online identities and lives back in their control. The Federal Trade Commission offers an excellent advice site with full details on how to proceed with recovery. Among other things, the site suggests that you order your credit reports so you can see what’s happened and make an official identity theft report with the FTC.
The site then specifies absolutely everything you need to do, step-by-step. It includes checklists to ensure you didn’t miss any tasks, as well as sample letters and forms. You won’t go wrong relying on this helpful resource.
The Best Identity Theft Protection Software
You’ve seen the ads for third-party identity theft remediation services. These can help, but only if you have their protection in place before something drastic happens. It’s not unlike an insurance policy—you pay for the protection but hope you’ll never have to use it. Adding such a service to your monthly bills won’t clean up the breach you suffered, but it should help the next time. And the best ones bundle a security suite or similar device-level protection.
How to Protect Yourself From Future Breaches
According to expert surveys, all too many victims of exposure in a data breach do nothing at all. Of those who do take action, the majority just change their password on the hacked site. Simply reacting (or not reacting) like this won’t change anything. How can you proactively make sure you don’t get hacked or don’t get hacked again?
Recommended by Our Editors
Each major breach triggers a spate of articles exhorting you to freeze your credit, set up a fraud alert (meaning that you’ll need to go through extra verification steps to open a new account), and so forth. You should consider such modifications to your credit-using life as permanent. After all, the next big breach is just around the corner; in fact, it may have already happened. The actual breach in the Equifax case occurred months before it was discovered.
Regarding credit cards, there’s not much you can do other than avoid shopping at shady retailers, real-world or online. Modern chipped credit cards secure in-person transactions thoroughly, but they can’t help with card-not-present online transactions. In theory, all merchants should have switched to chipped cards in 2015, but you’ll still find some that use swipe-only card readers.
Mobile-based payment systems, such as Apple Pay and Google Pay, are more secure than physical credit cards. Each transaction uses a unique number, so hackers gain nothing by stealing existing transaction data. You can also use the mobile payment system for online purchases. Just protect your mobile device with a fingerprint or a strong passcode, and always keep it with you.
Poorly secured websites can expose your email address and perfectly strong password to hackers, but using a bad password leaves your account open to a simple brute-force attack. Use a strong password for your email account and a different strong password for every other account or secure site. Yes, you need a password manager to manage all that, but you don’t have to pay. The best free password managers are quite effective.
Simple Tricks to Remember Insanely Secure Passwords
On some sites, you can request a password reset by answering a few simple security questions. The problem is, in most cases, the bad guys can find the answers to those questions online in seconds. If you’re allowed to define your own security questions, do so, and choose strong questions—ones only you could answer.
If you’re forced to choose from lame questions like your mother’s maiden name, don’t use a truthful answer. Pick a false answer that you’ll remember: My mother’s maiden name is Obama. I graduated from Communist Martyrs High School. That sort of thing. I’d suggest storing your false answers in your password manager’s notes field. Of course, if you were using a password manager, you wouldn’t have needed a password reset in the first place.
The Best Personal Data Removal Services
Sometimes, your personal data is out there for all to see, with no chance to hide it. Real estate transactions, for example, are a matter of public record. Data brokers scour the web for public information and create a profile they can sell to advertisers—or identity thieves. Gathering data and aggregating it into profiles is perfectly legal, but the brokers are also legally bound to remove your data if you ask. Optery is a service that checks hundreds of brokers for your information and explains how to remove it. For a fee, Optery handles removal for you. Privacy Bee checks even more sites than Optery and takes care of removals automatically.
As for protecting against full-scale identity theft, there are some things you can do to stymie identity thieves. Never fill out any information on web forms beyond what is absolutely necessary. If something is required but irrelevant, like your street address on a site that doesn’t ship things to you, make something up! Get an inexpensive shredder for paper bills and statements. Review all account statements, and make use of your free credit reports. Support all your efforts by installing a powerful security suite. And consider the possibility of upgrading to a security suite that has identity theft protection features.
Don’t Wait for a Breach—Act Now
Minimizing the fallout from those inevitable data breaches isn’t effortless. You need to take what steps you can and remain vigilant. That said, the effort involved is vastly less than the Herculean task of picking up the pieces after hackers manage to steal your identity.
About Neil J. Rubenking
Principal Writer, Security
