What to Do After a Data Breach (2026)
Immediate steps
- Find out what was exposed (passwords, SSN, card numbers, address) — risk depends on the data type.
- Change the password on the breached account and anywhere you reused it; enable 2FA (prefer an authenticator app).
- If a password was exposed, treat it as compromised everywhere you reused it.
- Place a fraud alert and consider a credit freeze if SSN/financial data was exposed.
- Watch for phishing that references the breach.
Evidence preservation
Keep the breach notification letter/email and note the date and what data was involved. Save records of any fraudulent activity for disputes.
Where to report
| Entity | Contact | What to report |
|---|---|---|
| FTC IdentityTheft.gov | https://www.identitytheft.gov | If breached data is actually used to commit fraud (creates a recovery plan / Identity Theft Report) |
| Affected company | Company's breach response / fraud line | Account compromise; request account lock or reset |
| FBI IC3 | https://www.ic3.gov | If money moved, an account was taken over, or a crime is underway |
Removal actions
- Check exposure at Have I Been Pwned (haveibeenpwned.com) and sign up for breach alerts.
- Rotate credentials and close unused old accounts that may carry your data.
Prevention and follow-up
- Freeze your credit at all three bureaus (free under federal law).
- Use unique passwords via a password manager; enable 2FA broadly.
- Be skeptical of paid 'dark web removal' offers — you generally cannot delete leaked data; focus on credential rotation, freezes, and broker removal.
- Reduce future exposure by removing yourself from data brokers.
Legal context
Federal law makes credit freezes and fraud alerts free at all three nationwide credit bureaus, and the FTC's IdentityTheft.gov generates an Identity Theft Report that carries legal weight (including the right to have fraudulent accounts blocked from your credit file). State breach-notification laws require companies to notify affected consumers. This is general information, not legal advice.
Key mistakes to avoid
- Reusing the breached password elsewhere.
- Ignoring a breach notice because 'nothing happened yet.'
- Paying scammy services that promise to 'erase' your data from the dark web.
- Skipping a credit freeze when your SSN was exposed.
How Delist helps
Breached data becomes far more dangerous when it can be linked to your current address, phone, and relatives — exactly what people-search sites publish. Removing yourself from data brokers makes leaked records harder to weaponize. delist.ai handles those removals continuously.
Find out what personal data is exposed about you online.
Run a free scan →Frequently asked questions
Is this illegal?
How do I prevent this from happening again?
Should I contact the police?
Can Delist help with this?
Sources
- FTC identity-theft recovery process and rights
- Free credit freeze rights and bureau timelines
- How HIBP breach checking works
This guide provides general information for informational purposes only and is not a substitute for professional legal, medical, or safety advice. If you are in danger, contact emergency services immediately.