It happened again. Another major web service lost control of its database, and now you’re scrambling to stay ahead of the bad guys. As much as we hate them, data breaches are here to stay. The good news is they don’t have to elicit full-blown panic no matter how sensitive the pilfered data might be. There are usually some very simple steps you can take to minimize your exposure to the potential threat.
Update 9/24/2018: Credit freezes are now free in the US (as is temporarily lifting them); we've updated Step 4 of our guide to reflect the new law.
Step 1: Determine the damage
The first thing to figure out is what the hackers took. If they got your username and password, for example, there’s little point in alerting your credit card company.
News articles and company statements should make it very clear what leaked. Was it just your email address, or was it your password data too? What about credit cards (if applicable) or personal data like private messages?
This is the first step in creating an effective recovery plan, but before you take any action there’s a critical follow-up question to ask.
Step 2: Can the bad guys use your data?
Hackers take data all the time, but many times the stolen data is unusable thanks to security practices that include terms like “hashed,” “salted,” and “encrypted.” If the data is in the form of “cleartext,” that means no cryptography has been used, and it’s just as easy to read and manipulate as a Word document or a regular email message.
Hashed data, on the other hand, is data that has been scrambled in a such a way that you cannot decode it back to plain text. Hashing is often used for password databases, for example.
Not all hashing methods are equal, however, and sometimes they are reversible. As a second line of defense, a company may add what’s called a salt—random data—to make decoding harder. The bottom line with hashing is that you’ll need to probe a bit further to see whether the company believes the data is usable or not.
Finally, encryption is supposed to be a two-way scrambling process that only allows someone with the “key” (usually a password or password file) capable of decoding the data.
Even if hackers took data that is hashed or encrypted, sometimes companies will advise changing your password regardless, just to be safe.
Step 3: Change that password
If you need to change your password then be proactive. Change your password right away, and don’t wait for a warning email or message from the company, if possible.
If you’ve been using that same password on other sites change it there as well. A single data breach can easily take down other accounts if you’re reusing passwords. Don’t do that.
Step 3a: Start using a password manager
Now is a great time to start using a password manager if you aren’t already. These programs can create new, hard-to-guess passwords and save them for every online account you have. They also protect your passwords with encryption, and (typically for a fee) make them available across all your devices.
Step 3b: Put an extra lock on your accounts with 2FA
Passwords just aren’t enough anymore, which is why it’s also a good idea to enable two-factor authentication (2FA) on any of your accounts that support it. Two-factor authentication means your web service will require a secondary, six-digit code before permitting access to your account—even with the right password.
This is a great way to slow down the bad guys. Unfortunately, it also has the same effect on you. Most services only require a 2FA code every 30 days per device, or in some cases just once on a single browser from a single device. So it’s not too terrible.
The best way to use two-factor authentication is with an app or device dedicated to generating these codes. Receiving SMS codes is not advised, because they are vulnerable to a variety of relatively trivial attacks.
If you need help picking a two-factor authentication app check out our roundup of the best 2FA apps.
Step 3c: Create a dedicated password recovery email
Many websites allow you to set a specific recovery email address that is separate from your main account email. This is the email address where you get links to reset your password after clicking the “Forgot password?” link on a website.
It is best to have a specific email address that is only for account recovery emails and is not connected to your identity—if your Gmail is JAndrews don’t use JAndrews@outlook.com, for example. If you use your regular email for account recovery, hackers can target that email address, and, if they compromise it, take over your online life.
As with any other email account, make sure your recovery mail is protected with a hard to guess password and two-factor authentication.
Step 4: Contact your credit card provider
If your credit card number was compromised then you need to alert your bank or credit card provider. If it was a particularly large breach, there’s a good chance your bank already knows about it, but it’s still a good idea to let them know you were hit.
You want to make sure you talk to a representative, and tell them what’s happened. The company will likely cancel your card and issue a new one.
Don’t wait on this one. Notify your bank or credit card company right away to ensure you aren’t held responsible for any fraudulent charges. If a debit card number was stolen, this step is doubly important. Not only because that means cash will be leaving your account with every bad charge, but also because debit cards don’t have the same recovery protections as credit cards.
Step 4a: Take action with the credit bureaus
Get a fraud alert on your credit record with the three major credit bureaus: Equifax, Experian, and TransUnion. You can also go a step further and put a free credit freeze on your records, which prevents anyone from opening an account using your name and social security number. (That includes you as well—but you can temporarily lift the freezes with no charge, too.)
Take advantage of your right to an annual free credit report from each of the three reporting companies. By staggering the reports, doing one every four months, you can keep an eye on your credit rating throughout the year.
Step 5: Consider burner cards
Another good move is to go with limited-use burner debit cards that are connected to your actual bank account, but aren’t your actual debit cards. Privacy.com allows you to do this, and it’s a great way to protect yourself. Instead of using your actual card number, you can use burner cards with all kinds of limits on them such as a card that’s only for Netflix, or cards limited to a maximum of $100. You can even create a one-time-use card for a major purchase. It’s a very handy service, and if your burner card ever leaks you can just delete it and start over.
Major database breaches suck, but they are a regular occurrence, meaning it’s not a matter of if you’ll get hit, but when. The good news is that being a little bit proactive can help avoid the headaches that come from identity theft.