
The letter usually opens the same way: “We are writing to inform you of a security incident that may have involved your personal information.” Somewhere below that sentence is the part that matters, a list of exactly what was exposed. Name and email? Annoying. Social Security number, date of birth, or bank account details? That deserves two days of focused attention, and almost everything worth doing costs nothing.
The stakes are not theoretical. Americans reported losing more than $12.5 billion to fraud in 2024, a 25 percent jump over the prior year, according to the Federal Trade Commission, and the same year brought more than a million identity theft reports through the agency’s reporting site. Stolen breach data feeds much of that. Here is how to spend the first 48 hours after the envelope arrives.
Hour one: read the letter like a claims adjuster
Identify three things: what data was taken, when the breach happened (it is often months before the notice), and what the company is offering, typically free credit monitoring. Keep the letter. It is your proof of exposure if you later need to dispute fraudulent accounts, and the enrollment code for the free monitoring usually expires.
One caution before you act on anything in it: criminals send fake breach notices too, by mail, email, and text, hoping you will call their number and “verify” your Social Security number. If a notice asks you to provide personal information or payment to receive protection, stop. Look up the company’s official website yourself rather than using links or phone numbers in the message, and check the FTC’s guidance at IdentityTheft.gov, the government’s one-stop identity theft site.
Same day: freeze your credit at all three bureaus
If your Social Security number or date of birth was exposed, the single most protective step is a credit freeze, which blocks lenders from pulling your file and therefore blocks most new accounts from being opened in your name. Under federal law, freezes are free at all three bureaus, Equifax, Experian, and TransUnion, and you can place, lift, and remove them online in minutes. A freeze does not touch your credit score, your existing cards, or your ability to use credit you already have. You simply thaw the file, also free, when you genuinely apply for something.
A lighter alternative is a fraud alert, which is free, lasts one year, and requires only one bureau (it must notify the other two). An alert tells lenders to verify your identity before extending credit, but it does not block the pull the way a freeze does. For an exposed Social Security number, the freeze is the stronger tool, and there is no rule against using both.
Day one: change the passwords that matter, in order
Start with the breached account itself, then any account that shared the same password, then the accounts a thief would want most: your email (because password resets flow through it), your bank and brokerage, and your phone carrier account (because SIM swaps intercept the texted codes that protect everything else). Turn on two-factor authentication everywhere it is offered, preferring an authenticator app over text messages where you can. If the breach included financial account numbers, call the bank, ask for new card or account numbers, and set up transaction alerts while you are on the phone.
Day two: pull your reports and set a watch schedule
You do not need to buy monitoring to monitor. Everyone is entitled to free credit reports every week from all three bureaus through AnnualCreditReport.com, the only source authorized by federal law. Pull all three and read them for accounts you do not recognize, hard inquiries you did not trigger, and addresses that are not yours. Then put a recurring reminder on the calendar, monthly is plenty for most people, and keep doing it, because breach data is often sold and used long after the headlines fade.
If the exposed data included your Social Security number, take one more free step: request an Identity Protection PIN from the IRS. An IP PIN is a six-digit code that prevents anyone else from filing a federal tax return under your number, which is one of the most common and slowest-to-unwind forms of identity theft.
If you find actual fraud
Go straight to IdentityTheft.gov and file a report. The site generates a personal recovery plan and an official FTC Identity Theft Report, which is the document that gives you legal leverage: it entitles you to have fraudulent accounts blocked from your credit reports and debts you did not incur removed from collection. Dispute unauthorized charges with the bank or card issuer promptly, in writing, and keep copies of everything, with dates.
What not to bother with
Do not panic-buy an identity protection subscription in the first 48 hours; the breached company is usually offering monitoring free, and the freeze you placed yourself does more than most paid products. Do not close old credit cards in a burst of caution, which can dent your credit score without adding safety. And do not assume silence means safety. The absence of fraud this month is not evidence the data was never used; it is evidence your watch schedule matters.
A breach notice is a chore list, not a catastrophe. Freeze, change, watch, document. Two focused days now beat two chaotic years later.
This article was produced with AI assistance and reviewed by a human editor. Figures are linked to their primary sources; where a claim could not be verified from the public record, we say so.

Leave a Reply