Data Breaches, Part II: Find out if you’ve been breached – and what to do about it
Recently, we explored data breaches – what they are, how they happen, and what kinds of information get exposed. As we mentioned then, it’s likely some of your own information has been caught in one of those data breaches. (If you somehow evaded the Experian credit bureau breach that caught 147 million Americans, the Target breach that caught 110 million shoppers, the Adobe breach of 156 million accounts, and the Home Depot breach of information on 56 million payment cards, you’re one lucky person – would you buy some lottery tickets for us?)
Seriously, though: the breaches are huge, and if you haven’t been caught yet, it’s probably just a matter of time. You should be notified if you’re caught in one, but sometimes notifications go astray, get buried in other messages, or simply get forgotten. So Step #1 is to check whether your data has been compromised.
Where to start
The best way we know: visit Troy Hunt’s website, haveibeenpwned.com. He’s been storing databases of compromised records for years – information he carefully verifies after receiving it from sources including the dark web, security researchers, news reporters, and occasionally the hackers themselves.
Enter your email address. If any of your accounts appear in a known breach, the site will list them, along with some details to help you determine how dangerous the breach was. (For example, a data breach that compromises your credit card or Social Security number is far more dangerous than one that simply provides a street address anyone could find in an old-fashioned phone book.)
If you don’t show up at all, you’ve escaped many of the worst data breaches. But that doesn’t mean you’re completely safe: there are obviously stolen databases Hunt doesn’t have. Conversely, you might find yourself listed several times, and he might report that you’re on some spam lists which aren’t related to any site you ever visited.
Separately, Hunt offers a page where you can enter passwords you use to see if they appear in the half-billion-plus passwords he’s found exposed in data breaches. For security reasons, he won’t tell you what breaches your passwords were part of. But if you’re still using those passwords anywhere, change them now: they’re definitely vulnerable.
When in doubt, change your password
In fact, change your password on any account you know has been hacked – whether you learned about it through haveibeenpwned.com, a formal notification, a news story, or any other way. While you’re changing your password, follow any other steps the site recommends to protect yourself. If they let you change your username, do that, too.
(Now’s a good time to remind you not to use the same password on multiple sites. Consider a password manager to handle all those new passwords we’re telling you to create – and if you use one, create a very strong master password that doesn’t show up on haveibeenpwned.com, and keep it safe!)
What if I’ve been compromised?
If you’ve been compromised on a financial services or e-commerce site, you may qualify for a year or more of free credit monitoring. On rare occasions, if a site has settled a lawsuit related to the data breach, you might be eligible for additional compensation. For example, some consumers hurt by the Equifax breach can grab a tiny piece of the $300,000,000 the company has set aside to compensate them.
If your credit card number has been stolen, request credit freezes with the Equifax, Experian, and TransUnion credit bureaus to make it harder for criminals to open new credit accounts in your name. If possible, close and replace compromised credit or debit card accounts – and closely watch any new statements to make sure no unauthorized transactions appear. Consider filing a police report, too.
If your child’s personal information has been stolen, freeze their credit, too – criminals will try to open new accounts in their name. (This is no joke: according to Javelin Strategy & Research, over 1 million children fell victim to identity theft or fraud last year, and two-thirds were seven years old or younger.)
Finally, if your Social Security number has been compromised, notify the IRS and Federal Trade Commission as well as the three aforementioned credit bureaus. And if possible, file your taxes early, before a cybercriminal has time to impersonate you.
These steps are a royal pain. The alternative – getting your accounts drained and your identity stolen – is a bigger one.