I got a data breach alert. What next?

By alatalo

So you received a data breach alert from a monitoring service such as Have I Been Pwned or Badrap.io and are wondering what to do next? Look no further, let’s sort it out together!

First things first: Log in to the service that leaked the data and change your password. Even if you’re not certain that passwords were leaked in this particular breach, it’s is a safe and reasonable first step.

Start digging up more information about the data breach. Try to find answers for the following questions:

  • What data was leaked?
  • Were passwords or usernames leaked?
  • Were security questions and answers leaked?
  • When did the data breach happen?
  • How old was the data?

Now you have a rough idea of the extent of the breach. Try to think what another person could do with that information.

Try to think what the perpetrator could do with the leaked information.
Data breach email alerts may look intimidating. Calm down, grab a cup of coffee or tea and sort out your thoughts before jumping to action.

If your email account password was the same as the password in the data breach, change it now.

With access to your email inbox, the perpetrator can reset and change your passwords to all the other online services you use, including Facebook, Netflix and Google. They will be able to take control of your entire online life, conveniently from a single place. This is why your email inbox is the Crown Jewel and needs strong protection.

Add a strong, unique password to your email account. More and more services offer two factor authentication, often shortened as 2FA. Enable it whenever possible — See e.g. Google’s and Facebook’s instructions. Add emergency contact information so that you can get your account back, should something happen.

With access to your email inbox, the perpetrator is able to take full control of your online life.
When someone gains access to your email inbox, you may end up losing access to all your online accounts.

If you use only a handful of different passwords or they are very similar to each other, you need to start changing all of them now. Start from the services having the same exact password that was leaked.

Next, change all the other passwords too, even if they were not involved in this data breach. Leaving them be is a disaster waiting to happen. It’s a tedious job, but worth it in the end and will get easier after the initial plunge.

From now on, start practicing better password practice. Take a Password Manager software into use. These include Chrome’s and Firefox’s built-in password managers and Mac OS X KeyChain Access. Also Apps such as 1Password, LastPass, KeePass are as good as any. Generate strong, hard-to-guess and unique passwords for each service. Add two factor authentication wherever possible.

Recycling is not for passwords. Use a unique password for each online service.

If your work user account or work email had the same password as the breached service, contact your company’s IT support for assistance. They may want to monitor your account for any unauthorised access attempts and review whether the account was accessed suspiciously.

Don’t hesitate or be embarrassed, just ring them up! It’s not your fault if an online service had a data breach and your password happened to leak out. Best of all — Now that you know passwords can leak, you know better next time and can start using unique passwords for all the services.

Don’t forget to change your work password to a unique and strong one.

Contact your company IT if your work email password leaked.

Practicing good online hygiene when giving any personal information to a service is a good idea. Give as little as possible and be conscious whenever entering information. Try to be aware in what data you are providing at all times. Ask yourself: “What could happen if this data would leak?”

  • What kind of information had you given to the service? Personal details, photos, credit card numbers..
  • What kind of data had the service collected from you?
  • Was there data about other people than you? Your kids, friends, their email addresses, photos?

Remove unnecessary personal details such as your birthday and home address. Ask yourself why the service needs to have it? For age verification? Birthday notifications? “January 1st, 1900" will do just fine in many cases.

If credit card details were involved, contact your bank. The bank will probably want to cancel the card as a precaution. There might be a small fee involved, but that’s better than the alternative. In the future, do not give out your credit card details to individual services to store in their databases. Instead, use a commonly known payment transaction service with a good reputation whenever the service supports it. These include PayPal, Stripe and Amazon Pay.

Inform your loved ones if any of their personal details were involved. Remove such data if possible and avoid giving it in the future.

Start practicing strict online hygiene. Try to be aware what data you are providing at all times.

Educate others. Tell the story and get them onboard with better password practices and online hygiene. Get them to monitor for data breaches. Be a mentor.

Tell the story and be a mentor in online hygiene.

With Badrap.io you can monitor data breaches for multiple email addresses such as your personal and work emails from a single Badrap.io account. Add in the emails of your loved ones; e.g. kids and mom to get notified if their emails are involved in a data breach.

Badrap.io also sends automatic notifications if your network IP addresses can be found from Internet security researchers’ lists of vulnerable devices.