That sinking feeling in your stomach is unmistakable. You’ve received an email, seen a news headline, or logged into a service only to be greeted by a notification: your data has been compromised in a breach. In an era where our lives are digitally intertwined, this news can feel like a digital home invasion.
Panic is a common first reaction, but a clear, methodical response is your strongest defense. The actions you take in the immediate aftermath can significantly mitigate the potential damage, from financial fraud to identity theft. This guide is your emergency action plan. Follow these seven steps to regain control and secure your digital identity.
Step 1: Verify the Breach (But Don’t Click the Link)
Before you do anything else, confirm the data breach is real. Scammers often exploit the news of a large breach by sending out fake notification emails—a practice known as phishing. These fraudulent emails are designed to trick you into clicking malicious links or “verifying” your credentials on a fake website, which only worsens the problem.
Never click on links within a potential breach notification email. Instead, open a new browser window and navigate directly to the company’s official website. Look for an official statement on their homepage, blog, or a dedicated security announcements page. You can also search for the company’s name plus “data breach” in a trusted search engine to find reports from reputable news sources.
Step 2: Change Your Password Immediately
Once you’ve confirmed the breach, your first tactical move is to change your password on the affected service. If the breached account is high-value—like your primary email, banking, or a major social media platform—this step is non-negotiable and time-sensitive.
When creating a new password, ensure it is both long (at least 12-16 characters) and complex, using a mix of uppercase letters, lowercase letters, numbers, and symbols. Avoid using personal information like birthdays or family names. Better yet, use a password manager to generate and store a unique, randomized password for every single one of your accounts.
Step 3: Enable Multi-Factor Authentication (MFA)
A strong password is a lock, but Multi-Factor Authentication (MFA) is the deadbolt. MFA requires a second piece of information to log in, such as a code sent to your phone or generated by an authenticator app. This means that even if a criminal has your password, they cannot access your account without physical access to your second factor (e.g., your phone).
If you haven’t already, enable MFA on every critical account that offers it, especially your email, financial accounts, and social media. This single action is one of the most effective ways to protect your accounts from unauthorized access.
Step 4: Review Financial Statements and Credit Reports
Your data is a commodity for criminals, often sold on the dark web to be used for financial fraud. Proactively scan your bank and credit card statements for any transactions you don’t recognize, no matter how small. Scammers sometimes test stolen card details with tiny purchases before making larger ones.
You should also obtain a copy of your credit report. In Canada, you can request free copies from the two national credit bureaus, Equifax and TransUnion. The Government of Canada provides a central resource on how to order your credit report. Review it carefully for any new accounts, loans, or credit inquiries that you did not authorize.
Step 5: Place a Fraud Alert or Credit Freeze
To add a powerful layer of proactive defense, consider placing a fraud alert or a credit freeze on your file by contacting Equifax Canada and TransUnion Canada.
- Fraud Alert: This requires potential lenders to take extra steps to verify your identity before issuing new credit in your name. A fraud alert is free and typically lasts for one year. You only need to contact one of the national credit bureaus, and they are required to notify the other.
- Credit Freeze: This is a more drastic measure that restricts access to your credit report entirely, making it very difficult for anyone—including you—to open a new line of credit. A freeze remains in place until you temporarily or permanently lift it.
Step 6: Be Vigilant About Targeted Phishing (Spear Phishing)
After a breach, criminals have more than just your password; they may have your name, email, phone number, and home address. They will use this information to craft highly convincing and personalized phishing emails, known as spear phishing.
Be extra suspicious of any unsolicited email or text message that uses your personal information to create a sense of urgency or legitimacy. They might reference the breach itself, pretending to be from the compromised company and offering help. Remember the rule from Step 1: never click on links or download attachments from an unexpected source.
Step 7: Audit Your “Digital Blast Radius”
This is the most crucial, and often overlooked, step. Do you reuse passwords? If the password for the breached service was used on any other site, you must assume those accounts are now compromised as well.
Systematically go through all of your online accounts. Use the “Forgot Password” feature on a site if you can’t remember whether you have an account there. Prioritize changing passwords on accounts that hold sensitive personal or financial information. This is a tedious process, but it’s the only way to contain the damage and prevent a single breach from becoming a cascade of compromised accounts. A password manager is an invaluable tool for this audit.
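As an added illustration of the Step 7 audit (this script is not part of the original article), the following Python code reads a password-manager CSV export, finds every password used on more than one account, and lists which other accounts share the breached service's password, putting email and financial accounts first. The CSV column names, the sample entries and the keyword list used to flag sensitive accounts are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a password-manager export (name,url,username,password).
# Every account and password here is made up for the example.
SAMPLE_EXPORT = """name,url,username,password
ExampleShop,https://shop.example,alice@example.com,Winter2023!
Primary Mail,https://mail.example,alice@example.com,Winter2023!
Bank,https://bank.example,alice,7b#Qz9!mL2@rT4w
Forum,https://forum.example,alice_f,Winter2023!
Streaming,https://video.example,alice@example.com,Kx2!pQ8&mN4zR1v
"""

# Assumed keywords that mark an account as high-value (email, finance).
SENSITIVE_KEYWORDS = ("mail", "bank", "finance")


def load_entries(text):
    """Parse the export text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reuse(entries):
    """Map each password used on more than one account to those account names."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in groups.items() if len(names) > 1}


def blast_radius(entries, breached_name):
    """Other accounts sharing the breached account's password, sensitive ones first."""
    by_name = {entry["name"]: entry for entry in entries}
    breached_pw = by_name[breached_name]["password"]
    affected = [e["name"] for e in entries
                if e["password"] == breached_pw and e["name"] != breached_name]

    def is_sensitive(name):
        haystack = (name + by_name[name]["url"]).lower()
        return any(keyword in haystack for keyword in SENSITIVE_KEYWORDS)

    # Sensitive accounts sort first (False < True), then alphabetically.
    return sorted(affected, key=lambda n: (not is_sensitive(n), n))


if __name__ == "__main__":
    rows = load_entries(SAMPLE_EXPORT)
    print("Reused passwords:", {pw: names for pw, names in find_reuse(rows).items()})
    print("Change first after ExampleShop breach:", blast_radius(rows, "ExampleShop"))
```

Run it against a real export only on your own machine, and delete the export file once the audit is done, since it holds every password in plain text.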
From Reactive to Proactive
Experiencing a data breach is a stressful but powerful learning opportunity. Use it as a catalyst to transform your approach to personal cybersecurity. By adopting tools like a password manager, enabling MFA everywhere, and regularly monitoring your accounts, you can move from a state of reactive panic to one of proactive, confident control over your digital life.