What to Do After a Data Breach: Hour-by-Hour Recovery Plan for 2026
First: Assess What Was Exposed
Not all data breaches are equal. Your response should match the severity of what was compromised. Here's the threat hierarchy, based on FTC recovery case data:
| Data Exposed | Risk Level | Response Urgency |
|---|---|---|
| Email + password | Moderate | Change passwords within hours |
| Name + address + DOB | Moderate-High | Enable monitoring within 24 hours |
| SSN exposed | Critical | Freeze credit immediately |
| SSN + DOB + name | Severe | Full response protocol — all steps below |
| Financial account numbers | Severe | Contact banks immediately + freeze |
| Medical records + SSN | Severe | Full protocol + notify healthcare providers |
Data point: A record 3,332 data compromises were identified in 2025, a 79% increase over the past five years. Two-thirds of those breaches involved Social Security numbers, and a third disclosed bank account numbers or driver's license numbers (ITRC 2025 Annual Data Breach Report).
The breach notification letter (or email) should tell you what was exposed. If it doesn't, assume the worst and execute the full protocol. According to the Identity Theft Resource Center, the average data breach exposes 3+ data types — it's rarely just one piece of information.
Key stat: the average American's personal data has been exposed in multiple separate breaches. With 232.7 million victim notices sent from 2025 breaches alone — plus 16 billion records in 2 massive incidents with no known notices — your SSN is almost certainly already in criminal databases. The question isn't whether your data is out there — it's whether you've built the defenses to make it unusable. Your risk level varies significantly by geography — check our identity theft rates by state to see where your state ranks.
Hours 0-4: Stop the Bleeding
Speed matters. FTC data shows that victims who take action within 48 hours of discovering identity theft lose 4x less on average than those who wait a week or more. Here's your first 4 hours:
Step 1: Freeze Your Credit (15 minutes)
If you don't already have credit freezes in place, do this first. It blocks the single most damaging category of fraud — new account openings.
- Equifax: equifax.com/personal/credit-report-services/credit-freeze/ or call 888-378-4329
- Experian: experian.com/freeze/center.html or call 888-397-3742
- TransUnion: transunion.com/credit-freeze or call 888-909-8872
Already frozen? Good — verify all three are still active. Our credit freeze guide has the full process for all 5 agencies including Innovis and NCTUE.
Step 2: Change Compromised Passwords (20 minutes)
Start with email — it's the master key that resets everything else. Then financial accounts, then everything sharing the same password as the breached service.
- Use your password manager to identify reused passwords
- Enable 2FA on everything you touch during this process — use authenticator apps, not SMS
- If you don't have a password manager, this is the emergency that justifies getting one today (Bitwarden is free)
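The Step 2 order, as an added example that is not part of the original guide: given a password manager export and the name of the breached service, the script lists which accounts to change and in what order, and reports every group of accounts sharing a password. The CSV column names, the `category` values and the sample rows are assumptions constructed for illustration; map them to your own manager's export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and categories are assumptions;
# map them to whatever your password manager actually exports.
SAMPLE_EXPORT = """name,username,password,category
Mail Provider,me@example.com,Tr0ub4dor&3,email
Breached Shop,me@example.com,Summer2024!,shopping
First Bank,me@example.com,Summer2024!,financial
Card Issuer,me@example.com,c0rrect-horse-battery,financial
Forum,me_handle,Summer2024!,other
Streaming,me@example.com,Tr0ub4dor&3,other
"""

# Step 2 order: email first, then financial, then anything sharing the
# breached password. Tier 2 is "everything else".
TIER = {"email": 0, "financial": 1}


def load_entries(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reuse_clusters(entries):
    """Group account names by shared password. Passwords are never returned."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    return sorted(sorted(n) for n in by_password.values() if len(n) > 1)


def rotation_plan(entries, breached_name):
    """Account names in the order to change them after breached_name leaks."""
    exposed = next((e["password"] for e in entries
                    if e["name"] == breached_name), None)
    if exposed is None:
        raise ValueError(f"{breached_name!r} not found in export")
    plan = []
    for e in entries:
        shares = e["password"] == exposed
        tier = TIER.get(e["category"], 2)
        if tier == 2 and not shares:
            continue  # not email, not financial, not reusing the leaked password
        # Within a tier, accounts reusing the leaked password come first.
        plan.append((tier, not shares, e["name"]))
    return [name for _, _, name in sorted(plan)]
```

The export file holds every password in plaintext, so work on it locally and delete it once the plan is done.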
Step 3: Contact Financial Institutions (30 minutes)
If financial account numbers were exposed:
- Call each bank and credit card issuer
- Request new account numbers and cards
- Set up transaction alerts for any amount over $0
- Ask about their fraud monitoring and zero-liability policies
Step 4: Check Your Credit Reports (15 minutes)
Pull your reports from AnnualCreditReport.com (free, all three bureaus, available weekly). Look for:
- Accounts you don't recognize
- Hard inquiries you didn't authorize
- Addresses that aren't yours
- Names or aliases you don't recognize
Step 5: Set a SIM Lock (5 minutes)
Contact your mobile carrier and set a port-out PIN or SIM lock. This prevents criminals from transferring your phone number to their SIM card — which would let them intercept SMS verification codes for your bank accounts. T-Mobile, AT&T, and Verizon all offer this feature through their apps or customer service.
Hours 4-24: Documentation
Once the immediate bleeding is stopped, documentation becomes critical. Everything from here on requires a paper trail.
Step 6: File at IdentityTheft.gov
The FTC's IdentityTheft.gov is genuinely one of the best government websites. It generates:
- An official FTC Identity Theft Report (this is your golden ticket for disputes)
- A personalized recovery plan with step-by-step instructions
- Pre-filled letters for creditors, bureaus, and debt collectors
The FTC report is legally significant — it triggers specific rights under the FCRA, including the right to have fraudulent information blocked from your credit report within 4 business days (vs. 30 days for standard disputes). This dramatically accelerates your recovery timeline.
Step 7: Place a Fraud Alert
In addition to your freeze, place an initial fraud alert. You only need to contact one bureau — they're legally required to notify the other two. A fraud alert lasts one year and requires creditors to verify your identity before opening accounts.
If you have an FTC Identity Theft Report, you qualify for an extended fraud alert lasting 7 years.
Step 8: Request Free Credit Monitoring
Most breach notifications come with an offer of free credit monitoring (typically 1-2 years). Take it — it's free data. But don't consider it sufficient protection on its own. Breach-offered monitoring is typically single-bureau and limited in scope. Layer it with your existing monitoring.
Step 9: Warn Your Contacts
If the breach exposed your email or social media accounts, alert your contacts that they may receive suspicious messages appearing to be from you. Phishing attacks that impersonate breached individuals are common in the days following a major breach.
Days 2-7: Containment
Step 10: Dispute Fraudulent Items
If you found unauthorized items on your credit reports, file disputes with each bureau. With an FTC Identity Theft Report, you have enhanced dispute rights:
- Bureaus must block fraudulent items within 4 business days (vs. 30 days for standard disputes)
- The burden of proof shifts to the creditor, not you
- Blocked items cannot be re-inserted without the creditor certifying the debt is valid
Use the pre-filled letters from IdentityTheft.gov. Send them via certified mail, return receipt requested. Keep copies of everything.
Step 11: Contact Fraudulent Creditors Directly
For each unauthorized account:
- Call the creditor's fraud department
- Inform them the account is fraudulent
- Request they close the account and stop reporting it
- Ask for a fraud affidavit form (or use the FTC's Identity Theft Affidavit)
- Request written confirmation that the account has been closed and the balance zeroed
Step 12: Additional Security Measures
- IRS Identity Protection PIN: Request one at irs.gov/identity-protection-pin to prevent tax identity theft
- SSA Account: Create or review your my Social Security account at ssa.gov — check for unfamiliar employment
- USPS Informed Delivery: Sign up to monitor mail (stolen mail is still a major vector)
- OptOutPrescreen.com: Opt out of pre-approved credit offers to reduce mail-based fraud opportunities
- Check haveibeenpwned.com: Enter your email to see all known breaches associated with it
Days 8-30: Disputes and Repair
This is the grind phase. Disputes take time, and you'll need to follow up.
Tracking Your Disputes
Create a simple tracking document:
- Date filed, bureau/creditor, item disputed, reference number, response deadline, result
- Bureaus have 30 days to respond to standard disputes, 4 business days for identity theft disputes with an FTC report
- If they don't respond within the deadline, the item must be removed by law
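An added example (not from the original guide) of the tracking document as a small script that computes each response deadline and flags disputes that have passed it without a result. Assumptions: deadlines are counted from the date filed, business days skip weekends only (federal holidays are ignored), and the field names, reference numbers and sample rows are constructed.

```python
from datetime import date, timedelta

STANDARD_DAYS = 30          # standard dispute, per the text above
ID_THEFT_BUSINESS_DAYS = 4  # dispute backed by an FTC Identity Theft Report


def add_business_days(start, n):
    """Advance n weekdays from start (weekends skipped, holidays are not)."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            n -= 1
    return day


def response_deadline(filed, has_ftc_report):
    """Deadline for the bureau's response, counted from the filing date."""
    if has_ftc_report:
        return add_business_days(filed, ID_THEFT_BUSINESS_DAYS)
    return filed + timedelta(days=STANDARD_DAYS)


def overdue(disputes, today):
    """Reference numbers of disputes past deadline with no result recorded."""
    return [d["ref"] for d in disputes
            if d["result"] is None
            and today > response_deadline(d["filed"], d["ftc_report"])]


# Constructed sample rows using the tracking fields listed above.
DISPUTES = [
    {"filed": date(2026, 3, 5), "party": "Equifax", "item": "Unknown card account",
     "ref": "SAMPLE-0001", "ftc_report": True, "result": None},
    {"filed": date(2026, 3, 5), "party": "Experian", "item": "Unauthorized inquiry",
     "ref": "SAMPLE-0002", "ftc_report": False, "result": None},
    {"filed": date(2026, 3, 2), "party": "TransUnion", "item": "Wrong address",
     "ref": "SAMPLE-0003", "ftc_report": True, "result": "removed"},
]

if __name__ == "__main__":
    for d in DISPUTES:
        print(d["ref"], d["party"], response_deadline(d["filed"], d["ftc_report"]))
    print("Overdue:", overdue(DISPUTES, date(2026, 3, 12)))
```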
What to Do If Disputes Are Denied
If a bureau refuses to remove a fraudulent item:
- Re-dispute with additional evidence — include your FTC report, police report, and any creditor correspondence
- File a CFPB complaint at consumerfinance.gov — bureaus respond to CFPB complaints with remarkable speed (median resolution: 15 days). The CFPB receives over 600,000 credit reporting complaints annually — this is a well-worn path
- Send a direct dispute to the creditor (not the bureau) — this triggers a separate investigation obligation under the FCRA
- Consult a consumer law attorney — FCRA violations can result in statutory damages of $100-$1,000 per violation, plus actual damages and attorney's fees. Many consumer attorneys work on contingency
Credit Score During Recovery
Expect your score to be volatile during this period. As fraudulent items get removed, your score should recover. The timeline depends on the type of fraud. Read more in our why your score dropped guide and our credit scores overview.
Month 2-12: Long-Term Monitoring
Identity theft doesn't always surface immediately. The FTC recommends monitoring for at least 12-24 months after a breach. Here's your ongoing checklist:
Monthly
- Check all three credit reports (free weekly at AnnualCreditReport.com)
- Review bank and credit card statements line by line
- Check your credit score for unexplained changes
Quarterly
- Review your SSA earnings statement at ssa.gov
- Check for unfamiliar medical bills or EOBs
- Verify credit freezes are still active at all bureaus
- Run a search on haveibeenpwned.com for any new breaches
Annually
- Renew your fraud alert (if not using an extended alert)
- Review and update your IRS Identity Protection PIN
- Run a data broker search on yourself to see what's available publicly
- Request free reports from specialty bureaus: LexisNexis, ChexSystems, NCTUE
Data point: About 25% of identity theft victims are re-victimized within two years (FTC data). Post-breach monitoring is not optional — it's essential for the full 24-month window, especially if your SSN was exposed.
Consider a paid identity protection service for this monitoring period if you don't have one already. The insurance component alone (covering legal fees and lost wages) can be worth the $10-25/month during the high-risk post-breach window. See our best identity theft protection services review for recommendations.
Using IdentityTheft.gov: A Walkthrough
The FTC's recovery site deserves its own section because it's that useful.
- Visit IdentityTheft.gov and click "Get Started"
- Answer the questionnaire about what happened — what type of fraud, what accounts were affected, what information was compromised
- Receive your personalized recovery plan — this is customized to your specific situation, not generic advice
- Print your FTC Identity Theft Report — this document is key for all disputes and has legal weight under the FCRA
- Use the pre-filled letters — the site generates dispute letters addressed to specific creditors and bureaus, pre-filled with your case details
- Track your progress — you can log back in to update your plan as you complete steps
The entire process takes about 20-30 minutes and is available 24/7. It's one of the few government tools we genuinely recommend without reservation.
Important: The FTC Identity Theft Report is different from a standard FTC complaint. The Identity Theft Report provides enhanced rights under the FCRA — including the 4-business-day blocking requirement and 7-year extended fraud alerts. Make sure you're using IdentityTheft.gov, not the general complaint portal.
When to File a Police Report
Not every data breach requires a police report, but you should file one if:
- You have evidence of actual fraud (unauthorized accounts opened, money stolen)
- A creditor or bureau requires it for dispute resolution
- You need documentation for insurance claims (including identity theft protection service insurance)
- The fraud involves physical theft (stolen wallet, mail theft)
- Total losses exceed $500 (some jurisdictions have higher thresholds for investigation)
What to bring to the police station:
- Your FTC Identity Theft Report (from IdentityTheft.gov)
- Copies of fraudulent accounts or transactions
- Your credit reports with fraudulent items highlighted
- Government-issued ID
Reality check: many police departments lack the resources to investigate identity theft. The report is primarily documentation for your disputes and insurance claims. Don't expect active investigation unless the losses are significant (typically $5,000+). However, having a police report strengthens your position in disputes with creditors and bureaus.
Class Action Lawsuits and Settlements
Major data breaches almost always result in class-action lawsuits. Recent settlements provide context for what victims can expect:
| Company | Settlement Amount | Records Affected | Victim Benefits |
|---|---|---|---|
| Equifax (2017) | $700M | 147M | Free monitoring, direct payments up to $125 |
| T-Mobile (2021-2023) | $350M | 76.6M | Monitoring, reimbursement for documented losses |
| Capital One (2019) | $190M | 100M | Monitoring, loss reimbursement |
If you're affected by a major breach, check whether a class action exists before filing individually. Websites like classaction.org and topclassactions.com track active settlements. Document your losses and time spent on recovery — these are reimbursable in many settlements.
Credit Score Recovery Timeline
Here's what the data shows about score recovery after identity theft, based on our analysis of credit repair outcomes:
| Fraud Type | Typical Score Drop | Dispute Resolution | Score Recovery |
|---|---|---|---|
| Hard inquiries only | 5-15 points | 30-45 days | Immediate upon removal |
| New accounts (no delinquency) | 20-40 points | 30-90 days | 1-2 months after removal |
| Accounts in collections | 60-120 points | 60-180 days | 2-4 months after removal |
| Multiple fraud types | 100-200 points | 3-12 months | 4-12 months after removal |
The key insight: score recovery begins only after fraudulent items are removed. Speed of dispute resolution is the bottleneck. Using an FTC Identity Theft Report (4-day blocking timeline) instead of standard disputes (30-day investigation) can cut recovery time dramatically. For a detailed breakdown of point losses by fraud type and projected recovery timelines, see our guide to how identity theft damages your credit score.
Data point: The average identity theft victim spends 200+ hours and $202 in out-of-pocket costs resolving fraud (Identity Theft Resource Center). Using IdentityTheft.gov's pre-filled letters and enhanced dispute rights can reduce both the time and cost significantly.
For more on understanding your credit score factors and recovery strategies, visit our credit scores hub.
Frequently Asked Questions
I got a breach notification but nothing bad has happened yet. Should I still follow these steps?
Yes — at minimum, freeze your credit and change passwords. The delay between a breach and fraud can be months or years. Criminal marketplaces often sit on stolen data before using it. Proactive protection now costs nothing; reactive recovery later costs time, money, and credit score damage.
How do I know if my data was in a specific breach?
Check haveibeenpwned.com (for email/password breaches) and the breached company's notification site. For SSN-level breaches, you'll typically receive a mailed notification. If you're unsure, assume exposure and act accordingly — the protective measures (freezes, monitoring) are free.
Should I accept the free credit monitoring offered in breach notifications?
Yes, always take it — it's free data. But don't consider it sufficient protection. Breach-offered monitoring is typically single-bureau and limited in scope. Layer it with your existing monitoring and credit freezes. The monitoring offer does not replace the need for freezes.
How long should I monitor after a breach?
The FTC recommends at least 12 months. We recommend 24 months for SSN-level breaches, because stolen SSNs have indefinite value — they don't expire like credit card numbers. About 25% of identity theft victims are re-victimized within 2 years, making extended vigilance essential. Keep your freezes in place permanently; they cost nothing to maintain.
Can I sue the company that was breached?
Potentially, but it depends on circumstances. Most major breaches result in class-action lawsuits and settlements. Recent settlements (Equifax: $700M, T-Mobile: $350M, Capital One: $190M) have provided affected consumers with free monitoring, direct payments, and reimbursement for documented losses. Check if a class action exists for your breach before filing individually.
What if the identity thief opened accounts in my child's name?
Child identity theft follows the same response protocol, with the addition that you should freeze your child's credit at all three bureaus going forward. Children shouldn't have credit reports — if they do, it's almost certainly fraud. Contact each bureau's fraud department and file at IdentityTheft.gov. See our protect your credit guide for prevention details. About 1 million children per year are affected by identity-related fraud.
