Are you active online? If you’re sloppy with your passwords or if you post too much personal information on social media, you’re increasing your risk of being hacked. But even if you keep your data locked up tight, hackers might well acquire your information through a data breach. Once they get a toehold, they can use it to expand the attack, perhaps gaining access to your email or even your bank, before you even get a whiff of the danger. What can you do once you realize that you’ve been hacked?
Have You Already Been Hacked?
A breach at PayPal exposed the personal data of 35,000 users. Hackers got hold of private info about 170,000 members of a Washington DC medical exchange—even senators were affected. When a major hack attack or data breach occurs, it’s all over the news. Frequently the affected service spins up a web page where you can check whether you were affected. And you will be affected, if not this time, then the next. The only upside is that you're one among possibly millions, so the hackers may never get around to weaponizing your details.
Don’t imagine that you can prevent a breach. The antivirus running on your computer is utterly powerless against a security attack on a remote server. If you lost a crypto fortune in the recent hack attack on Atomic Wallet, there’s nothing an antivirus on your local computer could have done about it.
Not every hack starts with a well-publicized data breach. A shady online merchant, a card skimmer, or even a dishonest waiter in a high-end restaurant could compromise your credit card. The first clue may be the appearance of unexpected items on the credit card bill. Always read those bills and figure out what every line means, even the small charges. Card thieves will occasionally put through a few small purchases, just to make sure the card is “live,” before making a big purchase. You can use a personal finance service, such as Mint or Quicken Deluxe, to keep an eye on all your credit card transactions from one place.
Banks are good at fraud detection these days. There’s a good chance you won’t learn about a compromised card until after the bank declines the charges and starts the process of issuing a new card. Getting a new card is a pain, as any automatic payments you've configured will need the new card number. Still, it's better than letting hackers buy a 98-inch TV with your credit.
Credit card numbers aren’t the only kind of data that hackers can misuse. Scammers can use a compromised email account to broadcast spam or to send targeted email scams to your contacts. Your first clue may be worried phone calls from friends asking if you're truly stuck in a Dubai airport with no cash or irate messages from those "you" have spammed.
An identity thief can also use your personal information to open credit accounts, accounts you know nothing about. You might only find out about those accounts when a merchant slams the door on your request to open a new line of credit yourself. Cagey consumers use AnnualCreditReport.com to request a free report from Equifax, Experian, and TransUnion once per year, spreading the requests out at four-month intervals. Yes, Equifax experienced a major breach back in 2017 and had to pay $650 million in damages for its negligence, including free credit monitoring or a $125 minimum payout for anyone affected. But you were affected regardless of whether you checked credit with Equifax.
PCMag thinks highly of the Credit Karma service, which automatically pulls your credit from TransUnion and Equifax every week to keep an eye on your credit. These are "soft" inquiries, not the “hard” inquiries that companies make when you apply for more credit. Hard inquiries can erode your credit score; soft inquiries have no effect.
A change in your credit score is like a ripple in a pond, where the actual misuse of your credit is the rock that made the ripple. Services like Avast BreachGuard and IDX Complete aim their sights at those rocks. They regularly monitor the Dark Web to make sure your personal data hasn’t come up for sale. Norton 360 Deluxe includes a similar scan, powered in part by the company’s LifeLock identity theft remediation technology.
Breach monitoring is also a bonus in some password manager tools, notably Keeper and Bitwarden. The connection makes sense because the first thing to do when a site gets breached is to change your password for that site. With the password manager’s help, you can change it to a strong, unique password that you don’t use for any other site.
How to Recover When Your Data Is Leaked
A compromised credit card may be the easiest hack to get over. You're not responsible for the fraudulent charges, and once the bank has issued a new card the problem is solved. Well, except for the need to update your payment information anywhere the old card was saved.
Regaining control of a hacked email account can be tougher. You'll have to contact the email provider and prove that you're the true account holder. Of course, if the hacker changes your password, you can't use your regular email to contact the provider. It's important to have more than one email address and make each the alternate contact address for the other. Just be very sure you don’t use the same password for both.
Many websites force you to use your email address as the username for your account. That’s certainly easier than making you choose (and remember) a unique username and a unique password for every site. But if you used the password from your hacked email account at any other sites, those accounts are now compromised too. A hacker who gets hold of your login credentials for one site will invariably try the same username and password pair on dozens of other popular sites.
Even if you don’t use any duplicate passwords, compromise of your email account can still be a huge problem. Think about this: If you forget a website password, what do you do? Right—you click to get a password reset link sent to your email address. A smart hacker who has control of the email account will quickly seek your other accounts, social media, perhaps, or worse, shopping and banking accounts. After a simple password reset, the hacker owns those accounts too.
After recovering from an email account takeover, you absolutely should visit every site that's associated with that email address and change your password. A powerful password manager will be a great help here.
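The triage described above (reused passwords first, then every account whose reset link lands in the hacked mailbox) can be scripted against a password-manager export. This is an added example, not part of the original article; the CSV column names, the sample rows, and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample: a password-manager CSV export. The column names are
# assumptions; adjust them to match the export of the manager you use.
SAMPLE_EXPORT = """site,username,password,recovery_email
mail.example,pat@mail.example,Summer2019!,pat.alt@other.example
shop.example,pat@mail.example,Summer2019!,pat@mail.example
bank.example,pat1979,x9!Lq#27vTe$,pat@mail.example
forum.example,patpat,mB4-kw0-Zr8-qd,pat.alt@other.example
"""


def triage(export_csv, hacked_site, hacked_email):
    """Return {site: [reasons]} for accounts exposed by the email takeover."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    hacked = next((r for r in rows if r["site"] == hacked_site), None)
    if hacked is None:
        raise ValueError(f"{hacked_site} not found in export")
    exposed = {}
    for row in rows:
        if row is hacked:
            continue  # the hacked mailbox itself always gets a new password
        reasons = []
        # Same password as the hacked mailbox: it will be tried on other sites.
        if row["password"] == hacked["password"]:
            reasons.append("reused password")
        # Reset links for this account land in the mailbox the attacker held.
        if row["recovery_email"].lower() == hacked_email.lower():
            reasons.append("reset link goes to hacked mailbox")
        if reasons:
            exposed[row["site"]] = reasons
    return exposed


def change_order(exposed):
    """Accounts with the most exposure paths first, then alphabetically."""
    return sorted(exposed, key=lambda site: (-len(exposed[site]), site))


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, "mail.example", "pat@mail.example")
    for site in change_order(result):
        print(site, "->", ", ".join(result[site]))
```

Delete the plaintext export file once the passwords are changed.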
How to Protect Yourself From Identity Theft
Full-on identity theft can be a nightmare. Victims can spend thousands of dollars over weeks and months trying to get their online identities and lives back in their control. The Federal Trade Commission offers an excellent advice site with full details on how you can proceed. Among other things, the site suggests that you order your credit reports, so you can see what's happened, and make an official identity theft report with the FTC.
The site goes on to specify absolutely everything you need to do, step-by-step. It includes checklists so you can make sure you didn't miss any tasks, as well as sample letters and forms. You won't go wrong relying on this useful resource.
You’ve seen the ads for third-party identity theft remediation services. These can help, but only if you have their protection in place before something drastic happens. It’s not unlike an insurance policy—you pay for the protection, but hope you’ll never have to use it. Adding such a service to your monthly bills won’t clean up the breach you just suffered, but it should help the next time around. And the best ones come with a security suite or similar device-level protection.
How to Protect Yourself From Future Breaches
According to expert surveys, all too many victims of exposure in a data breach do nothing at all. Of those that take any action, the majority just change their password on the hacked site. Simply reacting (or not reacting) like this isn’t going to change anything. How can you proactively make sure you don't get hacked, or don't get hacked again?
Each major breach triggers a spate of articles exhorting you to freeze your credit, set up a fraud alert (meaning that you’ll need to go through extra verification steps to open a new account), and so forth. You should consider such modifications to your credit-using life as permanent. After all, the next big breach is just around the corner; in fact, it may have already happened. The actual breach in the Equifax case happened months before it was discovered.
As far as credit cards go, there’s not much you can do, other than avoiding shopping at shady retailers, real-world or online. Modern chipped credit cards secure in-person transactions thoroughly, but they can’t help with card-not-present online transactions. In theory, all merchants should have switched to chipped cards in 2015, but you’ll still find plenty using swipe-only card readers.
Mobile-based payment systems like Apple Pay and Google Pay are more secure than physical credit cards. Each transaction uses a unique number, so hackers gain nothing by stealing existing transaction data. And you can use the mobile payment system for online purchases as well. Just protect your mobile device with a fingerprint or a strong passcode, and always keep it with you.
Poorly secured websites can expose your email address and perfectly strong password to hackers, but using a bad password leaves your account wide open to a simple brute-force attack. Use a strong password for your email account, and a different strong password for every other account or secure site. Yes, you’ll need a password manager, but you don’t have to pay. The best free password managers are quite effective.
On some sites, you can request a password reset by answering a few simple security questions. The problem is, in most cases the bad guys can find the answers to those questions online in seconds. If you’re allowed to define your own security questions, do so, and choose strong questions—ones only you could answer. If you’re forced to choose from lame questions like your mother’s maiden name, don’t use a truthful answer. Pick a false answer that you’ll remember. And don’t use the same question/answer pairs on multiple sites. I’d suggest storing your false answers in your password manager’s notes field…but if you were using a password manager you wouldn’t have needed a password reset in the first place.
Sometimes your personal data is out there for all to see, with no chance to hide it. Real estate transactions, for example, are a matter of public record. Data brokers scour the web for public information and put together a profile that they can then sell to advertisers…or to identity thieves. It’s perfectly legal to gather data and aggregate it into profiles, but the brokers are also legally required to remove your data if you ask. Optery is a service that checks hundreds of brokers for your information and helps you remove it or, for a fee, handles removal for you. Privacy Bee checks even more sites than Optery and takes care of removals automatically.
As for protecting against full-scale identity theft, there are some things you can do to stymie identity thieves. Never fill out any information on web forms beyond what is absolutely required. If something is required but not relevant, like your street address on a site that doesn’t ship things to you, make something up! Get an inexpensive shredder for paper bills and statements. Review all account statements, and make use of your free credit reports. Support all your efforts by installing a powerful security suite. And consider the possibility of upgrading to a security suite that has identity theft protection built in.
Don't Wait for a Breach—Act Now
Minimizing the fallout from those inevitable data breaches isn’t effortless. You need to take what steps you can and remain vigilant. That said, the effort involved is vastly less than the Herculean task of recovering after hackers manage to steal your identity.