So your data has been leaked. Now what?
So you've entered your email into haveibeenpwned.com and your information has been compromised.
How do you fix the problem?
Let's be clear: there is now nothing you can do to prevent your already leaked personal data from being used by others.
Your aim should now be to reduce the impact of the data that has been released, and to prevent future leaks.
This breakdown aims to give you more context on what each type of breached data means for you.
Your finances are at major risk. You should immediately close your bank account and open a new one. If this is impossible, at the very least you should change all your banking logins and replace your leaked cards.
Dates of birth
Dates of birth are commonly used by services to help verify who you are. If this information is leaked, there is not much you can do, except avoid using services that ask for your birthdate (where possible). You can also use a fake birthdate with services that don't check valid identification but still require a birthdate for signup, for instance.
Email addresses, Phone numbers
Email addresses are the most annoying thing to have exposed, as it makes you more likely to be spammed, and they are often used in place of usernames for logins, making some services easier to attack.
With emails, this is quite easy to fix: new email addresses can be created quickly and for free. Changing is annoying, but you can use email forwarding during the transition period to a new address.
With phone numbers, you may want to get a new number. Make sure to keep the old SIM card (for login verification using your old phone number) and update everyone in your contacts with your new one. Burner numbers may be something to explore.
Genders are fortunately not used in many methods of identification. An attacker with knowledge of your gender may find it easier to give a passable impersonation on phone calls.
Geographic locations, Physical addresses
Together with banking details, this is probably the information you want breached least. Simply put, if you are an individual who doesn't want to be found by someone in particular (witness/victim of a crime, for example) and this gets leaked, you should relocate. The information is available to anyone determined enough.
An IP address is available to any website you visit. The owner of the website may be able to identify more about who you are by cross-referencing your IP address with other leaked data. An IP can be masked using VPN services.
Names don't make for a great unique identifier (as names are not unique) - meaning they're rarely used in login forms, but are occasionally used when resetting a forgotten password. An attacker with knowledge of your name will find it much easier to give a passable impersonation on phone calls.
If your password is available in plaintext, a person will find it much easier to log in to your account. Even if it was leaked in a form that has a special one-way encoding (called a hash), it makes it a lot easier to guess your password: if the hacker knows the hash function and the inputs, they can check millions of candidate passwords quickly. Use howsecureismypassword.org to get an estimate of how long it would take a normal computer to guess it in this (very common) scenario.
If your password was sensibly hashed (which is the case the majority of the time), and the howsecureismypassword.org website says your password would take 1000+ years to crack, your password is still very safe.
Social media profiles
This allows hackers to immediately have accounts to target for login attacks. A successful attack can also be used to log into other applications that use single sign-on with that account (e.g. accounts you registered using Sign Up With Facebook/Google etc.). Facebook Payments may allow a hacker to send your money to themselves (though only to a friend, so beware of random friend requests).
Same as emails, with the exception of being sent spam. A lot of spam is a good sign that your email was leaked, but there's no way to see this with usernames, so using different ones for different services is advisable.
Websites will be hacked. It is hard to protect a website from all possible attacks, and there are thousands of websites that may hold our sensitive data. It should be expected that some websites containing our data will be hacked.
The best protection we can have therefore is to ensure that any data we have on a hacked website cannot be used to hack us on other websites.
The way to do this, from highest priority to lowest, is to:
Ensure that services holding the most important data use strong passwords not used elsewhere.
At minimum, update the following:
- Financial services (banks, electronic payment services (e.g. PayPal))
- Google (contains your entire location history, your address, your work address, your current location, plus much more)
- Facebook (payments, impersonation, identity fraud)
- Phone network service provider (incl. any PINs) (to ensure the effectiveness of 2 Factor Authentication, i.e. when you get a text to confirm a login)
An example of a strong password is 4 random dictionary words.
You should check your password's strength at howsecureismypassword.net.
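The "4 random dictionary words" advice and the earlier point about hashed passwords come down to one calculation: how many guesses an attacker needs, divided by how fast they can make them. The script below is an added example, not part of the original article. It generates a passphrase from a word list using a cryptographic random source, computes its entropy on the conservative assumption that the attacker knows the word list and the word count, and converts that into a worst-case time at three assumed guess rates (the rates are illustrative assumptions, not measurements). The tiny `WORDLIST` is constructed for the demo; only the list size enters the maths, so a real list (e.g. one with 7776 entries) can be swapped in.

```python
import math
import secrets

# Constructed word list for the demo. Only the SIZE of the list matters for
# the entropy calculation; a real list (e.g. 7776 words) simply replaces it.
WORDLIST = [
    "amber", "basket", "candle", "dolphin", "engine", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "napkin",
    "orchid", "pebble", "quiver", "rocket", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]

# Assumed guesses-per-second for three scenarios (illustrative assumptions).
# A leaked database hashed with a slow, salted algorithm sits in the middle;
# a leaked fast unsalted hash is the worst case the article warns about.
GUESS_RATES = {
    "online login form (rate limited)": 1e2,
    "offline, slow salted hash (bcrypt/scrypt/Argon2)": 1e5,
    "offline, fast unsalted hash (MD5/SHA-1)": 1e10,
}


def generate_passphrase(words, n_words=4, sep="-"):
    """Pick n_words uniformly at random using a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy in bits when the attacker knows the list and the word count."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst case: try every combination at the given guess rate."""
    return (2.0 ** bits) / guesses_per_second


def human_duration(seconds):
    """Render a duration in the largest convenient unit."""
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(n_words, wordlist_size, rates=GUESS_RATES):
    """Map each scenario label to the worst-case seconds to exhaust the space."""
    bits = passphrase_entropy_bits(n_words, wordlist_size)
    return {label: seconds_to_exhaust(bits, rate) for label, rate in rates.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(WORDLIST))
    for size in (len(WORDLIST), 7776):
        bits = passphrase_entropy_bits(4, size)
        print(f"\n4 words from a {size}-word list: {bits:.1f} bits of entropy")
        for label, secs in crack_time_table(4, size).items():
            print(f"  {label}: worst case {human_duration(secs)}")
```

Running it shows why the hashing question matters: the same passphrase that holds up for years against a rate-limited login form or a slow salted hash falls in days if the site stored a fast unsalted hash, which is exactly why the sites holding your most important data deserve a longer, unique password rather than the minimum.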
Use a password manager to store all your passwords and change them to randomly generated ones. This keeps logging into things a straightforward process, and it remembers all your weird random passwords for you.
My personal recommendation is Bitwarden (free); Bitwarden Premium (pretty cheap) tells you when a password has been leaked. https://bitwarden.com
Dashlane is probably the best money-no-object option, but is very expensive. https://www.dashlane.com
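The two checks a password manager runs for you, "is this password reused?" and "has this password appeared in a breach?", are simple enough to see in code. The example below is added here and is not Bitwarden's or Dashlane's code. It uses the k-anonymity range lookup of the Pwned Passwords service (`https://api.pwnedpasswords.com/range/<prefix>`, which answers with `SUFFIX:COUNT` lines for every known SHA-1 hash starting with the five hex characters you sent), so only the prefix ever leaves your machine. The `VAULT` export and the `SAMPLE_RANGE_5BAA6` response are constructed: the suffix for `"password"` is its real SHA-1 tail, but the counts and the other two suffixes are made up. `fetch_range` shows the live call but is not used by the offline demo.

```python
import hashlib
from collections import defaultdict
from urllib.request import Request, urlopen

# Constructed password-manager export: (service, password). "password" is
# used twice on purpose so the reuse check has something to flag.
VAULT = [
    ("bank", "correct-horse-battery-staple-4711"),
    ("webmail", "q7!Lm2#vXp9$Rz"),
    ("forum", "password"),
    ("shop", "password"),
]

# Constructed stand-in for the service's answer to range "5BAA6". The real
# reply lists every known suffix for that prefix, one "SUFFIX:COUNT" per line.
# Only the middle suffix (SHA-1 of "password") is genuine; the counts and the
# other two suffixes are invented for this example.
SAMPLE_RANGE_5BAA6 = """\
00355B8EFE1AC48B8B4B5C8D3C1C9C2C1D0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
FF0A2A0D2EE2E3D3B2B15D1B9D2F2A5DD39:1
"""
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_5BAA6}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Return the breach count for suffix in a SUFFIX:COUNT response, else 0."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (not used offline). Only the 5-char prefix is transmitted."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "leak-audit-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix):
    """Substitute for fetch_range that serves the constructed sample data."""
    return OFFLINE_RANGES.get(prefix, "")


def find_reused(vault):
    """Map each password used by more than one service to those services."""
    by_password = defaultdict(list)
    for service, password in vault:
        by_password[password].append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


def audit_vault(vault, range_lookup=offline_lookup):
    """Return (service, is_reused, breach_count) for every vault entry."""
    reused = find_reused(vault)
    findings = []
    for service, password in vault:
        prefix, suffix = sha1_prefix_suffix(password)
        count = count_in_range_response(suffix, range_lookup(prefix))
        findings.append((service, password in reused, count))
    return findings


if __name__ == "__main__":
    for service, is_reused, count in audit_vault(VAULT):
        flags = []
        if is_reused:
            flags.append("REUSED")
        if count:
            flags.append(f"SEEN IN BREACHES ({count} times)")
        print(f"{service:8s} {' '.join(flags) or 'ok'}")
```

Against a live lookup you would pass `range_lookup=fetch_range`; the rest of the logic is unchanged. Either flag is a reason to rotate that password, and a reused one should be rotated on every service that shares it, starting with the highest-priority services in the list above.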