Data breaches are a common headache for companies and individuals. Last month a notorious ransomware gang hacked a unit of insurance giant UnitedHealth Group, causing chaos for pharmacies and patients, some of whom temporarily lost coverage for lifesaving medicine. According to the Identity Theft Resource Center, there were over 3,000 data breaches last year, an all-time high for data compromises in the United States.
Sometimes companies scramble to hide the extent of a breach, leaving customers in the dark about how to safeguard their information after a hack.
AmEx recommended that cardholders regularly monitor their accounts for unsuspected charges for the next one to two years. You can also sign up to be alerted to suspicious activity by turning on notifications in the American Express app or at americanexpress.com/accountalerts. The company didn’t immediately respond to questions from The Washington Post about the extent of the breach.
Here are other steps you can take to protect yourself if you’re a possible victim of a hack.
Pick new passwords as soon as you’ve spotted sketchy behavior, or the moment you’ve confirmed that you’ve been hacked. It’s not uncommon for people to reuse the same password across multiple sites and services — if that sounds like you, move fast.
Ideally, you should use different, strong passwords every time, and password manager apps like Dashlane and 1Password can be a huge help. Once they’re installed, you can use them to create secure passwords that they save for later use — all you have to do is remember the single master password that gets into those apps.
Thankfully, it can be pretty easy to tell if one of your passwords has been compromised. Web browsers like Google Chrome and Apple’s Safari can automatically detect when one of your saved passwords was previously exposed in a hack or data breach, and will suggest you change your log-in credentials to something new and more secure. Apple’s iOS and iPadOS software also offers a security recommendations tool (Go to Settings -> Passwords -> Security Recommendations) that shows you all your vulnerable online passwords in one place.
Use the right kind of two-factor authentication
Fixing your passwords is just the start — you’ll also want to add another layer of protection: two-factor authentication.
The most common form of two-factor authentication — or 2FA — relies on text messages. If you’ve ever been prompted to punch in a code that gets texted to your phone when logging into a website or service, you already have some experience with 2FA.
This kind of authentication is better than nothing, but it isn’t unbreakable — if someone was able to access your account with your wireless carrier, they could perform what’s known as a SIM-swap attack. Once that happens, every text message that would normally be delivered to your phone would instead be directed to the hacker’s, security code included. If possible, use an app like Authy or Google Authenticator instead. Rather than relying on text messages, these apps can generate single-use codes to help you securely log into your accounts.
Start recovering your accounts
Once you’ve locked down your other accounts, start trying to recover ones you may have lost control of. Many commonly used services offer tools to help you verify your identity and regain access to your accounts, but some make it easier than others. Here’s how recovery works on some of the services you might be using.
Google: The company will let you verify yourself by contacting other devices connected to that account. On Android phones, you’ll get a notification that you can tap “yes” on to prove you’re the account owner. If you’re using an iPhone or iPad, Google makes that verification message available in the Gmail app. If none of that works, Google will send a recovery email to a backup email address if you’ve specified one in the past.
Apple: If someone has taken control of your Apple ID, start by visiting iforgot.apple.com. From there, Apple will ask you to verify your phone number and then send notifications to your other Apple devices to help you reset your password — but only after you’ve confirmed your identity by punching in your Mac’s password, or your iPad’s or iPhone’s passcode.
Amazon: To start, Amazon will attempt to confirm your identity by sending a verification code to your phone. If that isn’t an option — say, if someone else has control of your phone number — your best bet is to call Amazon customer service. As part of the process, you may be asked to upload a scan of your driver’s license, state ID card or a voter registration card to verify your identity.
Microsoft: Visit the company’s account recovery site and type in the email address associated with your Microsoft account. You’ll be prompted to give Microsoft an account recovery code if you’ve already made one; if not, you’ll have to fill out a short form that — among other things — asks you to provide an alternate email. The company will send a four-digit code to that email address. Once you’ve verified the code, you’ll fill out another short form to start the recovery process.
When in doubt, call a company’s customer service line. Unfortunately, in some cases, it’s nearly impossible to get a human on the phone to work through your problem. That’s especially true of social media services, like Facebook and Instagram: when we tried calling, a prerecorded voice message told us to instead visit Facebook’s Help Center to begin the recovery process.
Consider freezing your credit
Some hacks do more than expose your usernames and passwords — they also reveal deeply personal information, like your Social Security number. The biggest high-profile example is T-Mobile, which confirmed that personal data including SSNs, driver’s license information and dates of birth belonging to millions of past and present customers were exposed in a hack.
If you have reason to believe someone has obtained your Social Security number in a data breach, take a deep breath and act quickly. The best thing to do is to immediately freeze your credit reports, a process that basically prevents anyone — including yourself — from opening new lines of credit without “thawing” it first.
Thankfully, this process is less daunting than it may seem: You can visit the Equifax, Experian and TransUnion websites to get started, and it should only take about 10 minutes with each service.
You’ll also want to make sure all the gadgets you use — even the ones you pick up infrequently — are running the most up-to-date software. Gadget makers like Apple, Google and Samsung routinely release updates meant to fix security flaws.
Apple, for instance, released a security patch in September intended to fix vulnerabilities that allowed NSO Group to install its Pegasus spyware on targets’ phones. This week, Apple rolled out security tweaks in iOS 17.4 and iPadOS 17.4.