If you suspect a break-in, speed matters. A stolen password can turn into a full account takeover in minutes, because attackers use your email to reset everything else. Think of your inbox like the master key to your house. If it’s copied, every other lock becomes easier to pick.
This data breach checklist is a calm, 30-minute action plan for everyday people and small-business owners. Use it even if you’re not sure yet, the goal is to contain damage and stop new logins.
Safety note: This is general information, not legal or financial advice. If money is leaving an account right now, call your bank’s fraud line immediately.
Minutes 0 to 10: Contain the breach and secure your email first
Most account recoveries flow through email. Start here, even if the breach “looks like” a social app problem.
- Get onto a safer device and connection. If your phone or laptop is acting strange, switch to another device you trust. Avoid public Wi-Fi.
- Change your email password now. Use a long, unique password (a password manager can generate one). Don’t “tweak” an old password.
- Revoke active sessions and devices. Look for “devices,” “sessions,” or “where you’re signed in.” Sign out everything you don’t recognize, or sign out all.
- Check recovery options and reset them. Verify recovery email(s) and phone number. Remove anything you don’t own. Update security questions if your provider uses them.
- Hunt for silent takeovers inside email. Check:
- Mail forwarding rules and filters (attackers hide confirmations).
- Connected third-party apps (remove anything unknown).
- “Sent” and “Trash” for messages you didn’t send or delete.
- Turn on strong MFA, not SMS if you can avoid it. Prefer an authenticator app or, best, a hardware security key. SMS codes can be stolen with SIM swaps, and push prompts can be abused with “MFA bombing.” For quick carrier protections that reduce SIM-swap risk, follow Consumer Reports’ SIM-swap prevention steps.
- Save backup codes and recovery keys safely. Store them in a password manager secure note, and also offline (printed and locked up).
If you’re coordinating for a small business, treat your main email and any shared inbox (billing, support, payroll) as top priority. The general flow mirrors “contain, assess, and prevent repeat access” guidance like OAIC’s breach-response steps.
Minutes 10 to 20: Protect your bank accounts and stop transactions fast
Now protect money and credit. The goal is to block transfers, stop new payees, and create a paper trail.
- Call the bank fraud number (use the number on your card or official site). Ask them to lock online access while you reset credentials.
- Freeze what you can immediately. If your bank app has “lock card,” “freeze card,” or “disable transfers,” use it now.
- Change online banking passwords and revoke devices. Do this after the fraud call if the bank asks you to wait, otherwise do it right away.
- Review recent activity with a narrow lens. Look for:
- New payees or transfer recipients
- New external accounts linked
- Address, email, or phone changes
- Statements delivery switched to paperless (a common cover-up)
- Stop payments. Cancel scheduled transfers, bill pays, wires, and P2P payments if you can. Ask the bank to place blocks where appropriate.
- Turn on alerts. Enable notifications for logins, new payees, transfers, and card-not-present charges.
- If cards might be exposed, replace them. New card number, new digital wallet tokens if your issuer supports it.
For a more detailed banking-focused breakdown, see Discover’s guide on hacked bank accounts.
Here’s a short script you can read to a bank rep:
“Hi, I think my online banking was compromised. I need you to lock down my account access, review recent logins and transfers, and stop any pending payments. I also want to confirm my contact details haven’t been changed. Please note a fraud case number and tell me the next steps to dispute anything unauthorized.”
Minutes 20 to 30: Secure social accounts, then switch to passkeys and a password manager
Social accounts are often used for scams, fake ads, or to message your customers. Treat them like financial assets.
- Change passwords for social accounts (and anywhere you reused them). If you reused the same password on multiple sites, assume they’re all exposed.
- Log out unknown devices and revoke sessions. Most platforms show active devices. Sign out of anything you don’t recognize.
- Remove suspicious connected apps. Look for “Apps and websites,” “Connected accounts,” “Authorized apps,” or “API tokens.”
- Check ad accounts and payment methods. Attackers love running ads on your dime. Remove unknown cards, billing profiles, or admins.
- Review profile changes. Watch for changed email, phone, username, bio links, and private messages you didn’t send.
- Upgrade to stronger sign-in methods.
- Passkeys: If the platform supports it, add a passkey. Passkeys resist phishing because there’s no code to type into a fake page. A clear explainer is PCMag’s passkey overview.
- Password manager: Use one to generate unique passwords and store recovery codes. In 2026, many managers also store and sync passkeys, which is convenient, but it makes account recovery planning even more important.
Quick documentation you’ll be glad you kept
Before you forget details, capture proof. It helps with banks, platforms, and insurance claims.
| What to record | Examples |
|---|---|
| Timestamp and timezone | “Jan 21, 2026, 9:14 pm ET” |
| What you saw | “Password reset email,” “new payee added” |
| Evidence | Screenshots of alerts, transactions, device list |
| Actions taken | “Signed out all sessions,” “froze card,” “case #12345” |
Email template for support (edit the brackets):
Subject: Urgent, account takeover and recovery request
Hello Support Team,
My account appears compromised. Please help me regain control and secure it.
Account: [username/email]
Approx. time of compromise: [date/time/timezone]
Signs noticed: [unknown login, profile change, ads created, messages sent]
Actions I took: [password change, MFA enabled, sessions revoked]
Please: confirm current email/phone on file, revoke active sessions, remove unauthorized apps, and share any next verification steps.
Thank you,
[name] [best contact method]
What not to do after a suspected breach (even if you’re stressed)
- Don’t click “support” links from DMs, texts, or random emails. Use official channels you find yourself.
- Don’t reuse passwords or “rotate” a pattern (Summer2025 to Summer2026).
- Don’t approve unexpected MFA prompts, even once.
- Don’t share one-time codes, recovery codes, or remote-access control of your device with anyone claiming to help.
- Don’t post sensitive proof publicly (screenshots with full card numbers, addresses, or IDs).
Conclusion
A breach can feel personal, but the response doesn’t have to be messy. In 30 minutes, you can lock down email, stop bank fraud, secure social accounts, and create a clean record of what happened. Treat this data breach checklist like a fire drill, run it fast, then follow up with deeper cleanup (credit monitoring, device scans, and password resets for lower-priority sites) once the immediate risk is contained.
