You are here

Password breaches – What to do

Share this page

With hundreds of millions of usernames and passwords exposed by breaches recently in the news, you may be wondering how to keep your information safe. Whether you’ve been part of a breach or not, it’s a good time to take steps to protect your usernames and passwords.

Here are some valuable reminders for everyone: 

  • Use multi-factor authentication, when it’s available. Multi-factor authentication adds another layer of protection against attacks. What’s multi-factor authentication? To log in, you must combine something you know (like a password), with an additional factor, which is usually something you have (like a code texted to a mobile phone) or something you are (like a fingerprint). More and more companies are offering it.
  • Make your password long, strong and complex. That means at least twelve characters, with three different “character classes” (uppercase, lowercase, numbers, symbols). It’s best to put non-lowercase letters in the middle of your password. Also, avoid common words, phrases or information in your passwords. And if you’re not sure if you’ve been affected by recent breaches (such as LinkedIn, Myspace and Tumblr), it’s safest to change your passwords.
  • Select security questions where only you know the answer. Don’t use questions whose answers can be found through online public records searches – like your birthplace or your mother’s maiden name. Don’t use questions with a limited number of responses that an attacker can easily guess – like the color of your first car.

If your username and password have been exposed in a breach, take these steps right away:

  • Change your password. If possible, also change your username. If you can’t login, contact the company. Ask them how you can recover or shut down the account.
  • If you use the same (or similar) password for other accounts, change them too.
  • Check your accounts. If the password and username were for a financial site – or even if a credit card number was stored on the site – look for charges you don’t recognize.

For more tips, check out the FTC’s advanced password tips and tricks and our guidance on computer security. If your personal information is misused, visit to report identity theft and get a personal recovery plan.


how can i get annual credit

This FTC article explains your free annual credit reports and how to order them.

You do not have to answer these "security" questions truthfully. :) The login server doesn't care if you lie on the security questions. These servers only check that your responses match.

What do I do if I have done all the steps and someone is still having my accounts? I have already obtained police reports.

You can report identity theft and misuse of your personal information at You can get pre-filled letters and forms to send to businesses and creditors. You could contact the business or email service that gave you the accounts that have been hacked.

It really sounds good the things you suggest, I've done everything everyone said to do. Read every article, contacted every listed merchant, contacted every agency yet Google still gets larger by destroying my life. What people need to be told is that if you are not aware you have a Google wallet your Gmail password drains your bank. Google introduces persistent sign on after combining accounts makes me lose everything I own to refund half of what was stolen from the bank alone towards their judgement for purchases by a minor! I have been living a nightmare to still not have any answers. So when you state file the report tell everyone make sure that's all then need. Make sure that it's not on going when they beg for help, listen! No website will fix what's been done to me. I need someone to for one second to think hey they are doing this to my family member so maybe your personally affected then maybe I'll matter. I've been alone in this and get emails daily asking for my bank statements because nobody has records and my accounts are still compromused. Kicker to it all every charge was from a phone that was in t-mobile possession but hey they feel the early terms owed! Too bad all three flagged an unemployment account over 13 times did not notify me yet I didn't tell them what was concealed from me in time. Yet first statements received two months after bofa denied fraud claims. If it sounds confusing well welcome to my world it's daily! I cry daily, no website will fix when they've been allowed to do! Nobody protected me!

You may want to talk to a lawyer about your situation. To find a lawyer in your area, you could use this state-by-state list from the American Bar Association or visit this site from the State Bar Associations.

I just saw your post. No lawyer will touch this. I have complaints with every agency possible. Google deleted 4000 in charges the bank has. I dont understand why this has been allowed. Please help me.

I totally understand this.I am victimized by this because of uncalled for credit issues..denies me a real network.. pre-paid..premiums? Single line ..becomes a party streaming extension if you can't access...if you cancel...get affirmations even if the account continues in your name or rather assisned portal IP at least you canceled..tell google by sending feedback..until you can truly find the core reason to your personal issue...if you have no attachments to your personal email accounts ...turn them over to authorities..wait to create a new email until your network clears up with malware ..don't be stuck paying for scammers damages and net reversed tactics..close up your banks online..turn charges in with your complaint..FTC...Keep in touch! . . .

I received a call from a company thatvi had a cellphone account on my old name of almost 20 years ago there wasn't cellphones in south Africa then

changing my internet ID would be very damaging for me as it includes the name of and nature of what we do in the name. We have every blocking device we have found yet the problem continues and increases This has led to appx. 25 junk calls and 50+ junk emails. I was told to tell the caller to take us off their list....they have learned to talk over you as soon as they hear any key words they have been trained to listen for and then hang up. Then call again the next day ad infinitum....any advise?

This FTC article has information about ways to block unwanted calls.

I am so thankful for the work you do for all Americans, and for all the information you give us for Free. I will share the Good news!


I applied for a loan and the company is asking me for my asking me for user name and password I don't want to give it to them having trust issue. Help

I find it interesting and confusing that the FTC would state the #1 recommendation for consumers to "Use multi-factor authentication, when it’s available.", and yet, the FTC does not state anywhere that Companies should implement MFA for their customer facing services. Why is this the case?

The FTC should have some sort of statement somewhere like this:
"In response to global credential theft issues and the fact that 67% of all breaches result from exploiting weak or stolen credentials, the FTC recommends that companies and organizations implement Multi-Factor Authentication to comply with “reasonable and necessary measures” to protect sensitive consumer data."

I can keep all my information safe and secure

I want to change my password

It doesn't always work even if you know the preventions especially when they copycat a legitimate company such as Microsoft or even internet companies

It doesn't always work even if you know the preventions especially when they copycat a legitimate company such as Microsoft or even internet companies

Can't find where to change my password?

I have problem of password login with Cvs app

Leave a Comment