149M passwords exposed: what to do after a data leak

If you feel like your privacy online is constantly being threatened, your worries are not baseless. News of a large-scale privacy breach or a new data security incident seems to hit the headlines every week, leaving millions of us wondering: “Is it my turn to be a victim?“

How and why did a 149M password leak happen?

Recently, a security researcher discovered a massive, unsecured database containing a staggering 149 million stolen usernames and passwords. This wasn’t some small-scale data leak — the records were collected from victims all over the world and included almost every type of account you can think of.

We are talking about major online services and platforms like Facebook, Instagram, TikTok, and X (formerly Twitter), as well as entertainment giants like Netflix, Disney+, and HBO Max. Even credentials for gaming platforms like Roblox and niche services like OnlyFans were part of this mess.

This wasn’t a direct hack of any of these services. Instead, the researcher believes this data was harvested using infosealing malware — software that infects a device and uses a keylogging technique to record everything a user types, including those exposed online credentials as they log in to their accounts.

This 96 GB database of stolen records was left completely unprotected on the open web, accessible to anyone with a browser. Consequences of a data breach of this size can be dire, fueling a wave of identity theft, financial fraud, and targeted phishing. After all, if such data is leaked, a cybercriminal doesn’t even need to hack into your accounts; they can simply use your password to log in unnoticed.

“Data breaches are a constant threat, and your data is likely already exposed. Our focus must shift from simply reacting to incidents to changing our habits more broadly, for example, using personal data in ways that minimize the risk of loss or limit harm to us.”

– Tomas Stamulis, Chief Security Officer at Surfshark

If you’re wondering whether your data is part of this breach, or simply want to prepare and have a post-data breach response plan, read along.

Here are the main steps to take after a data breach to secure your accounts and online presence:

1. Check if your data was exposed

The first step in any data leak recovery is knowing where you stand: was your data exposed at all? If yes, you’ll need to verify which exact details were included in the data security incident. You can start with a trusted data leak checker to check if any of your emails are associated with a breach.

For a more comprehensive investigation, as well as monitoring future data leaks, use a reliable tool like Surfshark Alert. It checks whether your email addresses, along with related passwords, credit cards, and your ID or Social Security Number (SSN), appear in recent leaks.

Also, look out for official emails like an Instagram security email or notifications from other services. However, be cautious, as hackers may exploit large-scale leaks to send fake breach alerts that trick you into clicking malicious links. If you received such an email, it’s better to navigate directly to the website instead of clicking a link in the email.

Most importantly, you need to understand the scope of your exposed data: was it just your email address, or did a password get compromised? Did the privacy breach include more sensitive data like your home address or credit card details? This will help you prioritize your next steps.

2. Change your passwords

If you find that your passwords were involved in a data breach, you need to act fast, especially if you’ve reused them for multiple accounts — a password compromised in one place can be a threat to every other account using the same login credentials:

• Prioritize affected accounts. Your immediate response should be changing the password for the specific service mentioned in the leak. For example, if it was a Facebook password breach, start there;
• Cut the password chain. If you use the same password for Facebook, your bank, and other important accounts, a single Facebook breach can give a hacker an in to your entire online life. Change them all;
• Make your new passwords strong and unique. A strong password should be at least 12 characters long, use a mix of letters, numbers, and symbols, and not be reused for multiple accounts;
• Use a password manager. You don’t need to try to memorize dozens of complex passwords. To make your life easier, consider a secure password manager to generate and store them safely.

3. Enable multi-factor authentication

If there is one essential safeguard in data breach security, it’s two- or multi-factor authentication (2FA or MFA). Let’s say a hacker found your Facebook data leak credentials. Depending on which MFA option you choose, they won’t be able to get in without an additional security step. It can be a temporary code sent to your secure device (either via a message or generated by an app), a fingerprint or face scan, or a physical security key.

Consider setting up MFA everywhere it’s available: social media, banking, and even your shopping and gaming accounts, to secure them from potential future incidents.

4. Track your bank accounts

When an information breach happens, the end goal for most criminals is money. Even if your banking password wasn’t part of a cyberleak, hackers can use the pieces of your personal info scattered online to try and talk their way into your financial accounts.

Here’s what you should do:

• Set up alerts. Enable real-time notifications for every transaction on your debit and credit cards;
• Review statements. If you see a charge you didn’t make, even as small as $1.00, report it immediately — hackers often test a card with small amounts before going big;
• Report fraud fast. If you see something suspicious, call your financial institutions immediately. The faster you report the credit card fraud, the better your chances of getting the stolen money back.

5. Monitor your credit report

Your data leaked online can lead to identity theft. Sounds threatening, but it’s true — criminals can use the exposed information to open new accounts, credit cards, or take loans in your name. This is why a post-data leak action plan must include credit monitoring.

Pro tip: You are entitled to free credit reports from major credit bureaus (Equifax, Experian, and TransUnion). Request them and look for any accounts or inquiries you don’t recognize.

If you believe your accounts may be compromised, consider placing a credit freeze — it’s one of the most effective ways to prevent anyone from opening new credit in your name. Keep in mind that this includes you, too, until you unfreeze it.

If a credit freeze feels too extreme, you could place a fraud alert on your credit report, which tells businesses they must verify your identity before issuing credit.

Bottom line: secure your digital life

Data leaks are a reality of our modern, connected world, but they don’t have to result in a digital disaster. While you can’t control whether a major company has a data security incident, you can control how you respond and protect your own devices.

By following this incident response plan, you can turn a potentially devastating breach into a minor inconvenience. Tools like Surfshark Alert can add an extra layer of protection by notifying you the second your data hits the dark web.

Don’t wait for the next data breach to take action

Protect your digital life with a comprehensive cybersecurity suite today

Get Surfshark