Your Online Account May Have Been Breached? Don’t Just Sit There. Do Something.



Too many people respond with a shrug and maybe change their password. That’s asking for trouble.

How do consumers respond when their online accounts are exposed to hackers? Many of them simply don’t.

Data breaches at major firms have become all too common, with more than 110 million user accounts exposed in just the second quarter of 2023. Yet our research found that nearly two-thirds of U.S. consumers would return to a site after they were notified of a breach—with only the bare minimum of precautions, like changing their passwords.

Almost a quarter of the roughly 200 people we surveyed said they would return to the compromised website with no changes to their behavior at all. Only 10% said they wouldn’t go back.

Even people who had cybersecurity training within the past 90 days—in other words, people who should be primed to protect themselves—took risks. In a subsequent study, over a quarter of roughly 500 people said they would return to the breached website while taking the absolute minimum security measures, and only about 9% would take more-complicated steps such as setting up two-factor authentication. And they would do that only if they experienced real financial consequences, like fraudulent charges on their credit cards.

Why wouldn’t people protect themselves? Many of the consumers we surveyed believed that there were few—if any—alternatives to the websites they used frequently, and all websites seemed to be affected by data breaches. Why bother beefing up security? Likewise, some people said they would stick with a compromised site because they had put so much time and effort into their presence on it—a classic sunk-cost fallacy.

Since doing nothing may put your finances and personal information at risk, what should you do in case of a breach? Based on my experience as a researcher in this domain and guided by input from customers recovering from data breaches, I recommend the following actions.

The first steps

Take each data-breach notification seriously. Immediately change passwords on the affected sites and sign up to follow the updates from the breached firm. This is also a good time to ensure your passwords are unique and not being used across several sites.

Find out what kind of breach it is. Some breaches violate your privacy—such as stealing your playlist or viewing preferences—but may not be as damaging as other hacks. So they may just require a simple password change on the affected site. Even the breach of encrypted password data, such as in the LastPass data breach, while serious, isn’t an immediate threat.

On the other hand, things like compromised credit-card numbers, financial data and personally identifiable information need stronger attention. Even seemingly innocuous breaches of social-media networks may reveal data that can be used to impersonate you and perhaps be used to invade the privacy of those around you. For instance, hackers might be able to figure out your “forgot password” questions on websites by learning where you grew up, the names of your pets and more.

The next steps

Set up push notifications for financial data. When you’re notified of data breaches that involve credit cards or payment information, review the transactions on the affected accounts, going back to the previous payment period. Whether or not there has been unusual activity, protect yourself by adding mobile push notifications for credit-card transactions—an option offered by most credit cards, online-payment mechanisms and banks. Most notifications happen in real time, so consumers affected by data breaches can quickly identify and contest improper charges.

Use free credit monitoring. Some credit cards and banking firms such as Discover and Chase provide free monitoring of consumer credit and provide monthly updates of noteworthy events and changes. Some go further and provide benefits such as removal of your personally identifiable information found on public sites, including data brokers. Using these services is an easy way to identify and report fraudulent activity, as well as protect against identity theft—so review this data regularly if your information has been exposed.

Enable dual-factor authentication on all of your accounts. This is a good practice in general but is especially important for anyone affected by data breaches. With dual-factor authentication, you enter your password as usual but then confirm your identity using a personal device, typically a mobile phone. This makes it harder for someone to log into the account with only a stolen password.

If your social-media platform has been breached

Along with enabling dual-factor authentication, there are a number of steps you should take in the event of a social-media breach.

First, change the password and log in with the new one. Check the login-activity page to see if anyone other than you has logged in, and then look for the option to delete all other active sessions—so every other device that is currently logged in is effectively logged out.

Also review all direct messages, posts, and comment activity on the account, and report anything suspicious. If it affects other people, let them know. Finally, pause or temporarily deactivate the account, if that is an option, to make it even tougher for hackers to get access.

Rajendran Murthy is the J. Warren McClure Research Professor of Marketing at the Rochester Institute of Technology’s Saunders College of Business. He can be reached at
