TL;DR
- A data breach is when a company that holds information about you loses control of it — through an attacker, a misconfiguration, or an insider. Some are small; some affect hundreds of millions of people.
- The first step is to find out what was actually exposed. Not all breaches are equal: a leaked email address is annoying; a leaked password is urgent; a leaked ID document is a long road.
- The bigger the breach, the more likely it resurfaces later as phishing personalised with details from your past — because attackers buy and combine leaked datasets.
- You can check whether your email or phone number appears in known breaches using free, reputable services. Use them once now, then once a year.
- If a critical piece of identity information was leaked (passport number, national ID number, full bank details), this is no longer a "data breach" response — it shades into identity-theft prevention. Move faster, document everything.
What it is
A data breach happens when information about people — usually customers, employees, members, or patients — leaves the control of the organisation that was supposed to keep it. The causes are mundane more often than dramatic:
- An attacker exploits a vulnerability in the company's website or in one of its vendors.
- An employee clicks a phishing email and the attacker uses their credentials to download a customer database.
- A cloud storage bucket is left exposed to the internet by mistake.
- A backup tape is lost, a laptop is stolen, a USB drive is left on a train.
- A disgruntled employee takes the database on their way out.
- A third-party supplier (the payment processor, the marketing platform, the analytics provider) is breached, taking the company's data with it.
What gets exposed varies enormously. Common categories:
- Just an email address — embarrassing but mostly low risk on its own.
- Email plus a password (often stored as a hash, but sometimes in plain text) — high risk, especially if you've reused that password anywhere.
- Email, password, name, date of birth, address, phone number — significant risk; this is the dataset that powers convincing phishing for years.
- Financial details — card numbers, bank account numbers — usually trigger card reissue.
- Identity documents — passport, national ID, driving licence — long-term identity theft risk.
- Sensitive categories — health, sexual orientation, religion, political views, biometrics — under GDPR these have additional protections and notification requirements.
How you find out
A few common ways:
- The company emails you. "We are writing to inform you of an incident that may have affected your information." Read it carefully; don't click links inside; verify what was exposed against the company's official press release.
- A news headline names a company you've used. Search the company's name plus "data breach" and read at least two independent sources.
- A regulator publishes a notice. In the EU, large breaches are reported to data-protection authorities and often disclosed.
- A free breach-monitoring service alerts you. Have I Been Pwned (haveibeenpwned.com) is the most respected — it lets you check any email address against known public breaches, and you can subscribe to be notified for free.
- A password manager flags reused or breached credentials.
- A surge of personalised phishing arrives — emails that know your old address, your dog's name, the company you worked for in 2017. That is leaked data being put to work.
What to do
Step 1 — confirm what was exposed.
Read the company's official disclosure carefully. They are required, in most jurisdictions, to tell you the categories of information affected. Was it just your email, or also a password, or also a payment card, or also your ID? The response is different for each.
If the disclosure is vague — "some account information" — search for independent reporting (security journalists, the national data-protection authority's notice). Don't rely on the company's own framing alone.
Step 2 — act on what was actually exposed.
- Email only. Mostly an annoyance. Expect more spam and possibly more phishing. Nothing else needed.
- Password. Change it on the breached site immediately. If you've reused it anywhere else, change it everywhere else too. This is the moment to adopt a password manager if you don't have one.
- Email plus password. Same as above, plus turn on 2FA on the breached account and on your email account if it isn't already enabled.
- Address, date of birth, phone number. Expect personalised phishing for months. Be slower than usual when responding to messages that "know" details about you.
- Card details. Call the card issuer; request a new card and number. Watch statements closely for the next month.
- Bank account details. Notify the bank, flag the account. Watch for small "test" transactions before big ones.
- Identity documents. This is now an identity-theft prevention scenario, not just a breach response. See Identity Theft Recovery; place a credit freeze; consider replacing the document if your country allows it.
- Sensitive personal data (health, sexual orientation, religion, etc.). Under GDPR you may have specific rights to redress and compensation. Speak to your national data-protection authority; you may also have a claim against the company.
Step 3 — exercise your rights.
In the EU, UK, Switzerland, and many other jurisdictions you have the right to:
- Know what data the company holds on you (data-subject access request).
- Delete data the company no longer needs (right to erasure / right to be forgotten).
- Object to certain processing.
- Complain to your national data-protection authority.
- Claim compensation if you suffered harm.
The complaint is free, often online, and the authority will investigate even if you don't fully understand the technical detail.
What NOT to do
- Don't ignore the disclosure email because it looks like marketing. It is rarely a scam — but if you're unsure, go directly to the company's website rather than clicking the link in the email.
- Don't reply to follow-up messages offering "data recovery" or "credit protection" that you didn't ask for. These are often opportunistic scams targeting breach victims with personalised pitches.
- Don't accept the company's free credit-monitoring offer without reading the terms — some require you to waive the right to sue.
- Don't change the password on a public Wi-Fi network if you have any choice. Wait until you are at home.
- Don't assume "they only got the hashed password" means the password is safe. Hash quality varies; some hashes are crackable in hours for weak passwords. Change it.
- Don't blame yourself. The breach was not your fault. You gave the company your data in good faith; they failed to protect it.
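The Have I Been Pwned check mentioned under "How you find out" and the "hashed password" point in the last bullet meet in one defensive check: HIBP also publishes a keyless Pwned Passwords range API that tests a password against known leaked-password sets while sending only the first five hex characters of its SHA-1 (k-anonymity), so neither the password nor its full hash leaves your machine. The Python below is an added example, not code from this page or from HIBP; the `fetch` parameter and the sample response are constructed here so the logic can run offline.

```python
from __future__ import annotations
import hashlib
import urllib.request

# HIBP's Pwned Passwords range endpoint: GET /range/<first 5 hex chars of SHA-1>
# returns "SUFFIX:COUNT" lines for every leaked hash that shares that prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally; return how often our suffix was seen, 0 if absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count.strip() or 0)
    return 0

def fetch_range(prefix: str) -> str:
    """Network call: only the 5-char prefix leaves the machine, never the password or full hash."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "breach-guide-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def times_seen_in_breaches(password: str, fetch=fetch_range) -> int:
    """Combine the two halves; `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))

# Constructed stand-in for a range response: suffixes and counts are made up for this
# example, except that the middle row is the real SHA-1 suffix of the string "password".
SAMPLE_RANGE = "\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:4",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
    "F" * 35 + ":1",
])

def offline_check(password: str) -> int:
    """Same check against the constructed sample instead of the live service."""
    return times_seen_in_breaches(password, fetch=lambda _prefix: SAMPLE_RANGE)

if __name__ == "__main__":
    print("'password' seen:", offline_check("password"))
    print("passphrase seen:", offline_check("correct horse battery staple"))
```

A non-zero count means the password is in a public leak set and should be treated exactly like the "hashed password" case above: change it everywhere it was used.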
Use AI to help you
Triage the disclosure:
"I received a data-breach notification from [company]. Below is the message they sent and any details about the breach I've found in the news. Please help me (a) understand what categories of my data were likely exposed, (b) list the highest-priority actions for me to take in the next 24 hours, (c) identify the categories of follow-on attacks I should be alert for over the next three months, and (d) tell me whether my country's data-protection law gives me specific rights or remedies I should consider.
[paste notification + news summary]"
Drafting a data-subject request:
"I want to ask [company] for a copy of all the data they hold on me, exercising my right under [GDPR / UK DPA / Swiss FADP / etc., depending on jurisdiction]. Please draft a formal letter in [language], including the legal basis, the scope of the request, and a reasonable deadline for response. Keep the tone professional and firm."
Who to call
- The company itself, through their official channel — but read independent sources first to know what to ask for.
- Your bank or card issuer if financial data was exposed.
- Your national data-protection authority to file a complaint and check whether they have published guidance for the specific breach.
Find the latest contacts for your country with AI:
"I'm in [your country]. List the official channels I should contact after a company has breached my personal data — the national data-protection authority (where I can file a complaint), the relevant sectoral regulator (financial, health, telecoms) if the breached company operates in a regulated sector, and any class-action or collective-redress mechanism that may apply. For each, give the official website, public phone number, and what specifically they can help with. Tell me the legal basis for my complaint (e.g. GDPR Article 77 for the EU, equivalent provisions elsewhere) and the deadline by which I should file. Cite each official source. Flag anything that might be outdated."
A short curated list, by language (for the very latest, prefer the AI prompt above):
- English: UK — ICO (ico.org.uk). Ireland — DPC (dataprotection.ie). US — FTC and state attorneys general; many states have specific notification rules. Canada — OPC (priv.gc.ca). Australia — OAIC (oaic.gov.au).
- German: Germany — federal BfDI plus a per-Land DPA. Austria — DSB (dsb.gv.at). Switzerland — FDPIC / EDÖB (edoeb.admin.ch).
- French: France — CNIL (cnil.fr). Belgium — APD-GBA (autoriteprotectiondonnees.be). Switzerland (FR) — PFPDT.
- Italian: Italy — Garante per la protezione dei dati personali (garanteprivacy.it).
- Spanish: Spain — AEPD (aepd.es). Mexico — INAI (home.inai.org.mx).
- Portuguese: Portugal — CNPD (cnpd.pt). Brazil — ANPD (gov.br/anpd).
For the EU, complaints can be filed with any member-state DPA where you live, work, or where the violation took place.
When to escalate beyond chat
- A breach involves identity documents or sensitive special-category data and you live in the EU/UK/CH — file a formal complaint with your data-protection authority. The investigation is free; if material harm has occurred, you may have a damages claim.
- The breach was at your bank, your insurer, or a critical health provider — speak to a lawyer if you cannot get clear answers from them about scope and timeline. There are class-action mechanisms for some breaches under various national laws.
- You start receiving extortion — "we have your data, pay us to delete it" — don't pay; report to police; the data is already public.
- A child's data was exposed — children's data receives heightened protection in most jurisdictions; raise this directly with the regulator. Watch for accounts being opened in the child's name long after the breach.
- Your employer was breached and your work credentials may be exposed — tell IT immediately; the same credentials may give access to internal systems.
Related topics
- "I've Been Hacked" — the recovery flow if the breach led to your specific account being taken over.
- Identity Theft Recovery — when the breach included identity documents.
- Passwords & Two-Factor — the protection that limits damage from any single breach.
- Phishing & Scam Emails — the form most breach follow-up attacks take.
Sources & references
- Have I Been Pwned — public breach database
- EU GDPR — Articles 33, 34 (breach notification), 82 (compensation)
- Swiss FADP / nDSG — current rules on processor obligations
- ENISA — annual data-breach trend reports
- State of the Phish reports — phishing follow-up vectors after major breaches