The personal information of 143 million people was accessed by hackers in an attack on Equifax, one of the largest data breaches in U.S. history. If you’re one of the people affected, your first question might be: What do I do now?
First, it helps to know what information might be out in the wild. Equifax says the hackers primarily appeared interested in names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. For about 209,000 consumers, credit card numbers were also taken.
Second, it’s worth noting that the attacks happened between mid-May and July, meaning the information may well already be on the black market. So you’ll want to act quickly.
Step one: Check your accounts for fraudulent activity. Most Americans don’t keep close tabs on their checking and saving balances and don’t examine every item on their credit card bill—and hackers count on that.
“This is reason Number 10,000 to check your online bank statements and credit card statements on a regular basis, ideally weekly,” said Matt Schulz, senior industry analyst for CreditCards.com. “We think nothing of checking Facebook or Instagram 10 times a day, but many think it is too much to ask to check your bank statements once a week. It’s not. It’s easy to do, doesn’t take long and can help you spot problems before they get out of control.”
Step two: Set up credit monitoring to ensure no one is using your personal information. Equifax is offering this protection on a website it set up to help you determine if you were affected by the breach. However, it’s worth noting that the site asks for some very personal information and signing up for the service may waive your right to future legal action against the company.
That said, you’ll definitely want some form of monitoring. Equifax’s service is called TrustedID Premier, but others include LifeLock, Credit Karma, and MyFico.
“The information has been in the hands of criminals for more than six weeks already, so time is not on your side,” says Chester Wisniewski, principal research scientist at network security company Sophos, in an emailed statement to Fortune. “While the monitoring is often of little value, it is worth signing up for. Consumers should take note of whether the service has an automated renewal requirement to avoid unexpected charges once the free year is complete.”
Step three: If you’re especially worried about identity theft, there’s another option: A credit freeze, which prevents new credit from being issued without your direct permission.
“Your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring,” notes the U.S. Public Interest Research Group.
Step four: You’ve probably heard this one before, but it’s time to change your passwords again.
Sophos recommends not using any password you already use on any other account, noting: “Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.”