Marriott International says as many as 500 million customer records might have been compromised, with data ranging from address and phone numbers to passport numbers.

If you’ve been a Marriott customer in the last several years, what should you do?

First, if you stayed at a hotel with the Marriott name, you’re okay, since those systems were on a separate network.

Affected hotels include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest program, as well as Starwood-branded timeshare properties.

If you stayed at one of those hotels, you should:

Step one: Check your accounts for fraudulent activity. Most Americans don’t keep close tabs on their checking and savings balances and don’t examine every item on their credit card bill—and hackers count on that.

Step two: Set up credit monitoring to ensure no one is using your personal information. Marriott is offering guests a free one-year subscription to WebWatcher, which monitors internet sites where personal information is shared and alerts consumers when their information is detected.

It’s also not a bad idea to sign up for a credit monitoring service, such as Equifax’s TrustedID Premier (though Equifax had a notable data breach of its own in 2017) or CreditKarma.

Step three: If you’re especially worried about identity theft, consider a credit freeze, which prevents new credit from being issued without your direct permission.

“Your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring,” notes the U.S. Public Interest Research Group.

Step four: Keep an eye on non-financial accounts, like your Starwood Preferred Guest membership, for any suspicious activity, such as reward points being used. Alert Marriott immediately if you see this occurring.

Step five: Consider applying for a new passport, especially if you’ve stayed at one of the affected hotels while traveling internationally. This could take several weeks (a routine processing time is 4-6 weeks; expedited processing is 2-3 weeks). Also, be aware that once you report your passport as lost or stolen (or, in this case, potentially compromised), it will immediately become invalid and can’t be used for international travel.

Step six (and this is crucial): It’s time to change your passwords again. Yes, it’s a pain, but it’s a critical step, especially if you’re using the same password on multiple sites.