You get the letter in the mail. Maybe it is an email from a company you barely remember creating an account with. “We regret to inform you that your personal information, including your Social Security number, may have been compromised in a recent data breach.” Your stomach drops. Now what?
This is not a hypothetical scenario. According to the Identity Theft Resource Center, there were over 3,200 data compromises reported in the United States in 2023, affecting more than 353 million victim notices. If your SSN has been exposed, you are far from alone. But you do need to act fast and act smart.
This guide walks you through every step of the recovery process. No vague advice, no filler. Just practical actions you can take today to protect yourself and start rebuilding your financial safety.
Recognizing the Signs That Your SSN Has Been Compromised
Sometimes you find out through an official breach notification. Other times, the signs are more subtle. Here is what to watch for:
Credit report surprises. You pull your free annual report from AnnualCreditReport.com and see accounts you never opened. Maybe a credit card from a bank you have never used, or an auto loan in a city you have never visited. These are red flags that someone is using your SSN to open new lines of credit.
IRS letters about taxes you did not file. The IRS sends you a notice saying they received a return under your Social Security number, but you have not filed yet. This is a textbook sign of tax-related identity theft. Criminals file early using stolen SSNs to claim refunds before the real taxpayer does.
Debt collection calls for debts you do not owe. A collector calls about a medical bill, utility account, or credit card balance that has nothing to do with you. This means someone used your SSN to rack up charges and then disappeared.
Denied credit or insurance for no clear reason. You apply for a mortgage or car loan and get rejected even though your finances are solid. The lender tells you there is derogatory information on your credit file. That information belongs to the thief, not you.
Missing mail or redirected correspondence. You stop receiving bank statements, bills, or other financial mail. An identity thief may have filed a change of address with the USPS to intercept your mail and collect information.
Any one of these situations warrants immediate action. If you notice two or more, treat it as a confirmed compromise and begin the recovery steps below without delay.
Step 1: Place a Fraud Alert on Your Credit Reports
The first thing you should do is place an initial fraud alert with one of the three major credit bureaus. Under the Fair Credit Reporting Act, you only need to contact one bureau and that bureau is legally required to notify the other two.
Here is how to contact each one directly:
- Equifax: Call 1-800-525-6285 or visit equifax.com/personal/credit-report-services/credit-fraud-alerts/
- Experian: Call 1-888-397-3742 or visit experian.com/fraud/center.html
- TransUnion: Call 1-800-680-7289 or visit transunion.com/fraud-alerts
An initial fraud alert lasts one year. It requires creditors to take reasonable steps to verify your identity before opening new accounts. This does not freeze your credit. It adds a speed bump that makes it harder for thieves to open accounts in your name.
If you can prove you are a victim of identity theft (with a police report or FTC Identity Theft Report), you can place an extended fraud alert that lasts seven years. We will cover how to get those documents in the next steps.
Step 2: Pull Your Credit Reports from All Three Bureaus
Go to AnnualCreditReport.com. This is the only federally authorized source for free credit reports. You are entitled to one free report from each bureau every 12 months, and during periods of heightened breach activity, the bureaus have offered weekly free reports.
Download all three reports: Equifax, Experian, and TransUnion. Review each one line by line. Look for:
- Accounts you did not open
- Addresses where you have never lived
- Employers you have never worked for
- Hard inquiries from lenders you did not contact
- Balances on accounts you do not recognize
Write down every suspicious item. Note the creditor name, account number (even partial), date opened, and balance. You will need this information for disputes and for your FTC report.
Do not use third-party “free credit score” sites for this purpose. They often show incomplete data and some are lead generators for credit repair services. Stick with AnnualCreditReport.com for the official reports.
Step 3: File an Identity Theft Report with the FTC
Go to IdentityTheft.gov. This is the Federal Trade Commission’s dedicated identity theft recovery portal. Fill out the online form describing what happened. Be specific. Include dates you noticed the fraud, which accounts were affected, and any communications you have received.
When you complete the form, the FTC will generate a personalized recovery plan and provide you with an FTC Identity Theft Report. This document is important. It serves as your official proof of identity theft for use with creditors, credit bureaus, and law enforcement.
Print the report and save a digital copy. You will reference it multiple times throughout the recovery process. The FTC report also gives you specific legal rights under the Fair Credit Reporting Act, including the ability to get fraudulent accounts removed more quickly.
Step 4: File a Police Report
Contact your local police department and file a report about the identity theft. Bring your FTC Identity Theft Report, copies of your credit reports with the fraudulent items highlighted, and any other evidence you have collected.
Some police departments are more receptive to identity theft reports than others. If the officer is not familiar with the process, explain that federal law (the Fair and Accurate Credit Transactions Act of 2003) gives identity theft victims the right to file police reports and use them to dispute fraudulent debts.
Get a copy of the police report with the case number. This document, combined with your FTC report, forms the foundation of your legal standing as a victim. You will use it to place extended fraud alerts, request credit freezes be expedited, and dispute fraudulent accounts with creditors who want official documentation.
Step 5: Freeze Your Credit at All Three Bureaus
A credit freeze is different from a fraud alert. While a fraud alert tells creditors to verify your identity, a credit freeze blocks access to your credit file entirely. No one can pull your credit report while the freeze is active, which means no one can open new accounts in your name.
Since September 2018, credit freezes are free for all consumers thanks to the Economic Growth, Regulatory Relief, and Consumer Protection Act. Contact each bureau to place the freeze:
- Equifax: 1-800-685-1111 or equifax.com/personal/credit-report-services/credit-freeze/
- Experian: 1-888-397-3742 or experian.com/freeze/center.html
- TransUnion: 1-888-909-8872 or transunion.com/credit-freeze
Each bureau will give you a PIN or password to lift the freeze later. Store these PINs somewhere secure. If you need to apply for credit in the future, you can temporarily lift the freeze for a specific creditor or for a set time period, then refreeze.
Also consider freezing your file with the lesser-known bureaus: Innovis (1-800-540-2505), the National Consumer Telecom and Utilities Exchange (NCTUE), and ChexSystems (if bank account fraud is involved). Thieves sometimes target these smaller bureaus because consumers forget about them.
Step 6: Dispute Fraudulent Accounts and Charges
Now you need to clean up the damage. Contact each creditor where a fraudulent account was opened. Call their fraud department directly. Explain that the account was opened using a stolen Social Security number and that you have an FTC Identity Theft Report and police report to back up your claim.
Request that the account be closed and that the creditor send you written confirmation that the account was fraudulent and that you owe nothing. Under the Fair Credit Reporting Act Section 605B, once you provide an identity theft report to the credit bureaus, they must block the fraudulent information within four business days.
File disputes with each credit bureau for every fraudulent item on your reports. You can do this online, by mail, or by phone. Mail provides the best paper trail. Send disputes via certified mail with return receipt requested to:
- Equifax: P.O. Box 740256, Atlanta, GA 30348
- Experian: P.O. Box 4500, Allen, TX 75013
- TransUnion: P.O. Box 2000, Chester, PA 19016
Include copies (not originals) of your FTC report, police report, and any supporting documentation. The bureaus have 30 days to investigate and respond.
Step 7: Protect Yourself from Tax Identity Theft
Tax-related identity theft is one of the most common consequences of SSN compromise. Here is how to get ahead of it:
File your taxes as early as possible. If your return is already in the system, a thief’s fraudulent return will be rejected. Do not wait until April.
Get an IRS Identity Protection PIN (IP PIN). Visit irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin and request a six-digit PIN. Starting in 2024, all taxpayers can request an IP PIN, not just confirmed identity theft victims. This PIN is required on your tax return and prevents anyone else from filing under your SSN.
File IRS Form 14039 (Identity Theft Affidavit). If you believe a fraudulent return has already been filed under your SSN, submit this form to the IRS. You can file it online through IdentityTheft.gov or mail it to the IRS directly. The IRS will assign your case to their Identity Protection Specialized Unit.
Monitor your IRS account. Create an account at irs.gov to track your tax transcripts and see any returns filed under your SSN. Check this periodically, especially during tax season.
Step 8: Secure Your Financial Accounts and Online Presence
With your credit reports locked down and disputes in progress, turn your attention to your existing accounts.
Change passwords on all financial accounts. Use unique passwords for each account. A password manager like Bitwarden, 1Password, or KeePass makes this manageable. Never reuse passwords across sites.
Enable two-factor authentication (2FA) everywhere. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA when possible. SIM-swapping attacks can intercept text message codes.
Check your bank and credit card statements. Review the last 90 days of transactions on every account. Report any unauthorized charges to your bank immediately. Under Regulation E (for debit cards) and the Fair Credit Billing Act (for credit cards), your liability for unauthorized charges is limited if you report them promptly.
Review your Social Security statement. Create an account at ssa.gov/myaccount and check your earnings record. If you see income reported from an employer you have never worked for, someone may be using your SSN for employment. Report this to the SSA and to the IRS.
Check for medical identity theft. Request an accounting of disclosures from your health insurance provider and any medical facilities you use. Under HIPAA, you have the right to see who has accessed your medical records. Medical identity theft can result in incorrect medical records that could affect your care.
Step 9: Set Up Ongoing Monitoring
Recovery is not a one-time event. You need to monitor your identity going forward because once your SSN is out there, it stays out there.
Stagger your free credit reports. Instead of pulling all three at once, pull one bureau every four months. Equifax in January, Experian in May, TransUnion in September. This gives you year-round monitoring at no cost.
Sign up for free credit monitoring. Many breach notifications come with free monitoring through services like Experian IdentityWorks or similar programs. Take advantage of these offers. They will alert you to new accounts or inquiries on your credit file.
Set up bank alerts. Most banks offer free text or email alerts for transactions above a certain dollar amount, login attempts from new devices, and changes to your account information. Turn all of these on.
Use the SSA’s earnings monitoring. Check your Social Security earnings statement at least once a year at ssa.gov/myaccount to ensure no one is reporting wages under your number.
Consider a dark web monitoring service. Some legitimate services scan dark web marketplaces and forums for your personal information. These are not foolproof, but they can provide early warning if your data appears in a new breach or is being sold.
Understanding Your Legal Rights as a Victim
Federal law provides real protections for identity theft victims. Knowing your rights helps you push back when creditors or bureaus drag their feet.
Fair Credit Reporting Act (FCRA). Gives you the right to dispute inaccurate information, requires bureaus to investigate within 30 days, and mandates removal of fraudulent accounts once an identity theft report is provided.
Fair and Accurate Credit Transactions Act (FACTA). Entitles you to free fraud alerts and credit freezes. Also gives you the right to file police reports for identity theft.
Privacy Act of 1974. Protects your Social Security number from unnecessary disclosure by government agencies. If a government entity exposed your SSN through negligence, you may have grounds for a claim.
Electronic Fund Transfer Act (EFTA) / Regulation E. Limits your liability for unauthorized debit card transactions to $50 if reported within two business days, $500 if reported within 60 days.
Fair Credit Billing Act (FCBA). Caps your liability for unauthorized credit card charges at $50, and most card issuers waive even that amount.
Identity Theft and Assumption Deterrence Act. Makes identity theft a federal crime with penalties up to 15 years in prison. If you can identify the person who stole your information, you can refer the case to federal law enforcement.
If creditors refuse to cooperate or bureaus fail to remove fraudulent information, you can file complaints with the Consumer Financial Protection Bureau (CFPB) at consumerfinance.gov/complaint or with your state attorney general’s office.
What Not to Do After SSN Compromise
In the panic after discovering your SSN is compromised, some actions can make things worse. Avoid these common mistakes:
Do not pay debts that are not yours. Making even a small payment on a fraudulent account can be interpreted as acknowledgment that the debt is yours. Dispute it. Do not pay it.
Do not ignore the situation. The damage from identity theft compounds over time. Unpaid fraudulent debts go to collections, damage your credit score, and can result in lawsuits. Address it now.
Do not rely solely on the company that breached your data. Their “free monitoring” offer is a minimum response, not a comprehensive solution. Take all the steps outlined in this guide regardless of what the breaching company offers.
Do not share your SSN unnecessarily. Going forward, question every request for your full Social Security number. Many businesses ask for it out of habit but do not legally require it. Offer the last four digits first and ask if that is sufficient.
Do not fall for recovery scams. After a breach, scammers often pose as identity theft recovery services, government agencies, or credit bureaus. They call or email asking you to “verify” your SSN or pay a fee for protection. Legitimate agencies will never call you and demand your SSN over the phone.
Building Long-Term Protection for Your Identity
Once you have handled the immediate crisis, shift your thinking to prevention. Your SSN cannot be changed in most cases (the SSA will only issue a new one under very limited circumstances), so you need to build a wall of protection around the one you have.
Keep your credit frozen as default. A credit freeze costs nothing and blocks most forms of new account fraud. Keep it in place permanently and only lift it temporarily when you need to apply for credit.
Use an IRS IP PIN every year. Request a new one annually. This blocks tax fraud completely.
Store sensitive documents securely. Your Social Security card should be in a safe deposit box or fire-rated safe at home, not in your wallet. Shred any documents that contain your full SSN before discarding them.
Be cautious with your information online. Use different email addresses for financial accounts versus social media. Never provide your SSN through email. Verify that any website asking for sensitive information uses HTTPS encryption.
Review your credit reports every four months. Make this a calendar appointment. The few minutes it takes can save you months of recovery work if fraud is caught early.
Talk to your family. Children and elderly parents are prime targets for SSN theft. Children’s SSNs are especially valuable because they have clean credit files and the fraud may go undetected for years. Freeze your children’s credit files and check elderly family members’ credit reports regularly.
30 Most Common Questions About SSN Compromise and Recovery
1. How do I know if my Social Security number has been stolen?
Check your credit reports at AnnualCreditReport.com for unfamiliar accounts or inquiries. Watch for IRS notices about duplicate tax returns, unexpected debt collection calls, or denial of credit when your finances should be in good standing. Any of these can signal that someone is using your SSN.
2. Should I get a new Social Security number after identity theft?
The Social Security Administration rarely issues new numbers. They will only consider it if you have done everything possible to resolve the fraud and continue to experience problems. Even with a new number, your old number stays linked to your credit history, so it is not a clean slate.
3. How much does it cost to freeze my credit?
Credit freezes are completely free at all three major bureaus since September 2018. The Economic Growth, Regulatory Relief, and Consumer Protection Act made it federal law that consumers cannot be charged for placing, lifting, or removing a credit freeze.
4. Can someone open a bank account with my Social Security number?
Yes. Identity thieves can use your SSN to open checking accounts, savings accounts, and even investment accounts. Banks verify identity through SSN, so a stolen number combined with basic personal information is often enough to pass their checks.
5. How long does it take to recover from SSN identity theft?
According to the Identity Theft Resource Center, most victims spend between 100 and 200 hours over six months resolving identity theft. Complex cases involving tax fraud, medical identity theft, or criminal identity theft can take over a year to fully resolve.
6. Is the FTC identity theft report the same as a police report?
No. The FTC Identity Theft Report is a federal document generated through IdentityTheft.gov. A police report is filed with your local law enforcement. You should have both. Together, they give you the strongest legal foundation for disputing fraudulent accounts and placing extended fraud alerts.
7. What is the difference between a fraud alert and a credit freeze?
A fraud alert tells creditors to take extra steps to verify your identity before opening new accounts, but it does not block access to your credit file. A credit freeze blocks all access to your credit report, preventing anyone from opening new accounts entirely. A freeze provides stronger protection.
8. Can I still use my credit cards if I freeze my credit?
Yes. A credit freeze only affects new credit applications. Your existing credit cards, loans, and bank accounts continue to function normally. Current creditors can still access your file for account management purposes.
9. How do I report SSN theft to the Social Security Administration?
Call the SSA’s fraud hotline at 1-800-269-0271 or visit oig.ssa.gov to file a report online. You can also create a my Social Security account at ssa.gov/myaccount to monitor your earnings record and check for unauthorized employment activity.
10. What is an IRS Identity Protection PIN and how do I get one?
An IP PIN is a six-digit number that the IRS assigns to verified taxpayers. It must be included on your tax return and prevents anyone else from filing under your SSN. Request one at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin. A new PIN is issued each year.
11. Can someone use my SSN to get a job?
Yes. Employment identity theft is common. The thief uses your SSN to pass employment verification, and the wages they earn get reported to the IRS under your number. This can create tax problems and may affect your Social Security benefits down the line.
12. Will identity theft affect my credit score?
Yes. Fraudulent accounts with late payments, high balances, or collections will lower your credit score. However, once you dispute and remove the fraudulent items, your score should recover. The timeline depends on how quickly the bureaus process your disputes.
13. Should I pay for identity theft protection services?
You can do everything the paid services do on your own for free. Credit freezes, fraud alerts, credit report monitoring, and dispute filing all cost nothing. Paid services add convenience by automating some monitoring, but they cannot prevent identity theft. They can only detect it and help you respond.
14. How do I dispute a fraudulent account on my credit report?
File a dispute online at each bureau’s website or send a written dispute via certified mail. Include copies of your FTC Identity Theft Report, police report, and any evidence that the account is fraudulent. The bureau must investigate within 30 days and remove the item if it cannot be verified.
15. Can a child’s Social Security number be stolen?
Children are frequent targets because their credit files are blank and fraud can go undetected for years. Check if your child has a credit file by contacting each bureau. If a file exists but should not, it means fraud has occurred. You can freeze a minor’s credit in most states.
16. What is synthetic identity theft?
Synthetic identity theft occurs when a criminal combines your real SSN with fake information like a different name, address, or date of birth to create a new identity. This is one of the fastest-growing forms of fraud and can be harder to detect because the fraudulent accounts do not show up on your credit report directly.
17. How do I check if someone filed taxes using my SSN?
Create an account at irs.gov and check your tax transcripts. If a return was filed under your SSN before you filed yours, the IRS will reject your return with a specific error code. File IRS Form 14039 (Identity Theft Affidavit) and submit your return by mail with the form attached.
18. Can I sue the company that leaked my Social Security number?
You may be able to join a class action lawsuit or file an individual lawsuit if you can demonstrate damages. Consult with an attorney who specializes in data breach litigation. Many large breaches result in settlements that provide compensation to affected individuals.
19. What is the dark web and is my SSN on it?
The dark web is a hidden part of the internet accessible through specialized software like Tor. Stolen personal information, including SSNs, is frequently bought and sold on dark web marketplaces. Some credit monitoring services include dark web scanning, though no service can monitor the entire dark web.
20. How do I remove my SSN from data broker sites?
Data brokers like Spokeo, BeenVerified, and Whitepages collect and sell personal information. Visit each site’s opt-out page to request removal. Services like DeleteMe or Privacy Duck automate this process for a fee. Removing your information reduces your exposure but does not eliminate it completely.
21. What should I do if I get a call from someone claiming to be the SSA?
Hang up. The Social Security Administration will never call you unsolicited to threaten you with arrest or demand immediate payment. Scammers impersonate the SSA to trick people into revealing their SSN or sending money. If you are concerned, call the real SSA at 1-800-772-1213.
22. Can my SSN be changed if it has been compromised?
The SSA may assign a new SSN in extreme cases where you have exhausted all remedies and continue to be disadvantaged by the misuse. You need to provide evidence of ongoing harm. However, a new SSN creates complications because credit history and government records are tied to your old number.
23. How does SSN compromise affect my medical records?
Medical identity theft occurs when someone uses your SSN to receive healthcare. This can corrupt your medical records with the thief’s medical history, allergies, and blood type, which could lead to dangerous treatment decisions. Contact your health providers and request an accounting of disclosures under HIPAA.
24. What is the Consumer Financial Protection Bureau and how can they help?
The CFPB is a federal agency that oversees financial companies and enforces consumer protection laws. If a creditor or credit bureau is not cooperating with your identity theft dispute, file a complaint at consumerfinance.gov/complaint. The CFPB requires companies to respond within 15 days.
25. Should I close my bank accounts if my SSN is compromised?
Not necessarily. If there is no fraudulent activity on your existing bank accounts, changing passwords and adding additional security measures is usually sufficient. If unauthorized transactions have occurred, work with your bank’s fraud department. They may recommend closing the account and opening a new one with a different account number.
26. How do I freeze my child’s credit report?
Contact each of the three major credit bureaus and request a freeze for your minor child. You will need to provide proof of your identity, proof of your relationship to the child, and the child’s personal information. Each bureau has specific documentation requirements listed on their websites.
27. What is a fraud alert extension and how long does it last?
An extended fraud alert lasts seven years, compared to one year for an initial fraud alert. To qualify, you must provide an identity theft report (from either the FTC or law enforcement). During the extended alert period, creditors must contact you directly or take other specified steps before opening any new accounts.
28. Can identity thieves access my Social Security benefits?
Yes. If someone gains access to your my Social Security account at ssa.gov, they could potentially redirect your benefits. Secure your SSA account with a strong password and two-factor authentication. Review your benefit statements annually for any unauthorized changes.
29. How do I report identity theft to the three credit bureaus?
Contact each bureau’s fraud department: Equifax at 1-800-525-6285, Experian at 1-888-397-3742, and TransUnion at 1-800-680-7289. Provide them with your FTC Identity Theft Report. Request that fraudulent accounts be blocked under FCRA Section 605B, which requires removal within four business days.
30. What government resources are available for identity theft victims?
Start with IdentityTheft.gov (FTC’s recovery portal). The IRS has an Identity Protection Specialized Unit at 1-800-908-4490. The SSA fraud line is 1-800-269-0271. The CFPB handles financial complaints at consumerfinance.gov. Your state attorney general’s office may also have an identity theft division with additional local resources.
Need expert guidance on protecting your credit and financial identity?
Visit CreditPrivacyNumber.com or call 800-597-2560 to speak with a specialist who can walk you through your options.