Loading

▲ Your report will be sent directly to your email.

Open Report Sample

What to Do If Your Personal Information Is Leaked Online

When your personal information is exposed online, act quickly: secure accounts, preserve evidence, remove what you can, and monitor for misuse.

Start With the Risk, Not the Panic

Finding your personal information online can feel invasive and urgent. It may be your email address, phone number, home address, date of birth, passwords, government ID, bank details, photos, medical records, family information, or private documents.

The right response depends on what was leaked.

A public phone number on a people-search site is risky, but it is not the same as a leaked passport number, Social Security number, tax file number, bank login, or intimate image. A leak involving your home address, children, workplace, threats, stalking, or extortion needs faster escalation.

Your goal is simple: reduce visibility, secure your accounts, protect your identity, document what happened, report serious misuse, and keep monitoring because leaked data can reappear.

If There Is Immediate Danger, Act First

Some personal information leaks are more than privacy problems. They can become safety issues.

Contact local emergency services or law enforcement immediately if:

  • Your address was posted with threats
  • Someone is stalking, harassing, or blackmailing you
  • Intimate images were shared or threatened
  • A child’s information or images were exposed
  • Someone is impersonating you to cause harm
  • You are being pressured to pay money
  • You believe someone may come to your home, school, or workplace

Do not argue with the person posting your information. Do not threaten them back. Preserve evidence and report through the proper channels.

Identify Exactly What Was Leaked

Before trying to remove anything, make a quick inventory. This helps you prioritize the most urgent risks first.

Type of leaked informationMain riskFirst response
Email address or phone numberPhishing, spam, account targeting, SIM swap attemptsEnable multi-factor authentication and watch for scams
Password or usernameAccount takeoverChange the password immediately everywhere it was reused
Home addressDoxxing, harassment, stalking, identity verification abuseSave evidence, request removal, review physical safety risks
Date of birth, family names, old addressesIdentity verification abuseMonitor accounts and credit files
Government ID numberIdentity theft, credit fraud, account fraudContact the issuing agency and consider credit protection
Bank, card, or payment detailsUnauthorized transactionsContact your bank or payment provider immediately
Medical, legal, or intimate informationBlackmail, reputational harm, discrimination, abusePreserve evidence and request urgent removal
Child’s personal informationIdentity theft, exploitation, safety risksPreserve evidence and report quickly

Even partial information matters. Criminals often combine leaked details with public information from social media, data brokers, old breaches, public records, and search results.

Save Evidence Before You Request Removal

Take screenshots before deleting posts, reporting profiles, or contacting websites. Capture:

  • The full page URL
  • The date and time
  • Search results where the information appears
  • The visible personal information
  • Usernames, handles, profiles, or accounts that posted it
  • Any threats, demands, messages, or payment requests
  • Any evidence of impersonation or account misuse

Save copies somewhere secure. Evidence may help if you need to report identity theft, fraud, harassment, doxxing, extortion, or a privacy violation.

If the leak involves threats, stalking, blackmail, or intimate images, do not repeatedly search for or share the content. Save what is necessary, then use official reporting and removal channels.

Secure Your Most Important Accounts

Start with accounts that can unlock the rest of your life:

  • Email accounts
  • Banking and payment apps
  • Mobile phone provider account
  • Apple ID, Google Account, and Microsoft account
  • Social media accounts
  • Cloud storage
  • Password manager
  • Government service accounts
  • Work accounts

Change passwords for any account connected to leaked credentials. If you reused that password anywhere else, change it everywhere it was reused.

Use long, unique passwords for every important account. A password manager can help you avoid reuse.

Turn on multi-factor authentication wherever possible. Cybersecurity agencies describe multi-factor authentication as one of the most effective ways to protect accounts because it requires more than one proof of identity before access is granted.

When available, use passkeys, authenticator apps, or hardware security keys instead of SMS codes. SMS is better than having no second factor, but it is weaker if your phone number has been leaked or you are at risk of SIM swap fraud.

Also check account security settings for:

  • Unknown devices
  • Active sessions you do not recognize
  • Email forwarding rules
  • Changed recovery email addresses or phone numbers
  • New backup codes
  • Connected third-party apps
  • Login alerts from unfamiliar locations

After changing passwords, log out of all active sessions.

If Financial Information Was Leaked, Contact Your Bank Immediately

If your card number, bank account number, payment app, tax ID, or financial login was exposed, move fast.

Contact your bank, card provider, or payment service through the official app, website, or phone number on the back of your card. Ask them to:

  • Cancel and replace affected cards
  • Block suspicious transactions
  • Add extra account verification
  • Review recent activity
  • Check for new payees, transfers, or linked devices
  • Monitor for account takeover attempts

Do not use phone numbers or links from unexpected breach emails or text messages. Scammers often use real data leaks as bait for fake “security” alerts.

Use a simple rule: if a message creates urgency, asks for verification codes, requests remote access, or wants payment, stop and contact the organization directly through a verified channel.

Protect Your Credit and Identity

If sensitive identity information was leaked, assume someone may try to open accounts in your name.

This is especially important if the leak includes:

  • Social Security number
  • National Insurance number
  • Tax file number
  • Social insurance number
  • Driver’s license number
  • Passport number
  • Date of birth plus address history
  • Government service login
  • Identity document images

United States

Consider placing a credit freeze with Equifax, Experian, and TransUnion. The FTC explains that credit freezes and fraud alerts can make it harder for scammers to open new credit accounts in your name.

A credit freeze restricts access to your credit report. A fraud alert tells creditors to take extra steps to verify your identity before opening new credit. The FTC says an initial fraud alert is free, lasts one year, and only requires contacting one of the three major credit bureaus; that bureau must notify the other two.

If your information has already been misused, use IdentityTheft.gov to create a recovery plan and report identity theft.

United Kingdom

Check your credit file and report suspicious applications.

If your details were stolen, leaked, or used suspiciously, consider Cifas Protective Registration. Cifas says the service is designed for people worried their personal details have been stolen, people who have noticed unusual account activity, or people affected by an organization losing or leaking sensitive data.

Also report fraud or attempted fraud through the appropriate national fraud reporting service.

Australia

If you have been or are likely to become a victim of fraud, you can request a ban on your consumer credit report. The Office of the Australian Information Commissioner says a credit reporting body can place a ban on your report to prevent it being used or disclosed as part of a credit check.

If a government-issued identity document was exposed, contact the agency that issued it. The OAIC specifically recommends contacting the relevant issuing agency when a breach involves documents such as a driver’s license or Medicare details.

You can also report cybercrime through ReportCyber. Australia’s Cyber.gov.au says that if there is an immediate threat to life or risk of harm, call 000.

Canada

Report fraud, attempted fraud, or identity theft to the Canadian Anti-Fraud Centre. The CAFC collects information on fraud and identity theft, and the Government of Canada says scams or fraud should be reported even if you were not a victim.

The Canadian Anti-Fraud Centre warns that fraudsters may use personal information to apply for government benefits, credit cards, bank accounts, cell phone accounts, or to take over email and social media accounts.

Remove the Information From the Source Website

Search engines are usually not the original source. If your personal information appears on Google, Bing, or another search engine, the data normally lives on a website that the search engine indexed.

Start with the source website.

Look for:

  • Privacy contact
  • Abuse report form
  • Doxxing or harassment policy
  • Data removal form
  • Legal contact
  • Webmaster contact
  • Hosting provider abuse contact if the site owner ignores you

Keep the request short and specific. Include the exact URL and explain what personal information is exposed.

Example:

Hello,

This page exposes my personal information without my consent: [insert URL].

The page contains my [address/phone number/email/government ID/other personal information]. I am requesting that you remove this information urgently because it creates a privacy and safety risk.

Please confirm once the information has been removed.

For people-search sites and data brokers, use their opt-out or suppression forms. Expect the process to be repetitive. Some sites remove data quickly, some require verification, and some may republish information later from new sources.

Be careful with removal forms that ask for more personal information than necessary. Provide only what is needed to verify and remove the listing.

Remove Personal Information From Google and Search Results

After contacting the source website, request removal or refreshing of search results.

Google allows removal requests for several types of sensitive personal information, including addresses, phone numbers, email addresses, confidential government IDs, bank account or credit card numbers, images of signatures or IDs, private medical records, and confidential usernames or passwords.

Google’s removal process can reduce visibility in search results, but it does not automatically delete the original webpage. You still need to contact the website owner or host for full removal.

For Bing and other search engines, use their privacy, outdated content, or legal removal processes where available. In Europe, Microsoft provides a Bing request form for search-result blocking where results are inadequate, inaccurate, no longer relevant, or excessive in searches for a person’s name.

Use Privacy Rights Where They Apply

Depending on where you live and where the organization operates, you may have rights to request deletion, correction, restriction, objection, or access to your personal data.

Privacy rights can help with:

  • Companies holding outdated or unnecessary personal data
  • Data brokers
  • Marketing databases
  • Breach notifications
  • Incorrect personal records
  • Some search result removal requests
  • Complaints to privacy regulators

In the UK, the Information Commissioner’s Office says that if you discover or are notified of a data breach, you can ask the organization what happened, what information was affected, and what steps it plans to take to protect your information.

In Australia, the Notifiable Data Breaches scheme requires organizations to notify affected people when a breach is likely to result in serious harm, and a data breach notification should explain what kind of information was involved and recommend actions you can take.

In California and some other jurisdictions, privacy laws may give residents rights to request deletion, correction, opt-out, or limits on certain uses of sensitive personal information.

These rights are useful, but they are not magic. Public records, court documents, journalism, law enforcement records, archived pages, and information kept for legal reasons may be harder or impossible to remove.

Report Fraud, Threats, Doxxing, or Identity Theft

Not every leak needs a police report. But you should report it if:

  • Someone used your information to open accounts
  • Money was stolen
  • Your identity documents were used
  • You are being threatened, stalked, or extorted
  • Your address was posted with malicious intent
  • Private images or sensitive records were shared
  • Your accounts were hacked
  • Someone is impersonating you
  • A child’s information was exposed

Use the right reporting channel for your country. In the United States, use IdentityTheft.gov for identity theft recovery and IC3 for cyber-enabled fraud or cybercrime. In the UK, report fraud through the national fraud reporting route and consider Cifas protection if your identity is at risk. In Australia, use ReportCyber for cybercrime and contact police if personal safety is involved. In Canada, report fraud and identity theft to the Canadian Anti-Fraud Centre.

If there is immediate physical danger, call emergency services first.

If Intimate Images Were Leaked or Threatened

A leak involving intimate images needs urgent handling. Do not pay blackmailers. Payment rarely guarantees deletion and may invite more demands.

Preserve evidence, report the profile or content to the platform, and use specialist removal tools where appropriate.

StopNCII.org is a free tool designed to support victims of non-consensual intimate image abuse. It works by creating a hash of the image or video and sharing that hash with participating companies so they can help detect and remove matching content.

For images or videos involving someone under 18, use child protection reporting channels. NCMEC’s Take It Down tool is designed to help remove sexually explicit images or videos of minors from participating online platforms, including cases where the person is now an adult but the image was taken when they were under 18.

In Australia, image-based abuse can also be reported to the eSafety Commissioner.

Watch for Follow-Up Scams

After a personal data leak, scammers may contact you pretending to be:

  • Your bank
  • A government agency
  • A credit bureau
  • A breach response team
  • A law firm
  • A tech support provider
  • A cryptocurrency recovery service
  • A police or cybercrime investigator

They may already know your name, address, date of birth, phone number, employer, or account provider. That does not make them legitimate.

Be suspicious of anyone who:

  • Sends unexpected links
  • Requests verification codes
  • Asks for remote access to your device
  • Demands payment
  • Claims they can remove your data from the dark web
  • Pressures you to act immediately
  • Asks you to move money to a “safe” account

Go directly to the official website or app. Do not trust contact details inside unexpected emails, text messages, social media messages, or pop-ups.

Clean Up Your Public Digital Footprint

Once the urgent risk is under control, reduce what is easy to find.

Review:

  • Old social media profiles
  • Public friend lists
  • Tagged photos
  • Photos showing your home, school, workplace, license plate, or regular locations
  • Posts with your birthday, family names, pets, or old addresses
  • Public resumes with phone numbers or home addresses
  • Forum accounts using the same username
  • Data broker and people-search profiles
  • Old domain registration records
  • Public cloud files
  • Shared calendars and photo albums

Do not delete evidence before saving it. But once you have records, remove unnecessary public information.

Also review your privacy settings. Limit who can see your posts, friends, tagged photos, phone number, email address, location history, and old content.

Set Up Monitoring

You cannot assume removal is permanent. Leaked data can be copied, scraped, sold, reposted, archived, and combined with other information.

Monitor for:

  • Your name plus address
  • Your name plus phone number
  • Your email address
  • Your usernames
  • Your phone number in quotation marks
  • Your home address in quotation marks
  • New credit applications
  • Bank transactions
  • Password reset emails
  • SIM swap warnings
  • Mail about accounts you did not open
  • Tax or government benefit notices

Use bank alerts, credit monitoring, password manager breach alerts, search alerts, and identity monitoring where available.

If a breached company offers free credit monitoring or identity theft support, consider using it. But do not rely on monitoring alone. Freezes, password changes, MFA, account reviews, and direct reporting are still more important.

What Not to Do After a Personal Information Leak

Avoid these common mistakes:

  • Do not pay random “data removal” accounts that contact you.
  • Do not reuse a slightly changed version of an old password.
  • Do not assume removing a Google result deletes the source page.
  • Do not ignore partial information such as old addresses or date of birth.
  • Do not upload more ID documents than necessary to unknown removal forms.
  • Do not publicly announce the leak unless there is a clear reason.
  • Do not click links in unexpected breach emails.
  • Do not wait for fraud before securing accounts.
  • Do not argue with harassers, extortionists, or doxxers.

The faster you act, the less useful the leaked data becomes.

A Simple 24-Hour Response Plan

If your personal information was leaked today, do this first:

  1. Screenshot the leak and save the URLs.
  2. Check whether there is any immediate safety risk.
  3. Change passwords on affected accounts.
  4. Turn on multi-factor authentication.
  5. Log out of all active sessions.
  6. Contact your bank if financial data was exposed.
  7. Contact the issuing agency if an ID document was exposed.
  8. Request removal from the source website.
  9. Request search result removal after dealing with the source.
  10. Place a credit freeze, fraud alert, protective registration, or credit report ban where available.
  11. Report fraud, threats, doxxing, or identity theft to the correct authority.
  12. Set up monitoring for accounts, credit files, search results, and suspicious messages.

Final Takeaway

A personal information leak is not just a privacy issue. It can become a security, financial, identity, and personal safety problem if the exposed data helps someone impersonate you, target your accounts, or find you offline.

Act in layers. Preserve evidence, secure your most important accounts, protect your credit and identity, remove the source, reduce search visibility, report serious misuse, and monitor for reappearance.

You may not be able to erase every copy of your personal information from the internet. But you can make it harder to find, harder to use, and less valuable to anyone trying to exploit it.