If your personal data was exposed in a breach, the most useful question is not just what happened but what should I watch for next. Identity theft often unfolds in stages: account takeovers can happen quickly, phishing and smishing campaigns may follow within days, and credit or tax-related fraud can appear later. This guide gives you a practical 90-day monitoring plan so you know which identity theft warning signs matter most, when they tend to show up, and how to respond without trying to monitor everything at once.
Overview
The first 90 days after a breach are usually the most confusing. Many people expect a single dramatic sign of fraud, such as a new loan or a drained bank account. In practice, the early signals are often smaller: a password reset email you did not request, a bank text that looks slightly off, a mailed notice about an account you never opened, or a login alert from an unfamiliar location. Those clues matter because fraud often starts with testing.
A breach can expose different combinations of data: email addresses, phone numbers, passwords, dates of birth, payment card details, Social Security numbers, health data, or account numbers. The type of exposed data affects the likely fraud pattern. If only your email address leaked, expect more phishing scam alerts, brand impersonation, and credential stuffing attempts. If payment details were involved, watch for card misuse and replacement card notices. If highly sensitive identity data was exposed, the risk expands to new-account fraud, tax scams, benefits fraud, and long-tail identity theft.
This article is designed as a tracker, not a one-time read. You can revisit it weekly in the first month, then at 60 and 90 days, using the checkpoints below. The goal is to separate normal post-breach noise from genuine fraud signs after a breach, and to make your response more deliberate.
Two practical rules help from the start:
- Assume follow-on scams are likely. After a public data breach alert, criminals often exploit confusion with fake breach notices, fake account recovery links, and support impersonation.
- Document before you react. Save screenshots, note timestamps, preserve suspicious emails or texts, and keep a simple incident log. If a small issue grows into a larger identity theft case, that record will help.
If you need broader context on active incidents, a standing reference point is the Data Breach Tracker: Major Company Breaches, Exposure Types, and What Customers Should Do.
What to track
The key after a breach is to track a small set of recurring indicators rather than checking everything constantly. These are the highest-value warning signs for someone trying to monitor identity theft.
1. Account access changes
Start with your core accounts: primary email, mobile carrier account, banking, credit cards, and any password manager you use. Warning signs include:
- Password reset emails you did not request
- Multi-factor authentication prompts you did not initiate
- New device, browser, or location login alerts
- Changes to recovery email addresses or phone numbers
- Locked accounts without a clear reason
Why this matters: email is often the pivot point for broader account takeover. If an attacker gains email access, they can reset passwords elsewhere. If your email may already be compromised, see What to Do If Your Email Was Hacked: Recovery Steps, Evidence, and Account Security Checks.
2. Financial account anomalies
Check transaction histories and account notices for unusual activity, but also look for administrative changes that happen before money moves:
- Small test charges on cards
- New payees or linked external accounts
- Address changes on bank or card accounts
- Paperless settings enabled unexpectedly
- Replacement card notices you did not request
These can indicate an attacker is preparing for larger fraud. In some cases, small charges are simply a validation step to confirm a stolen card still works.
3. Credit report changes
One of the clearest identity theft warning signs is a new account, hard inquiry, or address on your credit file that you do not recognize. Track:
- New credit inquiries
- New revolving or installment accounts
- Name, address, or employer changes
- Collection items that do not belong to you
If a breach involved sensitive identity data, a credit freeze after breach exposure is often the most effective preventive move. For a detailed walkthrough, use Credit Freeze Guide After a Breach: When to Freeze, Lift, and Monitor Your Reports.
4. Mail and document irregularities
Physical mail still matters. Many victims first notice fraud through mail they were not expecting, including:
- Credit card or loan mailers tied to applications you did not make
- Statements for unfamiliar accounts
- Tax documents from unknown employers or institutions
- Healthcare explanations of benefits for services you did not receive
Do not dismiss mailed notices as routine spam if they reference a real account number, application, or service date.
5. SIM and phone account signals
Phone numbers are valuable for account recovery and two-factor authentication. Track:
- Sudden loss of mobile service
- Carrier emails about SIM changes or device swaps
- Account PIN reset notices
- Unexpected port-out confirmations
If your number is taken over, downstream account takeovers can happen quickly because text-based authentication may be intercepted.
6. Phishing, smishing, and impersonation attempts
After a public or private breach notification, criminals often send messages that appear to help. Watch for:
- Texts claiming your account needs urgent verification
- Emails about settlement payments, refunds, or free credit checks
- Calls from people claiming to be fraud support or breach response staff
- Links that route to lookalike login pages
These messages may mention real companies and real incidents. Their timing is what makes them effective. If you are unsure whether a text is legitimate, use How to Tell if a Text Message Is a Scam: Current Red Flags and Brand Impersonation Tactics and Phishing Scam Alerts: New Email, Text, and QR Code Scams to Watch.
7. Benefits, tax, and healthcare anomalies
These signs often appear later and are easy to miss:
- Tax filing rejection because a return was already filed
- Benefits notices for claims or enrollments you did not initiate
- Medical billing for unknown providers or services
- Employment verification notices tied to unfamiliar employers
These forms of misuse can persist longer than payment-card fraud and may require a more formal dispute trail.
Cadence and checkpoints
Rather than checking everything every day, use a schedule. A defined cadence reduces anxiety and helps you notice real change.
Days 0 to 7: Containment and fast-moving abuse
This first week is about securing your position and watching for immediate account misuse.
- Change passwords on your email account first, then banking, payment apps, and other high-value accounts.
- Enable or review multi-factor authentication, preferring app-based methods or hardware keys where possible.
- Check recent logins and active sessions for major accounts.
- Review bank and card activity daily.
- Save the breach notice and note exactly what data was said to be exposed, if known.
Most important warning signs in this phase: password resets, MFA prompts, suspicious texts, small card charges, and carrier account changes.
Days 8 to 30: Monitoring for follow-on fraud
This is the period when many victims start receiving more scam traffic. Continue checking financial accounts, but broaden the focus.
- Review your credit files or alerts for new inquiries or accounts.
- Watch postal mail for unfamiliar financial or benefits correspondence.
- Check your main email account for forwarding rules, security setting changes, and unusual login attempts.
- Revisit your mobile carrier and key financial accounts for profile changes.
Most important warning signs in this phase: new-account attempts, impersonation messages referencing the breach, and paperless setting changes that may hide statements.
Days 31 to 60: Confirmation stage
If an attacker obtained enough identity data, this is when broader fraud patterns may become visible.
- Re-check credit reports and dispute unfamiliar items quickly.
- Monitor for collections notices, verification letters, or service denials tied to accounts you do not know.
- Review healthcare and benefits portals if relevant.
- Audit older accounts that you rarely use but still keep open.
Most important warning signs in this phase: new tradelines, unfamiliar addresses, debt collection activity, and evidence that an attacker is using dormant accounts.
Days 61 to 90: Stabilization and long-tail risk review
By this point, immediate account abuse may have slowed, but this is not the time to stop watching entirely.
- Confirm that freezes, fraud alerts, password changes, and MFA settings are still in place.
- Check for any unresolved disputes or replacement cards that never arrived.
- Review tax, benefits, or employment-related notices.
- Update your incident log with what changed, what was false alarm, and what still needs follow-up.
Most important warning signs in this phase: delayed account openings, administrative identity changes, and unresolved records that could reappear later.
For readers managing incidents in a business setting, especially if customer or employee data may be involved, Vendor Breach Response Checklist: What SMBs Should Do When a SaaS Provider Is Compromised can help structure the response side.
How to interpret changes
Not every alert means your identity has been stolen. The practical skill is learning how to classify changes.
Low concern: background noise, but still worth noting
Examples include generic phishing emails, spam texts that do not reference a real account, or a single marketing mailer that appears unrelated. These do not prove misuse, but they may increase after a breach because your contact details are circulating more widely.
Moderate concern: signs of targeting or testing
Examples include repeated password reset requests, MFA prompts, small card charges, or a bank text referencing a real institution where you have an account. These often indicate active testing rather than completed fraud. Respond by securing the relevant account immediately and documenting the event.
High concern: evidence of identity misuse
Examples include a new credit inquiry you did not authorize, a changed mailing address on a financial account, a SIM swap or port-out event, a collection notice for an unknown debt, or tax or healthcare records tied to your identity that you do not recognize. These are not wait-and-see events. Treat them as active identity theft indicators and begin formal remediation.
A useful way to interpret any change is to ask three questions:
- Does this involve a real account or institution I actually use? If yes, prioritize it.
- Does it change control of my identity, communications, or money? Email, phone, banking, and credit changes are high impact.
- Can this event lead to more fraud if ignored for 24 to 48 hours? Password resets, SIM changes, and address changes usually can.
If you do need to escalate, your response may include contacting the affected company through known channels, freezing credit, replacing cards, tightening account recovery methods, and documenting all notices and calls. If you are reviewing legal notice language or trying to understand consumer rights around a breach notification, Breach Notification Laws by State: Deadlines, Thresholds, and Consumer Rights is a useful companion reference.
When to revisit
This topic is worth revisiting on a schedule, not only when something goes wrong. A simple revisit plan helps catch delayed misuse and keeps your defenses current.
Revisit weekly for the first month
Use a 10-minute checklist:
- Review your main email security settings and recent login activity
- Scan bank and card transactions
- Check for unfamiliar texts, calls, or voicemails referencing real accounts
- Look at carrier notices and account profile changes
- Review any new mail related to financial, tax, or medical activity
Revisit at day 60
This is a good point to check whether your monitoring is too narrow. Add any account category you ignored in the first month, especially dormant accounts, old financial services logins, and benefits portals.
Revisit at day 90
Make a final first-phase review:
- Confirm whether any suspicious events turned into verified fraud
- Keep copies of dispute letters, screenshots, and notices
- Decide what stays on your long-term quarterly checklist
- Evaluate whether a credit freeze should remain in place
Revisit monthly or quarterly after that if sensitive data was exposed
If the breach included data that can support new-account fraud, the useful horizon is longer than 90 days. Your ongoing checklist should include credit monitoring, tax-season awareness, carrier account security, and cautious handling of breach-themed scam messages.
The most effective action is not constant vigilance against every possible scam. It is disciplined monitoring of the signals that actually predict harm: access changes, financial anomalies, credit activity, phone account events, and official notices that do not fit your life. If you build that habit now, you will be in a much stronger position not only after this breach, but after the next data breach alert or privacy alert that affects your accounts.
