Important: The National Public Data breach exposed personal information, including names, addresses, and social security numbers. Learn how to protect yourself and how Microsoft Defender is helping to prevent fraud. See: National Public Data breach: What you need to know.
There's a tendency to downplay the compromise of your email address. After all, you probably use it fairly often, give it to online stores and services, it may even be printed on your business cards. It's not really much of a secret. However, if scammers get your address there is some mischief they can get into.
What can they do with your email address
At a basic level, scammers getting your email address can result in a surge in spam messages to your inbox. More troubling is that some of that spam may actually be increasingly sophisticated scams or phishing. In addition to being annoying these scams require you to be a little more alert to avoid accidentally clicking a malicious link or engaging with a scammer.
Criminals who have your email address could potentially use it to impersonate you in an effort to carry out scams or phishing attacks against your friends, family, or coworkers. Especially if the email address they got is your work address.
For example, they could send a message to somebody else in your company but make it appear as if the message came from you. If your coworker is not at their best that day they could be fooled, at least long enough to divulge sensitive information or get caught in some other scam.
More concerning is that your email address is increasingly used as your user ID on many sites, shops, and online services. If criminals have your email address that's half of what they need to sign into those sites as you. Criminals could try guessing your password, brute forcing it (That's where they just try every combination of letters and numbers until they stumble across the right one) or using a password of yours that was compromised in another breach. If they get lucky, they'll be able to sign in as you and cause other problems.
Tip: For a short, engaging, story about the dangers of reusing passwords see Cameron learns about reusing passwords.
What can you do about it
It may not be practical for you to change your email address, but there are a couple of things you can do to make yourself safer.
Check the locks
First off, check any accounts where that email address is used as your username for signing in. Confirm that you've got a strong, unique, password and that multi-factor authentication is turned on. Multi-factor authentication defeats 99% of the password attacks we see. It's the single most important thing you can do to secure your online identity.
Tip: If you're using Microsoft Edge you can go to Settings > Profile > Passwords and use the search box to quickly find all of the accounts you've saved credentials for that use a particular username.
If any of your passwords are weak or used on multiple sites, you should immediately change them.
Tune your filters
All major email services and email apps offer spam filtering and a way to report a message that is spam or a phishing scam. Whenever you see a message in your Inbox that is unwanted, report it to help tune the filters so fewer of those messages can get to your Inbox.
Tune your mental filters too
Be extra alert for any messages that ask you to click a link, open an attachment, or call a phone number. Especially if they are from strangers or try to get you to act immediately. Creating a sense of fake urgency or fear of loss is a common trick of scammers. For more information see How to spot a "fake order" scam.
If a message seems off in any way take a moment, slow down, and think carefully about what they're asking you to do and why. If you're still not sure if you should take action, talk to somebody you trust and get their opinion.
Set up identity theft monitoring in Defender
Use Microsoft Defender’s identity theft monitoring service to find out if companies have exposed your email address in a breach and to get access to restoration services to help address the situation. For more information see Getting started with identity theft monitoring in Microsoft Defender - Microsoft Support.
Protecting your email address
It's hard to protect your email address because by its very nature it needs to be given out to be useful. However, consider having at least 2 email addresses.
-
One that you give only to friends and family and is never given to strangers.
-
A second address that you only use for signing into online accounts.
Tip: Some people have a third "throwaway" email address that they use when shops or sites insist on getting an email address. This email address, sometimes referred to as a "spam trap" can be something you rarely check since it should really only collect ads, offers, and junk mail.