An alleged hack at a background check company grabbed headlines this week for potentially exposing billions of social security numbers. Don’t panic, though – this incident is par for the course as companies amass data on consumers, cybersecurity experts say.

The data in question appeared on hacker forums in April and contains millions of rows of data, some of which are authentic names and social security numbers, multiple cybersecurity researchers told The Washington Post. Still, the scale and severity of the alleged breach has been overstated in some reports, they said. It’s still unclear how much of the data is genuine and whether it all really came from hacking a company, as opposed to scraping publicly available sources.

Posters in hacking forums claimed responsibility for the breach and offered to sell or share the data, which they said included personal information from billions of people across the United States, the United Kingdom and Canada. While researchers have confirmed the authenticity of some data, the set is large enough to suggest some fake or reused data, security expert Troy Hunt told The Washington Post. A class-action lawsuit filed in August and first reported by Bloomberg Law accused the background check company National Public Data of not safeguarding personal information including names, addresses and social security numbers.

National Public Data and the Social Security Administration didn’t immediately respond to requests for comment.

Rob Shavell, CEO of consumer security company DeleteMe, said his team hasn’t seen signs that a wave of new stolen data is hitting online markets.

James E. Lee, chief operating officer at Identity Theft Resource Center, a nonprofit that helps consumers deal with fraud, said that there is “nothing new” about this particular data haul and that SSNs already circulate online.

“The steps you need to take today are the steps you needed to be taking for years,” Lee said.

FREEZE YOUR CREDIT

A credit freeze blocks any new lines of credit, so a bad actor couldn’t open new cards or accounts in your name. You can initiate a freeze without impacting your credit score. Just visit the websites of the three major credit reporting agencies Equifax, Experian and TransUnion. You might have to scroll down the page or click on one of the menu tabs at the top to find a “manage freeze” or “add a freeze” button. You’ll fill out a form and might get asked to set up an account of verify your identity – it this case go ahead and do so.

You can pause or remove the freeze at will by going back to the website or by contacting the reporting agency by phone or mail.

TURN ON TWO-FACTOR AUTHENTICATION

This is the thing that sends you a text message with a code as you log in. “Two factor” just means you need to authenticate your identity in multiple ways before accessing an account.

Turning on two-factor authentication – either when you set up an account or later in the settings – is one of the best and easiest ways to keep accounts secure, according to the Identity Theft Resource Center, a nonprofit that helps consumers deal with fraud. Still, maybe people skip this step. Always say “yes” to two-factor authentication, whether that’s through text messages, emails or a stand-alone authenticator app that asks “is that you?” every time you sign in.

If you haven’t set up two-factor authentication, start with your most sensitive accounts such as banking and health care, Shavell said.

CONSIDER DARK WEB MONITORING

Data brokers collect details about individuals to build profiles they sell to advertisers and even law enforcement. If your Social Security number turned up in a broker’s database, it would be hard to hunt down on your own. You can sign up for a service that monitors the web for your personal info and sends removal requests on your behalf.

REVISIT YOUR PASSWORD HYGIENE

It’s 2024, and we’re not using the same password for multiple websites anymore. Each account you own should have a long, distinct password containing a mix of letters, numbers and special characters.

Worried about remembering all those? Get a password manager such as DashLane or 1Password, which automatically generates secure passwords and autofill them next time you log in. (Both of these products cost about the same as a Netflix subscription, but Apple and Google have their own free password managers that come with your operating system.)

If you’re still refusing to use a password manager, try to keep your passwords free of personal information such as your pet’s name or your birthday – those make it easier for bad actors to guess, said Ginny Fahs, director of research and development at consumer advocacy nonprofit Consumer Reports.

DON’T FORGET ABOUT VISIBILITY

If you don’t mind making your social media accounts private, doing so can cut down on the personal information criminals can access. A bunch of public Facebook posts, for instance, could make it easier for a hacker to impersonate you in a phishing attack targeting one of your friends or family members. Don’t forget to check your privacy settings in apps such as Venmo and YouTube as well. Just last month, reporters at Wired found that the public Venmo transactions of vice-presidential candidate Sen. JD Vance, R-Ohio, provided a glimpse into the politician’s social connections.

DELETE ACCOUNTS YOU DON’T USE

Don’t just abandon accounts you don’t use anymore – go ahead and delete them. It reduces the amount of personal info you have sitting online, such as an old Myspace account, and in some cases prevents companies from sharing or selling your data down the line.

“If you’re no longer using that site, there’s no reason for that company to have your information,” Fahs said.

In many cases, deleting your profile doesn’t mean the company has deleted the data it stores about you. But some states have privacy laws that require companies to honor a deletion request and purge your information from its servers. Consumer Reports made a tool called Permission Slip that lets you send multiple data deletion requests in one place.