What To Do Post-Identity Theft?

Good morning folks! I recently had my identity stolen, which is part of the reason I got interested in this forum. While it may be “too late” to undo the damage that’s already been done, what are some good measures to prevent it from getting worse, or from happening again in the future?

I set up credit monitoring, and have changed just about all of my passphrases and/or deleted the accounts associated with them, plus I’ve been enabling 2FA on everything I can think of. I haven’t yet finished setting up Qubes, but am in the process of doing that. Any other advice?

I’m sorry to hear you had your id stolen. However, you shouldn’t confuse privacy with security.

Privacy can help by limiting the amount of information an attacker can gather about you online, however, it will not help you if your account on a website with information is hacked or leaked, that is really the domain of account security. Qubes will not help you with ID theft, if you give the information to the site anyway.

In your circumstance, deleting all non-essential accounts, particularly on sites that perhaps don’t appear so secure, and implementing 2FA is key, so that’s a good start. Another fundamental precept of account security is to use a good password manager, with a strong masterkey. This means every site has a different, random and strong password. Some good selections are Keepass/KeepassXC or Bitwarden. That way you can be sure that one account compromise is unlikely to lead to another.

Another thing that you can do, is where possible and legal, provide as little information, or false information, to those websites that ask for it. I would also suggest getting rid of your social media, or at least auditing it’s privacy settings and the identifying information that you have posted. Remember that even if your social media practices are good, your careless friends can ruin it and reveal almost as much info about you.

I would also make sure that you are using a modern operating system and browser with an adblocker (can’t beat Firefox with uBlock Origin on Qubes, Whonix or Fedora/Debian), with all the latest updates.

You should also ensure that your mobile phone account and voicemail has pin security enabled, and any other security options your provider allows to protect your account should be used, as this is a common target of ID theft.


Sounds like you’ve made a good start.

Subscribe and listen to https://inteltechniques.com/podcast.html there is loads of great content about this exact subject on there and the forum as Michael Bazzell consults for people who have been victims or are high risk targets of hacking, ID theft and stalking.

Getting a credit freeze as well is worth considering as credit fraud is the biggest risk in most cases of ID theft.

Deleting any old/unused accounts may help as credential stuffing is the next most likely scenario.

Targeted attacks are only likely if you are wealthy/famous and Qubes & Graphene (https://github.com/GrapheneOS) are the top picks for secure OS. You should also consider replacing and securing your router and getting new phone numbers.


Yes, we did the credit freeze first, thankfully! I’m in the process of deleting old accounts but it’s taking a while.

Better get on that installing Qubes! Is it weird to say that it’s “hard” to get rid of social media? I think you feel so accustomed to it that deleting it feels alienating. But I understand why you should do it.

1 Like

tbh, even though I encourage Qubes it is a bit overkill if all you want to do is protect yourself from ID theft. Qubes is more for critical anonymity.

If Qubes is too complicated or inconvenient, I would just install Fedora/Debian/Ubuntu instead and keep them up to date.

EDIT: Also I can’t stress enough how important a password manager is!

1 Like

Yes, it appears that some of the information, at least, came from breaches, although it’s hard to tell for certain. I had checked Have I Been Pwned beforehand, and some of the leaked info was on there.

1 Like

Yeah of course. It’s hard to know. The frequency of breaches is quite scary, and really only emphasises the importance of using a good password manager.

1 Like

If you really want to clean up and unless you are very young or have been a minimal internet user, this will take ages.

I started mine a couple of years ago, and I still occasionally get an email or find reference to something that I’d forgotten to delete. Do all of the ones you know, then search here for any major ones:

Then every time you get an email, unless it is something you value, don’t just unsubscribe, also check if you have an account and delete it, use this template if GDPR applies:

GDPR helped a lot.

Not weird at all. What about switching to some alternatives?


great post, only thing to keep in mind, is that from a id theft standpoint, even Mastodon or GNU Social would not assist much if you are posting private identifying info all the time.

1 Like

I’ve been using BitWarden and KeePass (on different machines), and I use Diceware to generate all my passphrases now. Oddly enough, the randomly generated ones don’t seem to get leaked as much!!

1 Like

Yeah, I talk too much…I would really have to get rid of a lot of profiles.

Wow, some of these types of accounts (on Just Delete Me) aren’t so easy to “delete”!!

1 Like

Also, is it possible to get a new IP address easily?

Such a good tool. Well worth following up on the breach data, sometimes you can identify the source and take action.

1 Like

I actually did! I checked https://hacked-emails.com/ as well and did the same thing.

Yup, Steam is a common one. You can still try the GDPR form.

Maybe, you may not even have a static IP now, and your IP address may be useless as it may be shared with everyone in your neighborhood. This will all vary wildly between countries, providers, areas, broadband technologies etc.

1 Like

Potentially useful, though note that this site requires javascript and is Cloudflared.

Ugh…everything is Cloudflared nowadays!!

You shouldn’t really worry about your IP from an ID theft standpoint. Noone sane uses IP addresses to verify identity, as most people have new dynamic IPs from their ISP all the time.

If you do want to hide it from advertisers and websites, you can use a Tor or a VPN to change it. A VPN is probably easiest as your threat model is not very extreme. Make sure you use a paid, reputable VPN though. This website has good suggestions.

1 Like