
University of Michigan School of Information


UMSI researchers’ guide to avoid data breaches

Illustrated graphic shows burglar in mask with sack emerging from laptop screen, approaching two credit cards.

Thursday, 06/24/2021

In the first known study to ask participants about actual data breaches that impacted them, researchers from the U-M School of Information showed 413 people facts from up to three breaches that involved their own personal information. The international team, including Yixin Zou and Florian Schaub from UMSI and researchers from George Washington University and Karlsruhe Institute of Technology, found people were not aware of 74% of the breaches.

At the end of the study, researchers showed participants the full list of breaches affecting them and provided information for taking protective steps against potential risks from data breaches: 



  • Check whether accounts were part of a breach using free services such as or
  • Read breach notifications carefully. 
  • Websites like the FTC’s can help create a recovery plan after identity theft.
  • Make sure to change the password of the breached account and any others for which the same password was used. Doing this once should be enough unless there is a new breach.
  • Sign up for identity monitoring services you get offered. Though not perfect, they are better than nothing.
  • If you experience actual harm from a breach, you may also be entitled to further support.


  • Use a unique password for each online account. No one can remember dozens of these, so it’s best to use a password manager to store and create strong passwords.
  • Wherever possible, use two-factor authentication that requires a code by phone in addition to a username and password in order to access an account.
  • Freeze credit reports at the three major bureaus (Equifax, Experian and TransUnion) to make it more difficult for identity thieves to cause financial harm. See
  • Consider using services such as Sign in with Apple to keep an email address private when creating new accounts (the service provider only sees an email address uniquely created for that account).