Help! My information has been stolen! What do I do now?

How secure are my auto-saved passwords in my browser?

Terribly insecure. These passwords are trivial to retrieve.

How secure are my passwords that have been saved in a password manager?

Not very secure at all. If someone had root access to your computer, it's trivial to implement a key logger, or even a plugin to your browser to snarf them before they go out.

Do I really need to reset every password on every account I own?

Only the ones you care about. I likely wouldn't reset my password to adobe.com that I had to register to just to download Adobe Reader. But I would reset my bank and email passwords. Email is of course used to reset passwords. Turn on 2 factor authentication for your bank, email, and anything else that's important. These are all judgement calls about what you consider valuable and what's an acceptable risk. YMMV


Do I need to cancel all Credit Cards I have ever used on that computer?

Credit Cards have fraud protection built in. I myself have had at least 3 incidents where there's been fraud on my CC accounts in the past decade. I never paid a dime for these events, and they went away easily. If you want to avoid the hassle of having to go through this process it's best to cancel the cards, but this is likely the least of your concerns.


What about my archived Tax Paperwork (w/ SSN & Bank Info)?

There's little you can do about your SSN. You can change your bank account numbers relatively easily, though with some hassle. Given the threat, I'd recommend going through the hassle.


Do I need to notify my friends to prevent them getting scammed by the attacker pretending to be me on Social Media?

If you change all the passwords on social media, change all your reset questions, and change all your email passwords, it's not terribly likely someone is going to be able to impersonate you.


What other attack vectors should be considered.

Primarily identify theft. People applying for loans/credit cards/cell phone service, etc under your name. This is a question in-and-of itself, that deserves another question entirely.


The short answer is yes you should do all those things.

I never let passwords auto-save in the browser because it is pretty easy to yank them out.

For LastPass it would depend on what access the attackers had. If they had a key logger you're toast. If not you might be OK. I use LastPass but I have the settings pretty locked down, it logs me out every 30 min, it only remembers my email, never auto-fills on websites, and I use 2 factor authentication. To be safe I would change your LastPass password and have it generate unique passwords for all your websites, and use 2 factor on everything that offers it.

If you are worried that your identity has been stolen I would consider changing card numbers, also for the future I know that Capital One is offering a service that creates a new number for every website that is only valid with that website, so if any website gets hacked you will know right away, and won't have to change your card everywhere else. I would also put a credit lock on all the big services (Equifax, Trans Union, ect..). I do this all the time anyways just in case, it can be a pain if you happen to need a loan, but I think it's worth the work.

This is what I would do, but I'm sort of a "tin foil hat" kind of guy. Good luck.