This is a practical, prioritized list. Do the items at the top first — they have the highest impact. Everything here is free unless otherwise noted.
This Afternoon (Under 30 Minutes Total)
1. Freeze your credit. Go to equifax.com, experian.com, and transunion.com. Request a security freeze at each. Free, takes 10 minutes total. Prevents anyone from opening new credit in your name.
2. Check if your email has been in a breach. Go to haveibeenpwned.com and enter your email address. If you've been in a breach (and you almost certainly have), change the password on that account.
3. Change your most important passwords. Start with email, banking, and any account that could be used to reset others. Use long, random passwords from a password manager.
This Evening (1–2 Hours)
4. Install Bitwarden. Free password manager. Download at bitwarden.com. Set up your account, install the browser extension, and start migrating your passwords.
5. Remove yourself from Spokeo, Whitepages, and BeenVerified. These are the three most visible data broker sites. Submit opt-out requests at each (process takes about 20 minutes total).
6. Enable 2FA on your email account. Use Google Authenticator or Authy. Your email is the master key to everything — it's your highest priority 2FA account.
7. Add a PIN to your mobile carrier account. Call your carrier and request a port-out PIN or account passcode. This prevents SIM swapping.
Tomorrow Morning
8. Switch your default browser to Brave or Firefox. Install uBlock Origin if you use Firefox. Immediately reduces tracker and ad exposure.
9. Switch your default search engine to DuckDuckGo. Takes 30 seconds in your browser settings. Removes Google search tracking.
10. Review your Google data. Go to myactivity.google.com. See what Google has logged. Turn off Web & App Activity and Location History.
11. Review your Facebook app permissions. Go to Settings → Apps and Websites. Remove any apps you don't actively use.
12. Check your iPhone or Android privacy settings. Review Location Services and revoke access from any apps that don't need it.
This Weekend
13. Set up Google Alerts for your name. Go to google.com/alerts. Get notified when new results with your name appear.
14. Use Google's Results About You. Go to myaccount.google.com/results-about-you. Set up monitoring for your address and phone number.
15. Enable 2FA on your banking accounts. Use an authenticator app, not SMS if possible.
16. Remove yourself from 3 more data brokers. After the top 3, work through: Radaris, Intelius, and MyLife.
17. Check your router settings. Log in to your router, change the admin password if it's still default, and verify WPA2 or WPA3 encryption is enabled.
18. Create an alias email address. Sign up for SimpleLogin (free) and start using aliases for new account signups.
19. Set up auto-delete on your Google account. Go to myaccount.google.com/data-and-privacy and set Web & App Activity to auto-delete after 3 months.
20. Freeze your child's credit (if you have children). Minor children can be targeted for identity theft. Freeze their credit at all three bureaus.
Make It a Habit
Schedule 30 minutes every quarter to: re-submit data broker opt-outs (they re-add your data), check haveibeenpwned for new breaches, and review which apps have permissions on your phone.