At ID.me, your security is our top priority. If we detect that your password has been exposed in a known data breach, we’ll alert you when you sign in, create a new account, or change your password.
The breach did not occur at ID.me but resulted from unauthorized individuals accessing private information from other companies or websites. This article explains how to keep your account secure after a data breach.
What to do after receiving a security alert
The steps you need to take depend on what you’re trying to do:
- Sign in: Check your email for a message from ID.me and complete the sign-in process using your current multi-factor authentication (MFA) method. Next, secure your account by updating your password. If you’re unable to complete MFA, visit Resetting your multi-factor authentication (MFA) method.
- Create a new account or change your password: Follow the prompts and use a strong password.
Secure your account
Follow our best practices to ensure your account remains secure:
1. Use a strong password
Ensure your password is strong to reduce the risk of your account being compromised. Strong passwords safeguard your identity and personal information from cybercriminals. To create a strong password:
- Avoid reusing passwords: Make sure your ID.me password is unique and different from any passwords you use for other services.
- Use a passphrase: Combine random words to make a strong but easy-to-remember password. For example, "Sunset$Giraffe!Window92."
- Mix characters: Use a mix of letters, numbers, and symbols. For example, instead of "Basketball74," use "B@sk3tB@ll#74."
- Avoid predictable patterns: Don’t use patterns like "1234" or "abcd," or common sequences like "qwerty."
- Consider a password manager: A password manager can create and remember strong passwords for you.
For step-by-step instructions to change your password, visit Resetting your ID.me password.
2. Add passkey MFA to your account
Passkey MFA is the safest MFA method available, making it the best way to protect your account. A passkey:
- Lets you use your smartphone or computer to sign in. For example, you’ll use facial recognition, a fingerprint, or a pattern unique to your device.
- Helps prevent phishing attacks because someone would need your device to sign in.
- Makes signing in to your account even faster.
To learn how to enable passkey MFA, visit Setting up passkey multi-factor authentication (MFA).
3. Protect your 6-digit MFA code
Some multi-factor authentication methods, like text message/phone call and code generator MFA, use a 6-digit code to complete sign in. If someone asks for your 6-digit code, STOP—it’s a scam. Never share your 6-digit code with anyone. ID.me will never contact you for this code. You’ll only be prompted to enter it at login.
When to contact Support
If you suspect that someone tried to create an ID.me account or verify using your information, or if you believe someone else signed in to your account, report it to ID.me immediately. Learn how to report fraud to ID.me Support.