4 things to know about the Chase hack

A cyberattack at JPMorgan Chase put the accounts of 76 million households at risk. The breach, which was disclosed Thursday, compromised a wealth of personal information like addresses and phone numbers. While nobody knows exactly what hackers will do with this data, consumers can take steps to lessen the potential damage.

What hackers stole. Hackers could potentially have your name, address, phone number and email address. While that may not seem quite as serious as having your financial accounts’ user names and passwords, some experts say it has the potential to be seriously damaging.

According to JPMorgan, there is no evidence that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised. Trish Wexler, a spokeswoman for the bank, said it was not suggesting that customers change their passwords. “I think it is always good practice to regularly watch your accounts,” she said. “You won’t be held liable for any unauthorized transactions that you notify us of. That is just good financial hygiene to monitor your accounts.”

What you should do right now. Credit freezes are probably one of the smartest things consumers can do to protect themselves against identity theft. This prevents the big three credit bureaus from releasing your credit reports to any company that doesn’t already have a relationship with you – something that financial providers and other companies typically access before issuing a new account.

You need to individually approach each of the three credit bureaus, Equifax, Experian and TransUnion. You may need to pay a small fee, depending on where you live.

What hackers can do with the information. Pamela Dixon, executive director at the World Privacy Forum, a public interest research group, said hackers could sell your data to others who then layer it with other publicly available information, like census data. With that, they can create sophisticated – and very convincing – emails that aim at individual consumers, a practice known as spear phishing. Their goal is to extract even more sensitive information from you.

“I would be very conscious of the email you get in the next year, which could be related to this hack,” she said. “They are really hard to detect. It’s not like, ‘Send me money in the Philippines.’ ”

How to avoid becoming a spear phishing victim. Legitimate financial services companies, retailers, cellphone companies, government agencies like the Internal Revenue Service and other providers will not (or at least should not) request personal information in an email.

If you suspect something unusual about an email, contact the company that supposedly sent it, but do not use the phone number in the email – that’s likely to put you in touch with the criminals you want to avoid. The Federal Bureau of Investigation also advises consumers to enter website addresses manually (or at least Google them). In other words, don’t follow links inside the email.

This story was originally published October 3, 2014 at 6:34 PM.