Last spring, I got an email from a pharmacy I’d used once. Twice, actually. It was a breach notice. My address, phone number, and partial card details had been “potentially accessed.” I remember staring at it thinking, this is the fourth one this year. I don’t even remember signing up for half these places.

Turns out I’m not alone. The Identity Theft Resource Center tracked 3,322 data compromises in 2025 in the US, a record, and in a survey of 1,040 people, 80% said they’d received a breach notice in the past year. Nearly 40% got between three and five of them. So if you feel like your inbox is becoming a graveyard of “we regret to inform you” letters, it’s not paranoia. It’s just Tuesday.

The good news is protecting yourself doesn’t require a six-figure tech salary or weekends learning Linux. Most of what actually works is cheap, free, or priced like a streaming service. Here’s what’s worth doing.

Start with passwords. Really, just start there.

I know. Password advice is the broccoli of the privacy world. Everyone says eat it, no one wants to. But here’s the thing: the overwhelming majority of account takeovers happen because someone reused a password that leaked in an old breach. Your 2014 LinkedIn password is still out there. Somewhere. Being sold.

A password manager fixes this in about an afternoon. Bitwarden’s free plan is genuinely useful, not a teaser. Unlimited passwords, unlimited devices, open source. If you want to pay, the premium tier runs under twenty dollars a year. That’s less than one bad phishing incident costs you in Advil and lost hours on the phone with your bank.

Turn on two-factor authentication everywhere it’s offered, starting with your email. If someone gets into your email, they own every account attached to it. Your bank. Your Amazon. Your cloud storage. Email is the master key.

A VPN is worth it, but shop smart

There’s a reason privacy writers keep bringing up VPNs. When you’re on hotel wifi, on your phone’s network at a cafe, or just trying to keep your internet provider from logging every site you visit, a VPN encrypts the pipe. Your ISP sees “user connected to VPN” and not which sites you visit through it.

Here’s the part most people get wrong though. They look at the monthly price, decide it’s too much, and just skip the whole thing. That’s the wrong call. VPN pricing is weird. The sticker rate is almost never what you actually pay. I’ve been on Surfshark for about two years now, and every time my renewal comes up I go poke around for a code before I pay. Last time I looked at this Surfshark page and there was a discount running that dropped it to roughly what I spend on coffee in a week. A multi-year plan with a working code usually ends up cheaper than a decent lunch per month. Sometimes less.

What a VPN won’t do: make you anonymous, stop you from clicking sketchy links, or protect you if you hand your login to a phishing page. It’s a tool, not a force field.

Your apps know way too much

Open your phone right now. Go to Settings, Privacy, Location Services. Scroll. Half the apps asking for your location in the background have no business knowing where you are. Weather apps? Fine, use precise location while in use. That flashlight app from 2019? Absolutely not.

Do the same for microphone and contacts. Revoke anything that doesn’t pass a laugh test. It takes ten minutes. You will feel unreasonably smug afterward.

While you’re there, check app permissions for anything that syncs your contact list to its servers. That’s how your mom’s phone number ends up in random marketing databases. She didn’t sign up. You did, on her behalf, by tapping “Allow” without reading.

Use an email alias for the junk

This one genuinely changed my life, and I’m trying not to oversell it. Services like SimpleLogin (free tier available) and DuckDuckGo’s Email Protection (free) let you generate throwaway addresses that forward to your real inbox. Signing up for a coupon? Use an alias. Newsletter? Alias. Some sketchy site that demands an email before showing you a recipe? You get the idea.

When an alias starts getting spam, you nuke it. Your real email stays clean. When a company inevitably gets breached, you know exactly which one leaked you, because the alias tells you.

Browser and search

Switch your default browser to Firefox or Brave. It’s free. It takes three minutes. Firefox blocks most tracking by default now. Brave blocks ads without an extension. Both are miles ahead of Chrome, which is essentially Google’s data funnel wearing a browser costume.

For search, DuckDuckGo or Startpage. Are they as good as Google? Sometimes no, honestly. Google is scary good because it has ten years of your searches to tune results. But for 90% of queries, the alternatives work fine, and the trade of slightly-less-personalized results for not being catalogued is one I’ll take.

Install uBlock Origin. It’s free, open source, and does more to protect you from malvertising than any paid antivirus. Malicious ads, or “malvertising,” can install spyware without you clicking anything. Block the ads, skip the problem.

Stop oversharing. It’s not just your Instagram.

James E. Lee, president of the ITRC, put it plainly: “Consumers can take all of the right steps, businesses can have the best cybersecurity and still fall victim to criminals.” That’s sobering, but it cuts both ways. You can’t control what a company does with your data. You can control how much you give them.

Stop posting photos tagged with your location in real time. Post them a week later if you must. Don’t announce when you’re on vacation to a public audience. Audit your old social posts every few months. Delete things. Your 2012 self didn’t need to share their home intersection.

Also: when a website asks for your birthday, phone number, or physical address, ask whether they actually need it. A newsletter signup doesn’t need your birthday. Lie on those fields. Use a fake birthday for accounts that have no legal reason to know the real one. Keep a consistent fake one so you don’t lock yourself out of recovery later.

The things I still mess up

I’m not a privacy saint. I still log in to stuff with Google because it’s faster. I still have a Facebook account I haven’t deleted because my aunt posts family photos there. I forgot to renew my VPN once and didn’t realize for two weeks. Real people do real things imperfectly.

The goal isn’t perfection. It’s raising your floor. The difference between someone who does nothing and someone who uses a password manager, two-factor auth, a VPN, and an alias service is enormous. It’s the difference between being an easy target and being one where the attacker moves on to someone easier. There’s almost always someone easier.

Privacy on a budget isn’t about finding the cheapest version of every tool. It’s about picking the three or four things that cover most of the risk and actually using them. Bitwarden. A VPN subscription when there’s a good code running. Permission audits every few months. Email aliases for anything you don’t trust.

Your inbox will still get breach notices. Mine will too. But the ones that matter, the ones with your real password or your primary card, those get rarer. And that’s the whole game.


Olivia is a contributing writer at CEOColumn.com, where she explores leadership strategies, business innovation, and entrepreneurial insights shaping today’s corporate world. With a background in business journalism and a passion for executive storytelling, Olivia delivers sharp, thought-provoking content that inspires CEOs, founders, and aspiring leaders alike. When she’s not writing, Olivia enjoys analyzing emerging business trends and mentoring young professionals in the startup ecosystem.
