Followup to my post just below re the Telus hack..

Copied ⬇️

A no-BS guide for Canadians who aren’t sure where to start

Two days. Two of Canada’s biggest corporate names. Two massive data breaches.

Loblaws got hit - potentially hundreds of millions of records including prescriptions, credit card details, health card numbers and loyalty data. Telus got hit - nearly a petabyte of data stolen over months, including call logs, voice recordings and personal information from at least 20 other companies that trusted Telus with their data.

If you missed either of those pieces, find them here:

Loblaws

Telus

Your information is probably out there. The question is what you do next.

And before you spiral into a full-blown panic attack at the kitchen table...

Acting fast is smart. Panicking is not. I know because I have been there. Full network hack - attackers took over my perimeter cameras, erased events, wiped them offline completely. Lost access to old accounts I’d almost forgotten existed. Got pushed out of social media profiles. It was a mess and it was traumatic.

The biggest mistakes I made happened when I was rushing and stressed. Forgot what I’d just changed, locked myself out of things, lost recovery options I’d never properly set up in the first place.

So - deep breath. Then we get to work.

For the record - these two breaches did not compromise your home network or devices directly. But if you’re taking the steps to protect yourself, there’s no harm in doing this fully and getting it sorted once and for all. Think of it like finally cleaning out that junk drawer. You’ve been through several devices over the years, signed up for dozens of sites, and are now sitting on a jumbled mess of logins that always starts with the same question...

“What is my password again?”

Let’s fix that.

Step 1 - Set Up a Recovery Email First

Before you touch anything else, create a brand new email address you will use for one purpose only - account recovery. This is not your everyday email. This is the safety net you throw under everything else.

Here’s why this matters. Most of your other accounts - banking, social media, shopping - are tied back to your primary email. If someone gets into that, they hold the master key to your entire digital life. They can reset your bank password, your social media, your shopping accounts...all through one inbox.

Your email is not just an email. It is the keys to your house, your wallet, and your passport - combined.

I use Proton Mail for this. It’s free, it’s secure and it walks you through setting up two-factor authentication (2FA) - which means even if someone has your password, they still can’t get in without a code from your phone. Other free options - Gmail or Outlook work fine too.

Once your recovery email is set up, go to your main email account’s settings and add it as a backup. Not sure how?

Paste this into Google: How do I set up a backup email for my [Gmail / Shaw / Telus / Outlook / whatever you use] - and follow the directions.

While you’re in there...change your main email password too. And write it down somewhere safe. Not a sticky note on your monitor.

Step 2 - Your Cards. Do This Today.

If you have a PC Financial or Loblaws credit card - the Mastercard tied to PC Optimum - seriously consider cancelling it. Given what was allegedly stolen from Loblaws, it is not worth the risk. Call the number on the back or log into your PC Financial account and request a new card, or cancel outright if you don’t use it regularly.

For your regular bank debit and credit cards - most major Canadian banks now let you lock your card inside their app so it cannot be used for online purchases or tap payments without you unlocking it first. I’ve done this myself. It sounds like a pain, and honestly - it kind of is at first. But the routine becomes second nature fast.

Unlock in the app - pay for gas, groceries, whatever the bill is - relock immediately after. Nobody can use your card without going through you first. Download your bank’s app (RBC, TD, CIBC, Scotiabank, BMO - they all have this), or call your branch and ask them to walk you through it.

Step 3 - Passwords and 2FA

Change your passwords, starting with the accounts most directly connected to these breaches - Telus accounts (mobility, internet, MyTelus app), PC Optimum, Shoppers Drug Mart online, and any account where you reused those same passwords.

Strong passwords are long passwords. Aim for at least 20 characters - a phrase, a sentence, something only you would think of, with a number or symbol thrown in. “BlueSky2026!CanadaMaple” is better than “Password1.”

And don’t try to remember all of them yourself. Use a password manager - Bitwarden is free, 1Password is excellent for a small monthly fee. These apps generate and store strong passwords for every account so you only need to remember one master password to rule them all.

Once your passwords are changed, turn on two-factor authentication (2FA) everywhere it’s available. This adds a second step when logging in - usually a code from an app on your phone. Use an authenticator app like Authy rather than SMS text codes where possible, because hackers with stolen phone metadata can sometimes intercept texts through SIM-swap attacks.

Enable 2FA on your email accounts, banking apps, social media, shopping accounts, and anything that holds payment information.

Step 4 - Account Priority Order

If you’re feeling overwhelmed about where to start, here’s the order that matters most. Work through it at a steady pace, not a sprint.

Email - first, always. Everything else recovers through here.
Banking and credit cards - online banking portals, investment accounts, PayPal, Interac.
Telecom accounts - Telus, Rogers, Bell, your mobile carrier. Change password and set an account PIN. Ask your carrier specifically about SIM-swap protection.
Social media - Facebook, Instagram, X, LinkedIn, TikTok, Snapchat. Hackers use these to run scams on your contacts.
Shopping accounts - Amazon, eBay, Walmart, any delivery app that has a saved card on file.
Government accounts - CRA MyAccount, My Service Canada, provincial services. These enable identity theft at a whole different level.
Cloud storage - Google Drive, iCloud, OneDrive. May contain personal documents and identity records.
Streaming and everything else - lower risk but connected to payment methods. Get to these once the priority list is done.
Step 5 - Watch for These Warning Signs

This is the one I want you to remember even if you forget everything else in this article.

Watch for emails or notifications from your email provider, your bank or your social media accounts that say something like: “Someone tried to log into your account from [city or device] - was this you?”

These are not spam. These are early warning shots.

As in...someone has your credentials and is actively testing them. If you see one of those messages and it wasn’t you - change that password immediately and enable 2FA if you haven’t already.

Beyond that, watch for:

Calls from “Telus support,” “your bank’s fraud department” or “Service Canada” that you didn’t initiate - hang up and call back on the official number from the company’s website.
Emails or texts with links asking you to “verify your account” or “confirm a recent login” - delete them and log in directly through the real app or website instead.
Any unexpected password reset emails for accounts you didn’t touch. Change that password immediately.
Friends or family telling you they got a strange message from your social media account - your account may already be compromised.
The Telus breach included detailed call logs and voice recordings. Scammers with that data can make incredibly convincing calls - knowing your name, your account details, who you’ve spoken to. If something feels off about a call, it probably is. Hang up.

Step 6 - Long-Term Monitoring

The data from breaches like these circulates in criminal markets for months, sometimes years. Changing your password once is only the first step, not a permanent fix.

Credit / Identity Theft:
Freeze your credit with Equifax Canada and TransUnion Canada to prevent new accounts from being opened in your name.
Free monitoring: Borrowell, Credit Karma

Dark Web Leaks:
Check if your email appears in known breach databases using Have I Been Pwned.

Bank Fraud:
Enable transaction alerts through your bank app and monitor statements daily for at least 30 days.

Ongoing Monitoring:
Set a Google Alerts notification for your email address + “breach” to catch future exposures.

Bottom line: Assume breached data may resurface later and stay vigilant.

One more thing worth doing…go to HaveIBeenPwned.com right now and type in your email address. It will tell you if your information has appeared in any known data breach. Free, takes 30 seconds.

One Last Thing

I was hacked once.

Badly.

And what I wish someone had told me before it happened was this…the damage doesn’t always come immediately. It comes weeks-months later. While this never happened to me, I do know others who have had a full credit breach following a hack or just having their information exposed.

Things like - being rejected for a credit card, while they believed that their credit was inline - because somebody had already crushed their rating.

Finding out about vehicles purchased in their name, but only finding out because the vehicle was in an accident and it was their information that it was registered under.

Seeing elderly people scammed online because they got what seemed like a message from a family member asking for financial help…

The steps above are not glamorous and they take an hour or two to work through properly. But that hour protects you from problems that can take years to undo.

Take it one step at a time, don’t rush it, write things down as you go...and get it done.

We got this.

https://substack.com/app-link/post?publication_id=447842&post_id=190943448&utm_source=post-email-title&utm_campaign=email-post-title&isFreemail=true&r=jdw0f&token=eyJ1c2VyX2lkIjozMjU2MDcxOSwicG9zdF9pZCI6MTkwOTQzNDQ4LCJpYXQiOjE3NzM1MDQ2ODIsImV4cCI6MTc3NjA5NjY4MiwiaXNzIjoicHViLTQ0Nzg0MiIsInN1YiI6InBvc3QtcmVhY3Rpb24ifQ.SLKnSBAd0QcZL1be9Utn_p531ptj9ThpIDHGsy2aQlI