Freeze you credit if you have the option.

Change the password on the account and turn on 2fa if it’s available.

If all your accounts use the same password, time to start changing those and use a password manager.

A password manager is probably your best defense against a future problem as it makes it very easy for each account to have unique passwords.

KeepassXC is a good free option. Bitwarden, ProtonPass have free, somewhat limited, options. Bitwarden is $10 a year the last time I checked.

Keep an eye out for sms and phone calls that are trying to scam, your bank, cc, and government accounts will not text or call you.

1. If you are not already, start using a password manager. BitWarden, or VaultWarden if you want to self-host. Reset all of your passwords, starting with email addresses that are used to access other accounts, then financial accounts, government service accounts, healthcare accounts, etc.

2. Reset the PIN numbers on your bank/credit cards, starting with whichever you use most frequently.

3. Freeze your credit. Check your credit reports and make sure there aren’t any new accounts you don’t recognize.

4. Consider getting a new phone number.

5. Consider getting a new email address (with a provider that at minimum provides encryption at rest).

6. Keep the official notice of the theft of your identity somewhere safe. You may need it to help prove that any new accounts created with your information are not legitimate.

7. If you do find out that someone is illegally using your identity, check with your relevant government office. In the US you can apply for a new SSN if there’s evidence that someone is actively impersonating you, though of course changing it creates a host of follow-on problems for you.

8. Identity information is a commodity item on the Internet, with both legal and illegal information traders. If you’re concerned about exposure, you might want to pay for a data removal service like EasyOptOuts or Delete Me. These services are not scams, they are effective for what they do, but they only work with legally registered data brokers. Having them submit deletion requests for your data will mostly remove it from OSInt sources and people search services. They can’t actually delete your information from any sources that are trading it illegally or take it off the “dark web”, and can’t protect you from someone opening new credit accounts or impersonating you for job applications.
   The effectiveness of this is limited, and it costs money, which is why it’s low on this list.

9. Depending on what you do for work, consider letting your manager know. If your personal details could be used to access your employer’s information system for some malicious purpose, giving them notice might help them avoid trouble and might save you from taking the blame for some illegal activity. I would mostly recommend this if you work for some government agency, healthcare organization, or financial institution where malicious access could harm other people.

If you live in the US:

Contact credit bureaus and freeze your credit.

Pull your own credit reports from credit bureaus now and when offered take the credit monitoring if it’s offered for free.

Request a new ID card with updated picture and different ID number.

Contact your bank and notify them that your information has been leaked and follow whatever steps they give you to protect your account(s).

Perhaps consider joining a class action lawsuit if it is available.

You have some good responses so far.

Seconding freezing your credit.

Seconding changing all your passwords and using a password manager and literally everything else here.

The only thing I’m not seeing is to talk to your family about common scams and how to avoid them or be aware of them. You’ll start getting spam calls and emails now, and they’ll look pretty sophisticated. Be circumspect of everything coming your way.