What to Do if Your Retailer Gets Breached — and How to Spot a Fake Subscription Trap
June 24, 2026

June brought a wave of data breaches at major retailers, along with a reminder that fake subscriptions are still one of the easiest scams to pull off. Here's what happened, why it matters, and what you can actually do about it.
When Large Companies Get Hacked
In June 2026, hackers breached Madison Square Garden Sports (nearly 10 million accounts), JCPenney (368,000 employee accounts), and Ralph Lauren (140,000 customer accounts). These weren't subtle attacks. In MSG Sports' case, the hackers made their intentions clear — they stole the data as part of an extortion scheme, demanding payment to keep it private.
What did the hackers get? Names, email addresses, dates of birth, phone numbers, and in JCPenney's case, Social Security numbers. This is the kind of information that makes identity theft possible.
Here's the thing: you can't prevent a company from being hacked. You can only respond when it happens.
How to Know If You Were Affected
If you have an account with any of these companies, the simplest move is to check a free service called Have I Been Pwned. Go to haveibeenpwned.com, enter your email address, and it will tell you which breaches it's been exposed in. You'll get a clear yes or no. No sign-up required.
If your information was stolen, don't panic. Being in a breach doesn't mean someone has already used your data. It means they could. That's why the next step matters.
What to Do Right Now
First, change your password for that company's account. Make it a strong password — at least 12 characters, with a mix of uppercase, lowercase, numbers, and symbols. If you used the same password anywhere else, change those accounts too.
Second, monitor your accounts for suspicious activity. Check credit card statements for charges you don't recognize. If your Social Security number was exposed (as in the JCPenney breach), consider placing a fraud alert with the credit bureaus. This is free and tells lenders to verify your identity before opening new accounts in your name.
Third, watch your email for scams. Hackers who steal your email address will often send you fake messages pretending to be from the breached company. These look real but are designed to steal your password or trick you into clicking a malicious link. If you get an email about "confirming your account" after hearing about a breach, don't click links in the email. Instead, go directly to the company's website by typing the address yourself.
The Subscription Scam You Should Know About
While retail breaches grabbed headlines, the FTC was busy suing a company called Genesis Tech for running fake subscription traps. Here's how these work: you sign up for a service (a free trial of something, a discount tool, a cleaning app — whatever). The terms are hidden in fine print, and what you think is a one-time purchase actually enrolls you in a recurring monthly charge.
Then comes the hard part: canceling. Genesis Tech and similar operations made it deliberately difficult to stop the charges. You'd need to jump through hoops, call a number that doesn't answer, or find a "cancel" button that doesn't exist.
These scams work because they rely on inertia. They count on people noticing the $9.99 charge, shrugging, and moving on rather than fighting to cancel.
How to Spot the Trap Before You Get Caught
When you sign up for anything online, especially anything free, treat it like a contract negotiation. Before you click "sign up" or "agree," find the actual terms. Look for words like "recurring," "monthly," or "automatically renew." If you can't find these terms before committing, that's a red flag.
If the fine print is genuinely hard to read or seems intentionally buried, it's probably a trap. Real companies make it simple to understand what they're charging you for.
If you do get hit with mystery charges, call your bank or credit card company first. They can dispute the charge and often will refund you. You don't have to win an argument with the scammer — your card issuer's job is to protect you from fraud.
One More Thing About Your Streaming Devices
Researchers also found that millions of Android TV boxes were infected with malware. These are budget streaming devices you might use to access free movies or sports. The malware was sold through a company that promised to unlock free service, but instead stole data and gave hackers access to devices.
If you use a cheap streaming box, make sure it has security updates turned on. Check the settings menu for an "automatic updates" option and enable it. You're unlikely to get a virus from a legitimate streaming service (Netflix, Disney+, YouTube TV). You're more likely to get one from devices sold cheap with promises they'll unlock premium services for free.
None of these situations is your fault. Companies should protect data. Scammers shouldn't exist. But they do. Knowing the difference between a real breach and a fake subscription trap puts you ahead of the game.
Sources
Madison Square Garden Sports - 9,796,738 breached accounts (Have I Been Pwned)
JCPenney - 368,418 breached accounts (Have I Been Pwned)
Ralph Lauren - 139,903 breached accounts (Have I Been Pwned)
FTC Sues to Stop Sprawling Enterprise Operating Unlawful Subscription Schemes (FTC Consumer Alerts)
Popa Botnet Linked to Publicly-Traded Israeli Firm (Krebs on Security)