Data breaches happen constantly. If your email or password has been leaked, acting quickly can prevent attackers from using those credentials before you do.
Step 1: Find Out What Was Leaked
Visit haveibeenpwned.com — enter your email address to see which breaches you've been included in and what data was exposed (passwords, phone numbers, addresses, etc.).
Step 2: Change the Leaked Password Immediately
Change your password on the breached service first. Use a unique, randomly generated password — at least 16 characters. Do not reuse this password anywhere.
Step 3: Check for Reused Passwords
If you used the same password on any other service, change it there too, immediately. Credential stuffing attacks replay leaked email-and-password pairs against hundreds of other services, often within hours of the stolen data starting to circulate. Start with your email account, banking, and anything that can reset other accounts' passwords.
This is the primary way one breach becomes ten compromised accounts.
Step 4: Enable 2FA on the Affected Accounts
If you haven't already, enable 2FA on every account where you've changed the password. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted by SIM swapping. If you don't have an app installed, 2faco.com can generate codes from your 2FA secret; keep in mind that the secret is the second factor itself, so whatever tool holds it is what an attacker would need to compromise. Move the secret to an app on a device you control as soon as you can.
Step 5: Check Your Email Inbox for Suspicious Activity
Look for password reset emails you didn't request, new device login notifications, or emails confirming changes you didn't make. Also check your mailbox's forwarding rules and filters: adding a rule that silently forwards or deletes mail is a common way attackers keep reading your email after you change the password. If you find any of these, the affected accounts need immediate attention.
Step 6: Review Connected Apps and Sessions
On major services, go to Settings → Security → Active sessions or Third-party apps. Sign out all devices except your current one, since changing a password does not always end sessions that are already logged in. Revoke access for apps you don't recognise, and confirm that the recovery email address and phone number on the account are still yours.
Step 7: Set Up a Password Manager
Credential stuffing only works because people reuse passwords. A password manager generates and stores a unique password for every service, so a breach at one site gives an attacker nothing that works anywhere else. The manager then becomes your most sensitive account: protect it with a long master passphrase you use nowhere else, and enable 2FA on it.
Going Forward
- ✓ Unique password for every account
- ✓ 2FA enabled on all important accounts
- ✓ Password manager in use
- ✓ Set up breach alerts at haveibeenpwned.com to be notified of future breaches
How to Find Out If You Have Been Breached
The fastest way to check is haveibeenpwned.com: enter your email address and it shows which known data breaches included your credentials. Check every email address you use. For passwords specifically, haveibeenpwned.com also lets you check whether a given password has appeared in a breach. It uses a k-anonymity method: the password is hashed with SHA-1 on your side and only the first five characters of the hash are sent, so the service returns every matching hash suffix it knows and the comparison happens locally. Your actual password is never transmitted. Many password managers now run this same check automatically and alert you when a saved password appears in a breach database.
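As an added example (not code from the original guide, and not Have I Been Pwned's own code), here is the client side of that k-anonymity check in Python. The "range response" below is constructed so the script runs offline: only the first suffix is the genuine SHA-1 tail of the string "password"; the count and the other two entries are invented. The `fetch_live` function shows the real request shape against api.pwnedpasswords.com but is never called by default.

```python
"""Client side of the Pwned Passwords k-anonymity check (added example).

Hash the password with SHA-1 locally, send only the first 5 hex characters
of the hash, receive every known suffix for that prefix with a breach count,
and compare on your own machine. The full hash never leaves the device.
"""
import hashlib
import urllib.request

# CONSTRUCTED stand-in for the API's response to /range/5BAA6.
# Real responses are "SUFFIX:COUNT" lines. The first suffix is the true
# SHA-1 tail of "password" so the demo finds it; the count and the other
# two lines are made up. A COUNT of 0 is a padding entry (the API adds
# them on request so that response size reveals nothing).
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003",
        "00AC9C5A7C3B4F9D2E1A6B8C7D5E4F3A2B1:2",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
    ]),
}


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.
    Only the 5-character prefix ever goes over the network."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a 'SUFFIX:COUNT' response body into {suffix: count}.
    Tolerates blank lines and either CRLF or LF line endings."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus; 0 means not seen.
    fetch_range(prefix) -> response body, injected so the check runs offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_constructed(prefix: str) -> str:
    """Offline fetcher backed by the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_live(prefix: str) -> str:
    """Real query. Add-Padding asks for dummy entries so every response is
    roughly the same size. Not called in this offline demo."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase nobody else uses"):
        n = breach_count(pw, fetch_constructed)
        verdict = f"seen {n} times, change it" if n else "not in the constructed corpus"
        print(f"{pw!r}: {verdict}")
```

To check a real password, pass `fetch_live` instead of `fetch_constructed`; the only thing that leaves the machine is the five-character prefix, which is shared by hundreds of unrelated passwords.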
Immediate Steps After a Breach
First, change the password on the breached site immediately. Second, if you used the same password anywhere else, change it on every site where you used it; check your password manager for reuse. Third, if the breach included payment information, contact your bank or card issuer and ask about monitoring or card replacement. Fourth, enable 2FA on the affected account if you have not already. Fifth, watch for phishing in the weeks that follow: attackers use the stolen addresses, and often the breach itself as a pretext ("your account was compromised, reset your password here"), to send targeted messages. Go to the site directly rather than following links in such emails.
Does 2FA Protect You After a Breach?
If your password was leaked but your 2FA is active, an attacker who tries to use the leaked password will be stopped at the 2FA verification step. They have the password but not the second factor. This is one of the clearest demonstrations of why 2FA matters: a breach of your password alone is not sufficient to access a 2FA-protected account. Note the limits, though. A phishing page that proxies the real login can relay a one-time code in real time, and SMS codes can be captured by SIM swapping. Authenticator apps resist the SIM-swap problem, and hardware security keys or passkeys, which are bound to the genuine site's domain, resist the phishing problem as well. Enable 2FA now, before a breach happens, rather than scrambling to add it after.
Password Reuse — The Amplifier of Breach Damage
The reason data breaches cause so much downstream damage is password reuse. If you use the same password for 10 sites and one site is breached, attackers will test that password on the other nine within hours — this is called credential stuffing. Using a unique password for every account limits a breach to the single site that was compromised. A password manager makes this practical by remembering the unique passwords for you.
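The reuse check in Step 3 and this section is easy to automate over a password-manager export. Here is an added example (not part of the original guide) in Python that groups accounts by password and, given the name of the breached account, lists every other account that must be changed. The CSV export and its column names are constructed for the demo; real managers use different layouts, so the field names are parameters. Exports are plaintext, so delete the file as soon as you are done.

```python
"""Find password reuse in a password-manager CSV export (added example).

Two questions after a breach:
  1. Which of my accounts share a password with each other at all?
  2. Account X was breached; where else must I change that password?
The report never prints a password: groups are keyed by a truncated
SHA-256 fingerprint, which is enough to tell "same" from "different".
"""
import csv
import hashlib
import io
from collections import defaultdict

# CONSTRUCTED export in a common "name,url,username,password" layout.
# Three accounts share one password; two have unique ones.
CONSTRUCTED_EXPORT = """name,url,username,password
Shop,https://shop.example,alice@example.com,Tr0ub4dor&3
Forum,https://forum.example,alice,Tr0ub4dor&3
Bank,https://bank.example,alice@example.com,9#kQv!pL2wZx$8mN
Mail,https://mail.example,alice@example.com,Tr0ub4dor&3
Streaming,https://tv.example,alice@example.com,correct horse battery staple
"""


def _rows(export_text: str) -> list:
    """Parse the CSV text into a list of dict rows (header row gives keys)."""
    return list(csv.DictReader(io.StringIO(export_text)))


def find_reused(export_text: str, password_field: str = "password",
                label_fields=("name", "username")) -> dict:
    """Return {fingerprint: [account labels]} for every password that is used
    on more than one account. Rows with an empty password are skipped."""
    groups = defaultdict(list)
    for row in _rows(export_text):
        pw = row.get(password_field) or ""
        if not pw:
            continue
        fingerprint = hashlib.sha256(pw.encode("utf-8")).hexdigest()[:12]
        label = " / ".join(row[f] for f in label_fields if row.get(f))
        groups[fingerprint].append(label)
    return {fp: accts for fp, accts in groups.items() if len(accts) > 1}


def accounts_sharing_password_with(export_text: str, account_name: str,
                                   name_field: str = "name",
                                   password_field: str = "password") -> list:
    """Given the account that was breached, list the OTHER accounts whose
    password is identical: these all need changing right now."""
    rows = _rows(export_text)
    matches = [r[password_field] for r in rows if r.get(name_field) == account_name]
    if not matches:
        raise KeyError(f"no account named {account_name!r} in the export")
    leaked = matches[0]
    return [r[name_field] for r in rows
            if r[password_field] == leaked and r.get(name_field) != account_name]


if __name__ == "__main__":
    for fp, accounts in find_reused(CONSTRUCTED_EXPORT).items():
        print(f"password {fp}... is reused on: {', '.join(accounts)}")
    breached = "Shop"
    print(f"{breached} was breached; also change: "
          f"{accounts_sharing_password_with(CONSTRUCTED_EXPORT, breached)}")
```

Run it against a real export by reading the file into `CONSTRUCTED_EXPORT`'s place; most managers can export CSV from their settings, and all of them will also import the new unique passwords you generate afterwards.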
Long-Term Monitoring
Data breaches often go unreported for months. Set up free monitoring to catch future breaches early: sign up for alerts on haveibeenpwned.com (free for individual email addresses), enable breach alerts in your browser or password manager, and regularly check the account settings of your most critical services for any unrecognised sign-ins or changes. Early detection dramatically limits the damage from a breach.