Your Account Was in a Data Breach — What to Do Right Now

Data breaches happen constantly. If your email address or password has been leaked, acting quickly can lock attackers out before they get around to trying those credentials against your accounts.

Step 1: Find Out What Was Leaked

Visit haveibeenpwned.com — enter your email address to see which breaches you've been included in and what data was exposed (passwords, phone numbers, addresses, etc.).

Step 2: Change the Leaked Password Immediately

Change your password on the breached service first. Use a unique, randomly generated password — at least 16 characters. Do not reuse this password anywhere.

Step 3: Check for Reused Passwords

If you used the same password on any other service, change it there too — immediately. Credential stuffing attacks try leaked credentials on hundreds of services within hours of a breach becoming available.

This is the primary way one breach becomes ten compromised accounts.

Step 4: Enable 2FA on the Affected Accounts

If you haven't already, enable 2FA on every account where you've changed the password. Use an authenticator app rather than SMS, since SMS codes can be intercepted through SIM-swap attacks. If you don't have an app yet, 2faco.com can generate codes instantly; bear in mind that a web-based generator means the account's 2FA secret is entered into a website rather than held only on your device, so move the secret into an app you control as soon as you can.

Step 5: Check Your Email Inbox for Suspicious Activity

Look for password reset emails you didn't request, new device login notifications, or emails confirming changes you didn't make. If you find any, the affected accounts need immediate attention.

Step 6: Review Connected Apps and Sessions

On major services, go to Settings → Security → Active sessions or Third-party apps. Sign out all devices except your current one and revoke access for apps you don't recognise. Do this even after changing the password: a password change does not always invalidate existing sessions or app tokens, so an attacker who logged in before the change may still be signed in.

Step 7: Set Up a Password Manager

Credential stuffing works because of password reuse. A password manager generates and stores a unique password for every service, so a breach of one site gives attackers nothing that works anywhere else. It does not protect you from phishing or from malware on your device, but it removes the reuse that this class of attack depends on.

Going Forward

  • ✓ Unique password for every account
  • ✓ 2FA enabled on all important accounts
  • ✓ Password manager in use
  • ✓ Set up breach alerts at haveibeenpwned.com to be notified of future breaches

How to Find Out If You Have Been Breached

The fastest way to check is haveibeenpwned.com: enter your email address and it shows which known data breaches included your credentials. Check every email address you use. For passwords specifically, haveibeenpwned.com also lets you check whether a specific password has appeared in a breach. It uses a k-anonymity method: your browser hashes the password with SHA-1 and sends only the first five characters of that hash, the service returns every breached hash suffix that begins with those five characters, and the match is made locally, so neither the password nor its full hash is ever transmitted. Many password managers now automatically alert you when a saved password appears in a breach database.
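The k-anonymity exchange described above, as an added example rather than code from haveibeenpwned.com: the client hashes the password, sends only the five-character prefix, and compares suffixes locally. The endpoint URL and the Add-Padding header are the ones the public Pwned Passwords API documents; the range response used in the demo is constructed here and labelled as such, so the block runs offline.

```python
"""Client side of a Pwned Passwords k-anonymity range query (added example)."""
import hashlib
import urllib.request
from typing import Optional

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our own suffix.

    The server only ever learned the prefix, which it shares with hundreds of
    other hashes; the comparison that reveals a match happens here.
    """
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one prefix bucket (not called by the offline demo).

    Add-Padding asks the API to pad every response to a similar size so an
    observer on the network cannot infer the bucket from the response length.
    """
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, range_body: Optional[str] = None) -> int:
    """Breach count for `password`; 0 means it is not in the corpus.

    Pass `range_body` to check against a captured response without network.
    """
    prefix, suffix = split_hash(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(body, suffix)


# Constructed range response for the "5BAA6" bucket (not real API output).
# The first two lines imitate padding entries (count 0); the last line is
# the real suffix of SHA-1("password") with a made-up count.
_PASSWORD_SUFFIX = split_hash("password")[1]
CONSTRUCTED_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:0\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\n"
    f"{_PASSWORD_SUFFIX}:3861493\n"
)

if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(f"sent to server: {prefix}  kept local: {suffix}")
    print("breach count:", check_password("password", CONSTRUCTED_RANGE_5BAA6))
```

Run it as a script to see the split; call check_password with no range_body to query the live API for a password you actually want to check.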

Immediate Steps After a Breach

First, change the password on the breached site immediately. Second, if you used the same password anywhere else, change it on every site where you used it — check your password manager for reuse. Third, if the breach included payment information, contact your bank or card issuer and ask about monitoring or card replacement. Fourth, enable 2FA on the affected account if you have not already. Fifth, watch for phishing emails in the weeks following a breach — attackers often use stolen email addresses to craft targeted phishing messages.

Does 2FA Protect You After a Breach?

If your password was leaked but your 2FA is active, an attacker who tries to use the leaked password will be stopped at the 2FA verification step. They have the password but not the second factor. This is one of the clearest demonstrations of why 2FA matters: a breach of your password alone is not sufficient to access a 2FA-protected account. One caveat: SMS and authenticator-app codes can still be phished in real time by a fake login page that relays them, and SMS can be hijacked through a SIM swap, so a hardware security key gives the strongest protection; any 2FA is still far better than none. Enable 2FA now, before a breach happens, rather than scrambling to add it after.

Password Reuse — The Amplifier of Breach Damage

The reason data breaches cause so much downstream damage is password reuse. If you use the same password for 10 sites and one site is breached, attackers will test that password on the other nine within hours — this is called credential stuffing. Using a unique password for every account limits a breach to the single site that was compromised. A password manager makes this practical by remembering the unique passwords for you.
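A practical way to do the reuse check this section and the "check your password manager for reuse" step call for, as an added example rather than any password manager's own tooling: most managers export a CSV with name, url, username and password columns (those column names are an assumption here), and a short script can report which sites share a password and therefore fall together when one of them is breached. The export below is constructed sample data.

```python
"""Detect password reuse in a password-manager CSV export (added example)."""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export, not a real vault; column names are an assumption.
SAMPLE_EXPORT = """\
name,url,username,password
Shop,https://shop.example,alice@example.com,Tr0ub4dor&3
Forum,https://forum.example,alice,Tr0ub4dor&3
Bank,https://bank.example,alice@example.com,gX9#pL2!vQ7wR4tY
Webmail,https://mail.example,alice@example.com,Tr0ub4dor&3
Streaming,https://tv.example,alice@example.com,ZqP3!mN8@kLw
"""


def _fingerprint(password: str) -> str:
    """Short SHA-256 prefix so the report never contains the passwords themselves."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(export_csv: str, password_field: str = "password",
               site_field: str = "name") -> dict[str, list[str]]:
    """Return {fingerprint: [sites]} for every password used on more than one site."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        pw = row.get(password_field) or ""
        if not pw:
            continue
        groups[_fingerprint(pw)].append(row.get(site_field) or row.get("url") or "?")
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def accounts_at_risk(export_csv: str, breached_site: str,
                     password_field: str = "password",
                     site_field: str = "name") -> list[str]:
    """Sites that share a password with `breached_site`: the credential-stuffing
    blast radius, i.e. the accounts to rotate immediately after that breach."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    breached_pw = {r[site_field]: r[password_field] for r in rows}.get(breached_site)
    if not breached_pw:
        return []
    return [r[site_field] for r in rows
            if r[site_field] != breached_site and r[password_field] == breached_pw]


if __name__ == "__main__":
    for fp, sites in find_reuse(SAMPLE_EXPORT).items():
        print(f"password {fp}... reused on: {', '.join(sites)}")
    print("if Shop is breached, also rotate:", accounts_at_risk(SAMPLE_EXPORT, "Shop"))
```

Feed it your real export, then delete the export file: a plaintext CSV of every password is exactly the kind of artifact that should not sit in a Downloads folder.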

Long-Term Monitoring

Data breaches often go unreported for months. Set up free monitoring to catch future breaches early: sign up for alerts on haveibeenpwned.com (free for individual email addresses), enable breach alerts in your browser or password manager, and regularly check the account settings of your most critical services for any unrecognised sign-ins or changes. Early detection dramatically limits the damage from a breach.

Related Articles

The First 24 Hours: What to Do Immediately

If you discover that a service you use has been breached, speed matters. Within the first 24 hours: change your password on the breached service immediately, change your password on any other service where you used the same or similar password, and enable 2FA on the breached service if you had not already. Check your email for alerts from the service about the breach, and verify the alert is genuine by going directly to the service's website rather than clicking email links. Use Have I Been Pwned (haveibeenpwned.com) to check if your email address appears in known data breaches and set up alerts for future breaches.

What Data Was Exposed: Understanding the Risk Level

Not all breaches are equal. A breach of hashed passwords is less immediately dangerous than a breach of plaintext passwords, but the password should still be changed: common or short passwords stored with fast, unsalted algorithms such as MD5 or SHA-1 are typically cracked within hours of a dump appearing, and even well-protected hashes can be cracked given time. A breach exposing your Social Security Number, date of birth, address, and credit card numbers requires immediate action at the credit bureau level. Place a fraud alert with one of the three major credit bureaus (Experian, Equifax, TransUnion); the bureau you contact is required to pass the alert to the other two. Consider a security freeze as well: it blocks lenders from pulling your credit report, which stops most new credit from being opened in your name until you lift the freeze. In the US, these are free and can be placed online in minutes.
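Why "only hashed passwords leaked" still means change them, and why a hash dump stays useful to attackers for years (see the FAQ below), as an added example and not data from any real breach: with an unsalted fast hash the attacker hashes a wordlist once and looks every user up in it, while a salted, slow KDF forces the full cost to be paid again for every user and every guess. The wordlist, user list and iteration counts are constructed for the demo; 600,000 is the PBKDF2-HMAC-SHA256 iteration count OWASP currently recommends, and the demo uses a much lower count only so it runs quickly.

```python
"""Offline cracking of leaked hashes: unsalted fast hash vs salted slow KDF (added example)."""
import hashlib
import os

# Constructed wordlist and leaked users; none of this is real breach data.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Tr0ub4dor&3"]
PLAINTEXTS = {"alice": "password", "bob": "letmein", "carol": "gX9#pL2!vQ7wR4tY"}
# What a site storing unsalted SHA-1 would leak: {user: hex digest}.
LEAKED_SHA1 = {u: hashlib.sha1(p.encode("utf-8")).hexdigest() for u, p in PLAINTEXTS.items()}
OWASP_PBKDF2_SHA256_ITERATIONS = 600_000  # recommended; the demo uses far fewer


def crack_unsalted(leaked: dict[str, str], wordlist: list[str], algo: str = "sha1"):
    """Return (recovered, hash_ops).

    The wordlist is hashed exactly once; every user's hash is then a dictionary
    lookup. Without a salt the work is shared across the whole dump, which is
    why unsalted MD5/SHA-1 dumps are cracked en masse within hours.
    """
    table = {}
    for word in wordlist:
        table[hashlib.new(algo, word.encode("utf-8")).hexdigest()] = word
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def store_salted(plaintexts: dict[str, str], iterations: int):
    """Salted slow hashes as a site should store them: {user: (salt, digest)}."""
    records = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
        records[user] = (salt, digest)
    return records


def crack_salted(records: dict[str, tuple[bytes, bytes]], wordlist: list[str], iterations: int):
    """Return (recovered, hash_ops).

    Each guess must be recomputed per user with that user's salt, and each
    computation costs `iterations` rounds, so total cost scales with
    users x guesses x iterations instead of just guesses.
    """
    recovered, ops = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, iterations) == digest:
                recovered[user] = word
                break
    return recovered, ops


if __name__ == "__main__":
    found, ops = crack_unsalted(LEAKED_SHA1, WORDLIST)
    print(f"unsalted SHA-1: recovered {found} with {ops} hash operations")
    demo_iters = 10_000  # deliberately low so the demo finishes quickly
    found, ops = crack_salted(store_salted(PLAINTEXTS, demo_iters), WORDLIST, demo_iters)
    print(f"salted PBKDF2: recovered {found} with {ops} x {demo_iters} rounds")
```

Carol's strong password survives both runs because it is not in the wordlist; alice and bob fall either way, which is the point of the advice above: the hashing scheme buys time, but a weak or reused password gets recovered regardless, so change it.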

Protecting Your Password Manager After a Breach

If your password manager is breached (LastPass suffered a significant breach in 2022), treat it with particular seriousness. Security researchers advised changing every password stored in the vault, not just the master password, because encrypted vault data was obtained. Changing your master password only protects future copies of the vault: the stolen copy remains encrypted under the old master password, and attackers can guess against it offline for as long as they like, with short or reused master passwords falling first. So change the master password immediately, then generate new passwords for the accounts in the vault, most critical first (email, banking, and anything used to reset other accounts).

Frequently Asked Questions

Should I trust the company's breach notification? Verify breach reports through independent sources (news articles, Have I Been Pwned, the company's official security blog) before taking action on emails. Attackers send fake breach notification phishing emails that include malicious links.

How long does breach data remain useful to attackers? Password hashes can be cracked weeks, months, or even years after a breach. Email addresses and personal details remain useful indefinitely for phishing and social engineering. Assume any data exposed in a breach is in permanent circulation on cybercriminal forums.

Can I sue a company for a data breach? In some jurisdictions, yes — particularly for breaches involving healthcare data or where the company was demonstrably negligent. Class action lawsuits following major breaches are common in the US, but individual compensation is typically small and litigation is slow.