Found your password in a data breach or suspect someone accessed your account? Here is what to secure first, which accounts to prioritize, and what to check.
Finding out that your password appeared in a breach can be unsettling. It does not automatically mean someone is reading your email or taking money from your account right now. Sometimes it is an old breach from an online shop, forum, or service you used years ago.
The risk is higher if you reused the same password elsewhere. Attackers know this and often try leaked login details across email, social media, online banking, shops, and workplace tools.
The important thing is to work in the right order rather than in a panic. Secure the accounts that can unlock other services first, then replace reused passwords, enable two-factor authentication, and review recent logins, devices, and security settings.
What to do right away
If you do not have time to read the whole guide, start here:
- Change the password on the account affected by the breach. Do not just add a number, symbol, or current year.
- If you used the same or a very similar password elsewhere, change it there too.
- Prioritize email, your password manager, banking, payment services, social media, and work accounts.
- Enable two-factor authentication.
- Sign out devices you do not recognize. For important accounts, sign out of all devices and sign back in only where you actually use the account.
- Check whether anyone changed recovery email addresses, phone numbers, forwarding rules, or other security settings.
- If card details may have leaked or you see a suspicious payment, call your bank and ask what to do next.
Your new password should be truly new. If SummerHoliday2025! leaked, do not use SummerHoliday2026!. Create a long, unique password that you do not use anywhere else.
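As an added illustration of the "truly new" rule (example code, not part of the original guide), here is a check of the kind a password manager can run to flag a new password that is only a cosmetic edit of the leaked one. The stem normalisation rules and the 0.8 similarity threshold are assumptions of this example, not a published standard.

```python
import re
from difflib import SequenceMatcher

# Common letter-for-symbol swaps people use to "disguise" the same word (assumed list).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})


def stem(password: str) -> str:
    """Reduce a password to the core that people keep when they 'change' it:
    lowercase, drop the trailing year/symbol run, undo leet swaps, trim symbols."""
    s = password.lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # strips "2025!", "123", "!!" at the end
    s = s.translate(LEET)              # $ummerH0liday -> summerholiday
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def is_trivial_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is really `old` with cosmetic edits, i.e. a replacement
    that gives no protection once `old` has appeared in a breach."""
    if old == new:
        return True
    old_stem, new_stem = stem(old), stem(new)
    if len(old_stem) >= 4 and old_stem == new_stem:
        return True
    # Also catch small edits inside the core (one letter changed, ending swapped).
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


if __name__ == "__main__":
    leaked = "SummerHoliday2025!"   # constructed sample, the guide's own example
    for candidate in ("SummerHoliday2026!", "$ummerH0liday2026", "correct horse battery staple"):
        verdict = "rejected" if is_trivial_variation(leaked, candidate) else "accepted"
        print(f"{candidate!r}: {verdict}")
```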
First, understand what happened
Not every breach carries the same risk. There is a difference between:
- a service announcing a data breach,
- finding your email address in a breach database,
- your browser or password manager warning about a compromised password,
- getting an alert about a login from an unknown device,
- someone changing account settings or sending messages in your name.
If only your email address appeared in a breach, the account may not be compromised. Still, expect more spam or phishing attempts. If you see an unknown login, changed password, email forwarding, or sent messages, treat it as active account abuse.
The service Have I Been Pwned is often used to check known breaches. For passwords, it is safer to use your password manager or browser, which can compare passwords against breach databases without sending the full password in readable form.
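As an added example (not code from the original guide or from Have I Been Pwned), here is how that partial-hash check works: only the first five characters of the password's SHA-1 hash are sent to the Pwned Passwords range endpoint, and the comparison against the returned hash suffixes happens on your own device. The sample range response below is constructed so the logic runs offline; the live fetch function uses the public endpoint.

```python
import hashlib
import urllib.request


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split it into the 5-hex-char prefix that is sent
    to the service and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how often the
    password's full hash was seen in breaches (0 = not in this range)."""
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: only the prefix is transmitted, so the service cannot tell
    which of the several hundred returned hashes belongs to your password."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample response (not real API output): the suffix of the guide's
# example password plus two unrelated suffixes that share the same prefix.
LEAKED_SUFFIX = split_hash("SummerHoliday2025!")[1]
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{LEAKED_SUFFIX}:4212",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])

if __name__ == "__main__":
    print(breach_count("SummerHoliday2025!", SAMPLE_RANGE))            # 4212
    print(breach_count("correct horse battery staple", SAMPLE_RANGE))  # 0
```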
Step 1: secure your email
Email is often the most important account because it is used to reset passwords for other services. If someone gets into your email, they can request reset links from other sites and gradually take over more accounts.
In your email account, do the following:
- change the password to a completely new and unique one,
- enable 2FA, ideally with an authenticator app or security key,
- review signed-in devices and recent logins,
- sign out unknown devices, old phones, and computers you no longer use,
- check forwarding rules and filters,
- verify the recovery email address and phone number,
- review sent mail to see whether someone contacted people in your name.
If you use a password manager, save the new password there. If you do not use one yet, email is one of the first accounts where a password manager is worth it.
Step 2: change the password everywhere it was reused
Password reuse is the biggest problem after a breach. Attackers often do not stop at the breached service. They try the same password on email, social networks, shops, streaming services, and workplace tools.
If you are not sure where you used it, check saved passwords in your browser or password manager. Look for the same password, close variations, and accounts where abuse would cause the most damage.
Prioritize:
- Email and password manager.
- Banking, payment services, accounting, and shops with a saved card.
- Social media and messaging apps.
- Work accounts, admin panels, and cloud storage.
- Other services where you may have reused the password.
Set a different password for every account. For practical guidance, see How to create a strong password.
Step 3: enable two-factor authentication
Two-factor authentication adds a second step to signing in. Even if someone knows the password, they still need a code, app approval, or security key.
For most people, an authenticator app is the best balance of security and convenience. SMS is better than nothing, but if a service offers an app or security key, prefer that.
When you enable 2FA, save the recovery codes immediately. Put them in a password manager or another safe place, not in an unlocked note on your phone.
Step 4: check active sessions and devices
Changing a password does not always sign out existing sessions. In account settings, look for items such as signed-in devices, active sessions, security activity, recent logins, connected apps, or authorized devices.
Sign out anything you do not recognize: an unknown phone, old laptop, login from an unfamiliar location, or a device name that means nothing to you. For important accounts, it is reasonable to sign out everywhere and sign back in only on devices you use.
Also review third-party apps. If you see something you do not use or recognize, revoke its access.
Step 5: check payments and personal data
If the breach involved a service where you store a card, orders, or billing details, review recent payments, saved cards, shipping addresses, invoices, new orders, and changes to phone or email details.
If you see a suspicious payment, contact your bank or card issuer. They can review transactions, temporarily block a card, advise on a chargeback, or issue a new card.
If documents, national identifiers, or other sensitive data may have leaked, follow the instructions from the service that reported the breach.
Step 6: move to a password manager
If you have been using one password in several places, the best fix is to change the habit. A password manager lets you use a different, long, random password for every account without memorizing them.
Start with the most important accounts, generate a new password for each one, and enable 2FA where available. You do not have to fix your entire digital life in one evening.
What not to do
- do not change the password to a slight variation of the old one,
- do not send passwords through chat or email,
- do not type passwords into unknown "checking" websites,
- do not ignore alerts from your browser or password manager,
- do not reuse the same new password everywhere,
- do not forget to sign out unknown devices.
FAQ
Do I need to change my password if only my email address leaked?
Not always. An email address is not a password. But if the service reported leaked passwords, your browser warned you about a compromised password, or you reused the same password elsewhere, change it.
Is enabling 2FA enough without changing the password?
No. If the password leaked, change it. 2FA lowers the risk a lot, but there is no reason to keep a password that you know appeared in a breach.