Your password was in a data breach: what to do

Sooner or later, every site you've used will be breached. Yahoo. LinkedIn. Adobe. Target. Equifax. T-Mobile. The list keeps growing. When a breach happens, your password and other info show up on the dark web within days. Here's exactly what to do, in what order, to limit the damage.

How to check if your password was breached

Have I Been Pwned (free)

1. Go to haveibeenpwned.com.
2. Enter your email address.
3. You'll see a list of every known breach that included your email.
4. Run this for every email address you use.

The site is run by Troy Hunt, a respected security researcher. Totally legitimate. The site does NOT store your email or tell anyone you checked.

Your browser's built-in checker

Chrome, Edge, Firefox, and Safari all warn you when a saved password appears in a breach. Look for the notification in the address bar or settings.

• Chrome: Settings > Autofill > Passwords > Check passwords.
• Safari: Settings > Passwords > look for the warning triangle.
• Edge: Settings > Profiles > Passwords > Password Monitor.
• Firefox: Settings > Privacy & Security > Logins and Passwords.

Your password manager

1Password, Bitwarden, Apple Passwords, and Google Passwords all show you which of your saved passwords appeared in known breaches. Check the security audit / watchtower / health check feature.

What to do, in order

Step 1: Change the password on the breached site

1. Go to the site directly (type the URL; don't click email links).
2. Sign in.
3. Find Account > Password.
4. Set a new password. Use your password manager to generate a random one.
5. Save the new password to your manager.

Step 2: Turn on 2FA

If the breached site offers two-factor authentication, turn it on. Even if a scammer has your password, 2FA blocks them.

• Use an authenticator app (Google Authenticator, Authy, your password manager) rather than SMS where possible. SMS 2FA can be bypassed with SIM swapping.
• Save backup codes somewhere safe.

See our 2FA guide for setup.

Step 3: Change reused passwords everywhere

Scammers test breached passwords on other major sites (banks, email, Amazon). If you used the same password elsewhere, those accounts are at risk too.

1. In your password manager, search for that password.
2. Anywhere else it's used, change to unique random passwords.
3. Prioritize: email, banking, Amazon, social media first.

Step 4: Check your accounts for unfamiliar activity

• Bank: log in and look at recent transactions.
• Credit cards: look for unfamiliar charges.
• Email: check for unfamiliar sent items or password reset emails.
• Amazon: check recent orders, including digital purchases.
• Pay attention to anything from the last 30 days.

Step 5: If sensitive info was exposed, freeze credit

If the breach exposed SSN, full credit card numbers, driver's license, or financial info: freeze your credit at all 3 bureaus. See our credit freeze guide.

Step 6: Watch for scams that use breach data

After a breach, scammers use your leaked info to make scams more convincing. Watch for:

• Emails that know your name, address, and partial card number
• Phone calls that reference real account details
• Phishing emails pretending to be from the breached company itself
• "Your account was breached, click here to verify" emails (the breach happened; these "verification" emails are often follow-up scams)

What kinds of data get exposed in breaches

Different breaches expose different things:

• Email + password: the most common. Change those passwords.
• Email + hashed password: still risky; many "hashed" passwords get cracked.
• Personal info (name, address, phone, DOB): can't be changed. Watch for targeted scams.
• Social Security number: freeze credit immediately.
• Driver's license number: consider notifying DMV; some states offer fraud alerts.
• Credit card numbers: contact the card company to cancel and reissue.
• Bank account numbers: alert your bank; they may reissue.
• Medical info: rare in breaches but increasing. Hard to fix; watch for medical identity theft.

The "I'll just change it later" trap

Most people delay. They think "I'll get to it" and the breach data circulates in the meantime. Scammers can hit you in the window between breach disclosure and your password change.

If you get a breach notification:

• Take 15 minutes that day to do the basic steps.
• The longer you wait, the higher the risk of damage.
• If you can't do it that day, at least change the password on the breached account.

How to prevent future damage

Use a password manager (must do)

Every site gets a unique random password. When one site breaches, only that account is at risk. See our password manager guide.

Turn on 2FA everywhere

Especially: email, banking, Amazon, social media, retirement accounts. See our 2FA guide.

Freeze your credit

Even if no breach has hit you specifically, freezing your credit prevents the worst damage (new accounts in your name). See our freeze guide.

Use unique email aliases for accounts

Apple's Hide My Email (iCloud+) and Firefox Relay give you disposable email addresses. Each site gets a different alias; when one breaches, you know exactly which one and can disable that alias.

Set up free credit monitoring

Credit Karma (free) and your credit card companies' free monitoring alert you to new accounts. Useful complement to a freeze.

Keep your operating system updated

Security patches matter. Update iPhone, computer, and other devices regularly.

How long do leaked passwords stay dangerous?

Forever, until you change them. Breach data circulates on the dark web indefinitely. A 10-year-old breach can still be used today if you haven't changed the password since.

This is why password managers and unique passwords matter so much. With them, an old breach is harmless because that password is no longer used anywhere.

Common breach myths

"I'm not important enough to be a target"

You don't need to be famous. Scammers run automated attacks on millions of accounts looking for any successful login. You're a target because your email exists, not because of who you are.

"I have nothing to hide"

The issue isn't hiding; it's preventing scammers from buying things with your credit, opening accounts in your name, or holding your data ransom.

"Changing my password should be enough"

For the breached site, yes. For your overall security, password change + 2FA + unique passwords elsewhere + credit freeze is the full set.

"Big companies will tell me right away"

They often don't. Some breaches go undisclosed for years. Use Have I Been Pwned to find out about ones you weren't told about.

What to do if you can't access the breached account

If the scammer changed the password before you noticed:

1. Use the site's password recovery flow.
2. If they changed the recovery email too: contact the site's customer service.
3. For email accounts: each provider has account recovery (Google, Apple, Microsoft).
4. For financial accounts: call the bank directly. They have dedicated fraud lines.
5. For social media accounts: each platform has a hacked account recovery flow.
6. If the account is unrecoverable: report identity theft and create new accounts.

5 things to do this week

1. Check your email at haveibeenpwned.com.
2. If there are breaches you didn't know about, change those passwords today.
3. If you reuse any passwords, start replacing them with unique ones (use a password manager).
4. Turn on 2FA on your email and bank.
5. Freeze your credit if you haven't (see our credit freeze guide).