Security guide

What to Do When Your Password Is Breached

A data breach can happen to anyone. What matters is how quickly you respond once you learn about it.

Check whether you were breached

If you receive a breach notification email from a service, or a login alert appears from an unfamiliar location, you should suspect a breach.

It's also good to periodically use a breach-lookup service that tells you whether your email is included in a known breach.

What to do immediately

If you've confirmed a breach, work through these steps quickly and in order.

  • Immediately change the password on that site
  • Change it on every other site where you used the same password
  • Turn on two-factor authentication (2FA) on accounts that support it
  • Check your payment history and login records for any unusual activity

The risk of reusing the same password

An email-and-password combination leaked from one site is immediately and automatically tried against the logins of other sites (credential stuffing). That is how a breach in one place cascades into damage across many accounts.

If you use a completely different password on every site, even if one leaks the damage stays confined to that single site.
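
An added example, not part of the original guide: one way to find every other site that shares the breached password, working from a password-manager CSV export. The column names (name, username, password) and the sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample export. The column names are an assumption:
# adjust them to match your password manager's CSV format.
SAMPLE_EXPORT = """name,username,password
shop.example,alice@example.com,Tr0ub4dor&3
forum.example,alice@example.com,Tr0ub4dor&3
mail.example,alice@example.com,q7#Lw!9vZp2e
bank.example,alice,Tr0ub4dor&3
news.example,alice@example.com,horse-battery-42
video.example,alice2,horse-battery-42
"""


def reuse_clusters(export_csv):
    """Return lists of site names that share one password (2+ sites only)."""
    # Group on a keyed digest instead of using plaintext passwords as
    # dictionary keys; nothing this function returns contains a password.
    key = secrets.token_bytes(32)
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        pw = row["password"].encode("utf-8")
        groups[hmac.new(key, pw, hashlib.sha256).digest()].add(row["name"])
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


def sites_to_change(export_csv, breached_site):
    """Every other site that shares a password with the breached site."""
    affected = set()
    for cluster in reuse_clusters(export_csv):
        if breached_site in cluster:
            affected.update(cluster)
    affected.discard(breached_site)
    return sorted(affected)  # empty list: the damage stays on that one site


if __name__ == "__main__":
    print("Also change:", sites_to_change(SAMPLE_EXPORT, "shop.example"))
    for cluster in reuse_clusters(SAMPLE_EXPORT):
        print("Shared password:", ", ".join(cluster))
```

Delete the exported CSV as soon as the audit is done, since it holds every password in plaintext.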

Preventing it going forward

The following habits prevent a recurrence.

  • Use a password manager for a unique, strong password on every site
  • Keep two-factor authentication on for important accounts at all times
  • Check regularly with a breach-monitoring service
  • Delete old accounts you no longer use