Incident response

Your Account Was in a Data Breach: A Calm 7-Step Plan

By Sophie Bennett · 8 min read

A breach notification feels alarming, but it is rarely a crisis. The plan is straightforward: change the password on the affected account, switch on two-factor authentication, make sure you have not reused that password anywhere else, and stay alert for follow-on scams. Work through the seven calm steps below and you will have contained the situation in well under an hour.

First, take a breath

Most breaches involve a company's systems, not your personal devices. Often what leaks is limited — an email address, a username, perhaps an old password hash. That does not mean you should ignore it, but it does mean you can act methodically rather than in a panic. Clear, deliberate steps beat frantic ones every time.

The 7-step plan

1. Confirm the notice is genuine

Scammers love to imitate breach alerts. Do not click links in the message. Instead, open the company's website yourself by typing the address, or use a bookmark, and check your account and any official announcement there. If the warning came from your browser or password manager, that is usually trustworthy.

2. Change the password on the affected account

Sign in the way you normally would and set a brand-new password — not a small tweak of the old one. Make it long and random. Our password generator creates a strong one entirely in your browser, and our password analyser can confirm it is solid before you save it.

3. Turn on two-factor authentication

If the account is not already protected by a second step, add one now, choosing an authenticator app or passkey over text messages where possible. This means a leaked password alone can no longer open the account. Our guide to two-factor authentication and passkeys explains how to pick the strongest option.

4. Check where else that password was used

This is the step people skip and later regret. If you used the same or a similar password elsewhere, those accounts are now at risk too. Change every one of them to its own unique password. If they were already unique, you only have the single breached account to worry about — which is exactly why unique passwords matter so much.
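The "same or a similar password" check in step 4 is easy to do mechanically over a password-manager export. The script below is an added example, not part of this article or any product it mentions: it runs over a constructed, made-up vault and flags entries that match the breached password exactly or differ only by a trivial tweak (case, a year or symbol tacked on the end).

```python
import re
from typing import List, Tuple

# Constructed sample of a password-manager export: (site, username, password).
# None of these are real credentials; they exist only for this example.
VAULT = [
    ("shop.example", "sophie", "Sunflower2019!"),
    ("mail.example", "sophie", "Sunflower2020"),
    ("forum.example", "sophie_b", "sunflower"),
    ("bank.example", "sophie", "kQ7#vR2p!mZ9wL4e"),
]


def normalise(password: str) -> str:
    """Collapse the small tweaks people make when 'changing' a password:
    case differences and trailing digits/symbols (2019 -> 2020, adding '!')."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def find_reuse(breached_password: str, vault) -> List[Tuple[str, str]]:
    """Return (site, kind) for every vault entry that is identical to the
    breached password or is a near-variant of it under normalise()."""
    hits = []
    base = normalise(breached_password)
    for site, _user, pw in vault:
        if pw == breached_password:
            hits.append((site, "identical"))
        # Guard on 'base': an all-digit password normalises to "", and an
        # empty string must not match every other all-digit password.
        elif base and normalise(pw) == base:
            hits.append((site, "near-variant"))
    return hits


if __name__ == "__main__":
    for site, kind in find_reuse("Sunflower2019!", VAULT):
        print(f"{site}: {kind} - give this account its own new password")
```

Each account the script lists needs a fresh, unrelated password; the heuristic is deliberately simple and will not catch every variation, so treat it as a starting point rather than proof of uniqueness.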

5. See what was actually exposed

A trusted breach-checking service such as Have I Been Pwned lets you search your email address and see which known breaches it appears in. This helps you judge how serious the leak is and which other accounts deserve attention first. Treat the results as a to-do list, working from your most important accounts down.

6. Watch closely for follow-on phishing

After a breach, criminals often use the leaked details to send convincing scam messages that mention the very company involved. Be wary of any unexpected email, text or call urging you to click a link, confirm details or move money quickly. Learning the warning signs in our guide to recognising social engineering will keep you a step ahead.

7. Tidy up and protect the account going forward

Review the account's recent activity and active sessions, sign out of devices you do not recognise, and check that recovery details — backup email, phone number — are still yours. For financial accounts, keep an eye on statements for a while. Then move on; you have done what matters.

The one habit that changes everything: a unique password for every account. With unique passwords, a breach of one site is annoying but contained — it can never be used to walk into your other accounts.

Why unique passwords make breaches survivable

The real danger of a breach is not the single leaked account — it is reuse. When the same password unlocks several sites, attackers feed leaked combinations into login pages elsewhere, an attack called credential stuffing. If every account has its own password, that attack simply fails. We explain the mechanics in why reusing passwords is so dangerous, and a password manager makes giving everything a unique password effortless.

The bottom line

A breach is a prompt, not a punishment. Verify the notice, reset the affected password, switch on a second factor, deal with any reuse, check your exposure, and stay sharp for scams. Build unique passwords and 2FA into your routine and the next breach notification will be little more than a five-minute chore.

Frequently asked questions

Should I panic if my email shows up in a breach?

No. Many breaches only expose email addresses or old data. Treat it as a prompt to change that password, enable two-factor authentication and stay alert for phishing, rather than as an emergency.

How do I know if my details were really leaked?

A reputable breach-checking service such as Have I Been Pwned lets you search your email address to see which known breaches it has appeared in, so you can prioritise which accounts to update.

Do I have to change every password I own?

Change the breached account first, then any other account that used the same or a similar password. If your passwords are already unique, you only need to deal with the one that leaked.

Why do scam messages often spike after a breach?

Leaked contact details are sold and reused, so criminals send convincing follow-on phishing that references the breach. Be cautious with any unexpected message urging you to click a link or confirm details.

Is it worth using a password manager after a breach?

Very much so. A manager lets you give every account a long, unique password, so a future breach of one site cannot be used to open any of your other accounts.

This article is general online-safety education, not professional security advice.