
Your password was in a data breach: what to do now

May 30, 2026 · 1 min read

A breach notification is unsettling, but the fix is straightforward. Here is exactly what to do - and how to stop it from mattering next time.

What a breach actually means

When a company is breached, attackers may walk away with lists of usernames and passwords. Those lists get traded and fed into automated tools that try the same email-and-password combination on hundreds of other sites - banking, email, shopping. This is called "credential stuffing," and it works because so many people reuse passwords.

So the danger is not only the breached site. It is every account where you used the same password.

Do these now

  1. Change the password on the breached account. Pick something new and unique - not a small variation of the old one.
  2. Change it everywhere you reused it. This is the important step. Any site sharing that password is exposed.
  3. Turn on two-factor authentication (2FA). Even if someone has your password, 2FA usually stops them from getting in. Start with email, banking, and social media.
  4. Watch for follow-up scams. Breaches are often followed by phishing emails that use your real details to look convincing.

Stop it from mattering next time

  • Use a unique password for every account. If each password is different, a breach at one site cannot cascade to your other accounts.
  • Use a password manager. It generates and remembers strong, unique passwords so you do not have to. Good free and open-source options exist.
  • Prefer passphrases. Four random words ("river-candle-mint-otter") are both strong and memorable.

Check before you reuse

Not sure if a password has already been exposed? Paste it into our Password Checker - it tells you whether it has appeared in known breaches, and your password never leaves your browser.
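This page does not describe how the Password Checker works internally. One common way to check a password against breach data without revealing it is a k-anonymity range lookup, the scheme used by public services such as Pwned Passwords. The sketch below is an added example, not this site's code; `fetchRange` and `fakeService` are hypothetical names and the response data is constructed.

```javascript
// Runs in Node. In a browser the hash would come from crypto.subtle.digest('SHA-1', ...).
const { createHash } = require('node:crypto');

// Hash locally, then split: only the 5-character prefix is ever sent;
// the 35-character suffix stays on the device.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response: one "SUFFIX:COUNT" line per breached hash that
// shares the prefix. Malformed lines are skipped.
function parseRange(body) {
  const seen = new Map();
  for (const line of body.split(/\r?\n/)) {
    const [suffix, count] = line.trim().split(':');
    if (/^[0-9A-Fa-f]{35}$/.test(suffix || '') && /^\d+$/.test(count || '')) {
      seen.set(suffix.toUpperCase(), Number(count));
    }
  }
  return seen;
}

// fetchRange(prefix) is a hypothetical callback returning the response text.
// Matching happens locally, so the service never learns which of the
// returned hashes (if any) was the one being checked.
function breachCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return parseRange(fetchRange(prefix)).get(suffix) || 0;
}

// Constructed stand-in for the breach service so the example runs offline.
// The first suffix is the real SHA-1 tail of "password"; the counts and the
// other lines are made up.
const sent = [];
function fakeService(prefix) {
  sent.push(prefix); // record exactly what would leave the device
  if (prefix !== '5BAA6') return '';
  return [
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
    '0'.repeat(34) + 'A:3',
    'malformed line',
  ].join('\r\n');
}

console.log(breachCount('password', fakeService)); // 42
```

The `sent` array shows the privacy property: every request carries five hex characters and nothing else.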

A breach feels alarming, but it is really just a prompt to do the one thing that protects you long-term: stop reusing passwords.
