Your Password Just Leaked. Here's What to Do in the Next 60 Minutes.
You're scrolling through your email when you see it — a notification from some service you barely remember signing up for. "We've detected unauthorized access." Your stomach drops. You close the tab, tell yourself it's probably nothing, and go make coffee.
That instinct to ignore it is exactly what gets people into serious trouble.
I've watched this play out enough times to know the pattern: someone gets a breach notification, does nothing for a few days, and then wakes up to find their email account locked, their bank doing fraud review, or their social media posting things they never wrote. The breach itself isn't always the disaster. The inaction after it is.
So here's what you actually do — starting right now.
Step One: Find Out What Got Exposed (Before You Panic)
Not all leaks are equal. A breach that exposed your username and an old hashed password from 2019 is annoying. A breach that exposed your current plaintext password, your phone number, and your home address is a completely different problem.
Go to Have I Been Pwned and enter your email address. It will show you exactly which breaches your account appeared in and what type of data was involved. This isn't guessing — it's pulling from an actual database of verified breach data.
According to Have I Been Pwned, the site currently holds records from over 13 billion compromised accounts across hundreds of breaches. That number should tell you something: this is common, not shameful. Treat it like a fire drill, not a moral failing.
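Have I Been Pwned also lets you check a password itself, and it does so without ever receiving the password: your machine hashes it with SHA-1 and sends only the first five hex characters of the hash, then matches the returned suffixes locally (the k-anonymity range API). The script below is an added example written for this article, not Have I Been Pwned's own code; the function names are mine and the offline response with its counts is constructed, while the endpoint and header are the real documented ones.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

def sha1_prefix_suffix(password: str):
    # k-anonymity split: only the first 5 hex chars of the SHA-1 ever leave the machine.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    # Each response line is "<35-hex-char suffix>:<times seen in breaches>".
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    # How often the password appears in known breaches (0 = not found in this range).
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_online(prefix: str) -> str:
    # Real endpoint (needs network); the server never learns the full hash.
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-response-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in for the network call. The suffix for "password" is
# derived by hashing it; its count and the two neighbouring suffixes are made up.
_PREFIX, _SUFFIX = sha1_prefix_suffix("password")
_CONSTRUCTED_RANGES = {
    _PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{_SUFFIX}:3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ]),
}

def fetch_range_offline(prefix: str) -> str:
    return _CONSTRUCTED_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch_range_offline))
```

Swap fetch_range_offline for fetch_range_online to query the live service; with Add-Padding the response also contains zero-count filler lines, which the parser keeps harmlessly.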
Step Two: Change the Leaked Password — But Not Just on That Site
This is where most people stop after one fix and feel like they've handled it. They haven't.
The real danger with leaked passwords isn't the breached site itself. It's that most people reuse passwords across multiple accounts. Attackers know this. They take a leaked credential — say, your email and password from a fitness app — and automatically try it on Gmail, PayPal, Amazon, and your bank. This is called credential stuffing, and it's largely automated and fast.
If you used that same password anywhere else, change it everywhere. Yes, everywhere. This is tedious. Do it anyway.
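From the defender's side, credential stuffing leaves a recognisable trace in authentication logs: one source address cycling through many different usernames inside a short window and failing on most of them, while a real user who mistypes once retries the same account and then succeeds. The script below is an added example, not code from the article; the log format, the IP addresses (taken from the documentation ranges) and the usernames are constructed, and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample of authentication events (not real logs), one per line:
# <UTC timestamp> <source IP> <username> <SUCCESS|FAIL>. 203.0.113.7 replays a leaked
# credential list across many accounts; 198.51.100.4 is a user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2024-03-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-03-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-03-01T10:04:10Z 198.51.100.4 alice@example.com FAIL
2024-03-01T10:04:25Z 198.51.100.4 alice@example.com SUCCESS
"""
Event = NamedTuple("Event", [("ts", datetime), ("ip", str), ("user", str), ("outcome", str)])
Finding = NamedTuple("Finding", [("ip", str), ("attempts", int), ("distinct_users", int),
                                 ("failure_ratio", float), ("succeeded_users", List[str])])

def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events

def detect_credential_stuffing(events: List[Event], window=timedelta(minutes=5),
                               min_users=5, min_failure_ratio=0.8) -> List[Finding]:
    # One source IP, many distinct usernames, mostly failures, inside one window = stuffing.
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort()
        for start in range(len(evs)):
            end = start
            while end + 1 < len(evs) and evs[end + 1].ts - evs[start].ts <= window:
                end += 1  # extend the window as far as it reaches from this start event
            span = evs[start:end + 1]
            users = {e.user for e in span}
            ratio = sum(e.outcome == "FAIL" for e in span) / len(span)
            if len(users) >= min_users and ratio >= min_failure_ratio:
                hits = sorted(e.user for e in span if e.outcome == "SUCCESS")
                findings.append(Finding(ip, len(span), len(users), round(ratio, 2), hits))
                break  # one finding per source IP is enough to trigger a response
    return findings
```

The succeeded_users of a finding are the accounts the replayed list actually opened; those need a forced password reset and session revocation before anything else.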
Step Three: Lock Down Your Email First — Everything Else Flows From It
Here's the counterintuitive thing most breach guides don't tell you: your email account is more valuable to an attacker than your bank account.
Why? Because your email is the master key. Every "forgot my password" reset link goes to your inbox. If someone controls your email, they can reset every other account you own — including your bank. Securing your email matters more than securing your bank directly.
Enable two-factor authentication (2FA) on your email immediately if it isn't already on. Use an authenticator app like Google Authenticator or Authy, not SMS text messages if you can help it. According to CISA (the U.S. Cybersecurity and Infrastructure Security Agency), SMS-based 2FA is significantly weaker than app-based 2FA because phone numbers can be hijacked through SIM-swapping attacks.
Step Four: Set Up a Password Manager (For Real This Time)
You've heard this before. You've nodded and done nothing. I understand — it feels like extra friction added to your life for some abstract future threat.
Here's the practical reality: you cannot remember 80 unique, strong passwords. No one can. A password manager like Bitwarden (free), 1Password, or Dashlane generates and stores them for you. You remember one strong master password. The manager handles the rest.
The part people miss: most breaches succeed specifically because of password reuse. A password manager eliminates that attack surface almost entirely. It's not a luxury security tool — it's basic hygiene at this point.
Step Five: Check for Active Session Intrusions
Changing your password doesn't kick out someone who's already logged in.
On Gmail, scroll to the bottom of your inbox and click "Last account activity." On Facebook, go to Settings → Security → Where You're Logged In. Most major platforms have something similar, and many also offer a "sign out of all other sessions" option; use it. If you see a session from a device or location you don't recognize, terminate it immediately.
This step gets skipped constantly. Someone changes their password and feels secure, while an attacker is already inside reading their messages through an active session that the password change didn't invalidate.
Step Six: Watch Your Other Accounts for the Next 30 Days
The effects of a credential breach don't always show up immediately. Attackers sometimes wait weeks before using stolen credentials, especially if they're selling them in bulk to other actors first.
Set calendar reminders to check your bank statements, credit card activity, and email login history over the next month. If your Social Security number or financial data was part of the breach — which you'll know from the Have I Been Pwned details — consider placing a credit freeze with all three major bureaus: Equifax, Experian, and TransUnion. According to the Federal Trade Commission, a credit freeze is free and prevents new credit accounts from being opened in your name unless you explicitly lift the freeze first.
A credit freeze doesn't affect your existing accounts or credit score. The only practical cost is that you have to lift it temporarily before applying for new credit yourself, so there's no real downside to doing it.
The Honest Caveat
Here's what no article about breach response should pretend: doing all of this correctly reduces your risk significantly, but it doesn't eliminate it. If your data is already in a criminal's database, it may be sold and resold for years. Your email address, phone number, and old passwords become part of phishing lists used in future attacks.
You cannot un-leak data. What you can do is make yourself a harder target than you were before — and most attackers are opportunistic enough to move on to easier prey. That's the realistic ceiling of what individual action can accomplish here.
The breach already happened. What happens next is still partly up to you.
Sources:
- Have I Been Pwned
- CISA: Multi-Factor Authentication
- Federal Trade Commission: Credit Freezes and Fraud Alerts
