The email arrives, or the scan result comes back, and now you know: a service you use was breached, and your data was in it. Most people do one of two things next. They panic and change every password they can remember in a frantic hour, or they shrug and plan to deal with it later.

Both responses miss the same point. In the first day, the order you do things in matters more than how fast you do them. Here is the sequence, and the reasoning behind each step.

Hour one: secure the breached account itself

Change the password on the account that was actually breached. Not because that account is necessarily valuable, but because it is the confirmed point of exposure and takes two minutes to close.

While you are there, check the account's recovery settings. Attackers who get in quietly often change the recovery email or phone number so they can walk back in after you reset the password. If the recovery details are not yours, you were not just exposed, you were compromised, and everything below becomes more urgent.

Hour two: your email account, before anything else

This is the step people skip, and it is the most important one on the page. Your inbox is the master key to every other account you own: every password reset, every verification link, every security alert flows through it.

If the breached password was the same as, or similar to, your email password, change your email password immediately and turn on two-factor authentication there first. An attacker who controls your inbox does not need to crack anything else. They just click "forgot password" everywhere and harvest the resets.

Hours three and four: hunt down the reuse

Now ask the uncomfortable question: where else did you use that password, or a close variant of it? Adding an exclamation point or swapping a letter for a number does not count as a different password. Cracking tools try those mutations automatically.

Prioritize by damage, not by memory: banking and financial accounts, then anything storing a payment card, then work accounts, then social media. If the list is long and you are tempted to give up halfway, that is the strongest sign you should be using a password manager. Today is a reasonable day to start.

The rest of the day: raise the walls

Expect smarter phishing. Here is what most breach advice never mentions: the criminals who have your data know which company lost it. A fake "security alert" from the exact service that was just breached, arriving days after the news, is a standard play. It works because it is plausible. Treat every message about the breach as hostile until proven otherwise, and reach the company by typing its address yourself rather than clicking anything.

Check what else was taken. If the breach included your phone number, date of birth, or home address, changing passwords does not address it. Those data types feed SIM swapping and new-account fraud, and the countermeasures are different: a carrier PIN on your phone account and a credit freeze at the bureaus.

If money or your SSN was involved, freeze. A credit freeze is free, takes minutes per bureau online, and blocks the single most damaging outcome of identity theft: someone opening new credit in your name. If the breach touched financial data or a Social Security number, do not wait for evidence of misuse. In the United States, IdentityTheft.gov is the official recovery resource if you find fraud has already happened.

Do this today
  1. Change the breached account's password and verify its recovery settings.
  2. Secure your email account: new password if there is any reuse, and two-factor authentication on.
  3. Change every account sharing that password or a variant, worst accounts first.
  4. Distrust every message that references the breach. Navigate directly, never through links.
  5. If financial data or your SSN was exposed: freeze your credit at all three bureaus.

What you do not need to do today

You do not need to buy anything today. Identity monitoring services have their place, and we cover who actually benefits from them honestly elsewhere. But nothing on that shelf substitutes for the five steps above, and a purchase made in a panic is how people end up paying for protection they never configure. Do the free, decisive things first. Decide about the paid things next week, calmly.

Not sure which breaches you are actually in?

Start with the facts. Our free scan shows which known breaches contain your email and what was taken in each.

Run the Free Breach Scan →
Keep reading

Step three above was hunting down password reuse. Here is why that one habit causes most account takeovers:

Why One Reused Password Can Unlock Everything

Credential stuffing is cheap, automated, and built entirely on the assumption that you reuse passwords. Most people prove it right.

← Back to all guides