What to do after a data breach: a step-by-step response
Learning your data is in a breach is unsettling, but the response is straightforward if you do it in the right order. Speed matters — leaked credentials get replayed fast.
Act in this order
- Change the breached password immediately — and change it anywhere you reused it. That reuse is what attackers count on.
- Make each new password unique with a password manager, so a future leak can’t cascade.
- Enable multi-factor authentication on the affected account and on your email, banking and work logins.
- Secure your email first — it’s the reset gateway to everything else.
- Watch for phishing that references the leaked data, and verify unusual requests through a known channel.
- If financial data leaked, alert your bank and monitor statements; consider a card reissue.
- Set up breach monitoring so you’re alerted the next time your data appears in a leak.
What you can’t undo
Passwords can be changed; personal data can’t. If your name, address, phone number or date of birth leaked, treat it as permanently public and stay alert to targeted phishing, SIM-swap attempts and identity fraud that use those details to sound convincing.
If it’s a work account
Report it to your security or IT team immediately — don’t just fix it quietly. A single leaked corporate credential can be an attacker’s entry point into the whole organisation, and the team may need to force resets, check for misuse and meet notification deadlines.
Reduce the next breach’s impact
- Use unique passwords everywhere (a manager makes this painless).
- Turn on MFA — prefer authenticator apps or hardware keys over SMS.
- Close old accounts you no longer use so they can’t leak your data later.
- Keep a monitoring alert active so you learn about leaks early.
FAQ
Related questions
What’s the first thing to do after a breach?
Change the breached password and any place you reused it, then enable MFA. Securing reused passwords quickly is what stops the leak from spreading to your other accounts.
Should I change all my passwords after one breach?
Prioritise the breached password and anywhere it was reused, plus your email and financial accounts. Moving to unique passwords via a manager over time removes the need for mass resets in future.
Is it worth paying for breach monitoring?
Monitoring — free or paid — is valuable because it shortens the time between a leak and your response. The sooner you know, the less chance leaked credentials are successfully reused.
Keep reading
More guides
-
What is a data breach? Types, causes and consequences
A data breach is any unauthorised access to data. Here’s how they happen, what gets exposed, and why leaked credentials cause the most damage.
Read guide -
Credential stuffing: how one leaked password becomes account takeover
Attackers don’t guess passwords — they replay leaked ones. Here’s how credential stuffing turns an old breach into a hijacked account.
Read guide