The email lands, usually with a subject line built to make your stomach drop. Some company you may not even remember signing up with is writing to tell you your information got caught up in a data breach. Your first instinct is either to panic or to close the tab and pretend you never saw it. Neither one helps.
Here is the reassuring part. A breach notice is not the same thing as someone emptying your bank account, and you do not need to buy anything or turn into a security expert to deal with it. You mostly need to do a handful of the right things, in the right order, over the next hour or two. That is genuinely the whole job.
First, Make Sure the Warning Is Real
Breach notifications are catnip for scammers. The moment a real breach hits the news, copycat emails and texts start going out, all of them hoping you will click a “secure your account now” button in a panic and type your password into a fake login page.
So slow down for thirty seconds. Do not click the link in the message, and do not take the sender’s name as proof of anything; display names are trivially forged. Open a new tab, go to the company’s website the way you normally would, and log in from there instead. If the breach is genuine, there will usually be a notice waiting in your account or on their homepage. And if a message is leaning on you to act this very second or threatening to lock you out, treat that pressure as its own warning sign.
Find Out What Actually Leaked
Not every breach is the same size of problem, and the notice usually tells you which kind you are dealing with. Buried somewhere in that wall of text is a line describing the information involved. Read that part. Nobody reads these emails, I get it, but that one line decides how much you actually have to do.
An exposed email address and some marketing preferences is annoying but low-stakes. An exposed password is more serious, and that includes passwords the notice describes as “hashed” or “encrypted”: weak hashing gets cracked routinely, so treat yours as leaked unless you have a specific reason not to. An exposed Social Security number, ID document, or full card number is the kind that earns the extra steps further down this page. If the notice is vague about what leaked, you can check independently: Have I Been Pwned is a free, well-regarded site that tells you whether your email or phone number has turned up in known breaches, and what was exposed each time. It only knows about breaches that have been loaded into it, though, so not finding yours there does not make the notice fake.
Change the Password, Starting With the Right Account
Now the hands-on part. Log in to the breached account and change its password. If it was your email account that got exposed, start there first, ahead of everything else. Email is the skeleton key to your digital life; most of your other accounts reset through it, so whoever controls your inbox can quietly walk into the rest.
Your new password should be long, genuinely random, and used on exactly one account. If inventing one on the spot feels like a chore, lean on a tool for it. The FTC actually lists an automatically generated password as one of the legitimate ways to do this, and a password generator will hand you something long and unguessable in a couple of clicks; ideally use the one built into a password manager, which stores the result as well as generating it, so you never have to remember or retype it. What matters is that the replacement bears no resemblance to the one that leaked.
The Real Problem Is Everywhere Else You Used It
Here is what most people get wrong. Changing the password on the breached site closes that one door. It does nothing about the fact that you almost certainly used the same password, or a close cousin of it, on a dozen other accounts.
That reuse is what the attackers are really counting on. As the FTC bluntly put it after one big breach: “Hackers know a secret many of us share: we reuse passwords. Don’t.” Once they have one password that works, they run it automatically against your email, your bank, your shopping logins, all of it; the trade calls this credential stuffing, and a leaked list of logins is the raw material for it. So change it anywhere you reused it, and treat the “same password with a different number on the end” as reused too. Yes, this is tedious. It is also, weirdly, the single most useful hour you will spend this week. From here on, try to give each account that actually matters its own password.
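Two of the steps above, generating a replacement that bears no resemblance to the leaked password and finding every account where that password or a close cousin of it was reused, as one added Python example. This is not code from the article or from any password manager: the vault rows are constructed for the example, and the “close cousin” rule (lowercase, then strip trailing digits and symbols) is an assumption standing in for the tweaks people typically make when they “change” a password.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample of a password-manager export. Not real credentials;
# the sites and passwords are made up for this example.
SAMPLE_VAULT = [
    ("shop.example", "Sunflower7!"),
    ("mail.example", "sunflower7"),
    ("bank.example", "Sunflower2024!"),
    ("forum.example", "Tr0ub4dor&3"),
    ("news.example", "x9#Lq2!vR8pW"),
]

# Full printable set; trim string.punctuation for sites that reject some symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalize(password: str) -> str:
    """Reduce a password to its core so common tweaks collapse together.

    Heuristic (an assumption for this example, not a standard): lowercase,
    then drop trailing digits and punctuation, which is how most people
    mutate an old password into a "new" one.
    """
    return re.sub(r"[\d\W_]+$", "", password.lower())


def find_reuse(vault):
    """Group accounts whose passwords are identical or near-identical.

    Returns {core: [sites...]} keeping only cores shared by two or more sites.
    """
    groups = defaultdict(list)
    for site, password in vault:
        groups[normalize(password)].append(site)
    return {core: sites for core, sites in groups.items() if len(sites) > 1}


def plan_rotation(vault, breached_site):
    """Every account that must be rotated after a breach at breached_site:
    the breached one plus every account sharing its password core."""
    core = normalize(dict(vault)[breached_site])
    return sorted(site for site, pw in vault if normalize(pw) == core)


def generate_password(length: int = 20) -> str:
    """Uniformly random password drawn from the OS CSPRNG via `secrets`."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def shares_core(old: str, new: str, window: int = 4) -> bool:
    """True if `new` contains any case-insensitive run of `window`
    characters taken from `old`; a proper replacement should not."""
    o, n = old.lower(), new.lower()
    return any(o[i:i + window] in n for i in range(len(o) - window + 1))


def replacement_for(old: str, length: int = 20) -> str:
    """Fresh random password, rejecting the (very rare) draws that still
    resemble the old one."""
    while True:
        candidate = generate_password(length)
        if not shares_core(old, candidate):
            return candidate


if __name__ == "__main__":
    for core, sites in find_reuse(SAMPLE_VAULT).items():
        print(f"reused core {core!r}: {sites}")
    by_site = dict(SAMPLE_VAULT)
    for site in plan_rotation(SAMPLE_VAULT, "shop.example"):
        print(site, "->", replacement_for(by_site[site]))
```

Run against the constructed vault, the three “Sunflower” variants collapse into one reuse group, so a breach at shop.example means rotating bank.example and mail.example as well, each to its own unrelated random password.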
Turn On Two-Factor Authentication
While you are already poking around in the account settings, switch on two-factor authentication if the account offers it. This is the thing that quietly saves you the next time a password leaks: even someone holding your login can’t get in without the second code.
One caveat worth knowing. Text-message codes are far better than nothing, but they can be intercepted if a scammer hijacks your phone number through a SIM swap, and codes sent to your email are no protection at all if the email account is the one that was breached. An authenticator app on your phone holds up better, because the code is computed on the device from a secret that is never sent anywhere, and a small physical security key better still. If setting any of that up feels like one task too many today, just turn on whatever the account gives you. You can always upgrade the method some other evening.
If You Can’t Get In, or Something Looks Off
Sometimes the bad news is that you are already locked out, because whoever grabbed your password changed it before you got there. Don’t spiral. Use the account’s “forgot password” or recovery flow right away. If that has been tampered with too, skip straight to the provider’s support or security team and tell them the account was taken over.
Even if you can still log in fine, spend a minute on the back doors. Look at the recovery email and phone number on the account, the list of active sessions or logged-in devices, any mail-forwarding rules, and any third-party apps that have been granted access to the account. Attackers often don’t bother changing your password at all; they quietly add their own recovery address or a forwarding rule and wait, which keeps them a way back in even after you reset. Remove anything there you don’t recognize, and sign out every session you don’t recognize too.
When It’s More Than a Password
If the breach reached your Social Security number or financial details, there is one more layer, and the part worth hearing is that it costs nothing.
You have the right to place a fraud alert and a credit freeze with the three big credit bureaus, Equifax, Experian, and TransUnion, and both are free. A fraud alert placed with one bureau is passed on to the other two; a freeze you have to request from each bureau separately. A freeze makes it much harder for anyone to open a new account in your name, because a lender cannot pull your file to approve it. For everything beyond that, the FTC runs IdentityTheft.gov, a free government site that walks you through a personalized recovery plan one step at a time. You do not need a paid identity-protection subscription for any of this, whatever the ads that tend to swarm in after a breach would like you to believe.
A Short Recovery Checklist
If you would rather have the whole thing at a glance:
- Confirm the notice is real by visiting the site directly, not through the email link
- Read what was actually exposed, and check Have I Been Pwned if you are not sure
- Change the breached password, and secure your email account before the others
- Update every other place you reused that same password, or a close variant of it
- Switch on two-factor authentication, ideally an app rather than text codes
- Review the recovery email and phone, active sessions, forwarding rules, and connected apps on the account
- If sensitive data leaked, place a free fraud alert and a credit freeze at all three bureaus the same day
None of this asks for technical skill or a credit card. It mostly asks you to sit down for an hour and work down the list while the coffee is still warm. Do that, and the scary email goes back to being what it almost always turns out to be: a nuisance you dealt with, rather than a disaster that dealt with you.