What to Do After a Password Breach
If you just got a breach alert, the most important thing is not speed alone. It is taking the right actions in the right order.
I see people make the same mistake every time: they panic, change one password, then assume the incident is over. Meanwhile attackers may still have active sessions, forwarding rules, or token access.
This is the exact response workflow I use when an account credential is exposed. It is designed to contain damage quickly and reduce the chance of a second incident.
How serious is a password breach in 2026?
It is serious if that credential was reused anywhere else, or if the compromised account is tied to identity/recovery flows.
Attackers do not usually stop at one login. They test exposed credentials across email, cloud apps, shopping platforms, and financial services. If they land in your inbox, they can pivot into many other accounts quickly.
So yes, treat any real breach notice as an incident, not a minor inconvenience.
What to do in the first 30 minutes
This is my immediate sequence:
- Reset the breached credential immediately at the official site (not from unknown links).
- Change reused passwords everywhere the same or a similar credential appears.
- Sign out all sessions and revoke old tokens/devices.
- Reconfirm MFA and remove unknown factors.
- Check recovery settings for unauthorized changes.
This early phase is about containment. You are reducing attacker dwell time and cutting off lateral movement.
Which accounts to secure first
If you cannot do everything at once, prioritize by blast radius. My order is:
- Email accounts
- Identity providers and SSO accounts
- Banking and payment services
- Cloud storage and work tools
- Social and commerce accounts
This order protects your recovery core first, then your highest-impact assets.
How to check if attackers still have access
Changing a password is not enough if persistence exists. I always audit for:
- unknown active sessions/devices
- new MFA methods I did not enroll
- changed recovery email or phone
- inbox forwarding rules and suspicious filters
- third-party app grants I do not recognize
If any of these are present, assume deeper account exposure and harden every linked high-value account.
Why email and recovery settings matter most
Email is usually the account takeover hub. If an attacker controls your email, they can request password resets for many other services.
After any breach, I always secure email first and verify:
- no unknown forwarding targets
- no malicious inbox rules
- recovery contacts are correct
- MFA is intact and trusted
This single step prevents a lot of follow-on damage.
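As an added example, not code from the article, the persistence checks from this section and the previous one encoded as a Python audit over a constructed snapshot of one account's settings. The Snapshot format, OWN_DOMAINS and the sample values are assumptions, since each provider exposes this data through its own security page or admin API.

```python
from dataclasses import dataclass

OWN_DOMAINS = {"example.com"}  # assumption: domains the account owner controls
@dataclass
class Snapshot:  # assumed export of one account's security settings
    mfa_methods: list         # enrolled second factors
    recovery_email: str
    recovery_phone: str
    forwarding_targets: list  # addresses the whole mailbox is forwarded to
    inbox_rules: list         # dicts with keys name, forward_to, delete, mark_read
    app_grants: list          # third-party apps holding access tokens
def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS

def audit(current: Snapshot, baseline: Snapshot) -> list:
    """Diff a fresh snapshot against the last known-good one; return findings."""
    findings = []
    for m in current.mfa_methods:
        if m not in baseline.mfa_methods:
            findings.append(f"MFA method not enrolled by owner: {m}")
    if current.recovery_email != baseline.recovery_email:
        findings.append(f"recovery email changed to {current.recovery_email}")
    if current.recovery_phone != baseline.recovery_phone:
        findings.append(f"recovery phone changed to {current.recovery_phone}")
    for target in current.forwarding_targets:
        if is_external(target):
            findings.append(f"mailbox forwarded externally to {target}")
    for rule in current.inbox_rules:
        fwd = rule.get("forward_to")
        if fwd and is_external(fwd):
            findings.append(f"rule '{rule['name']}' forwards to {fwd}")
        if rule.get("delete") or rule.get("mark_read"):
            # deleting or marking mail read hides reset and security-alert messages
            findings.append(f"rule '{rule['name']}' suppresses incoming mail")
    for app in current.app_grants:
        if app not in baseline.app_grants:
            findings.append(f"unrecognised third-party app grant: {app}")
    return findings

# Constructed sample: BEFORE recorded before the breach notice, AFTER taken now.
BEFORE = Snapshot(["authenticator"], "me@example.com", "+15550001111",
                  [], [], ["CalendarSync"])
AFTER = Snapshot(["authenticator", "sms:+15559992222"], "me@example.com",
                 "+15550001111", ["drop@attacker-mail.test"],
                 [{"name": "cleanup", "forward_to": None, "delete": True,
                   "mark_read": True}], ["CalendarSync", "MailBackupPro"])

def sample_findings() -> list:
    return audit(AFTER, BEFORE)
```

Any non-empty result means the account is still exposed and every linked high-value account should be hardened, as the section above says.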
Should you take financial or identity protection steps?
Sometimes yes, especially if breached accounts included personal details, payment data, or government/financial identities.
In higher-risk cases I recommend:
- reviewing recent transactions immediately
- enabling extra fraud/security alerts
- replacing cards where misuse risk is elevated
- considering credit monitoring or credit freeze depending on jurisdiction and exposure scope
Take action based on what data was exposed, not just whether a password leaked.
What to do for work account breaches
If a corporate or client account is involved, notify IT/security early. Do not treat it as only a personal credential issue.
Teams should run a structured workflow:
- reset credentials and revoke sessions
- review sign-in logs and impossible travel events
- check privileged roles and API tokens
- verify mailbox rules and data access events
- document timeline and containment actions
Fast escalation reduces business risk and improves legal/compliance response quality.
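The impossible-travel review from the list above, written out as an added Python example rather than code from the article or any particular product. The event tuple shape, the 900 km/h threshold, the 50 km noise floor and the sample sign-ins are all assumptions, and geo-IP resolution is assumed to have already happened.

```python
import math
from datetime import datetime

# Assumed log shape: (user, ISO-8601 UTC timestamp, latitude, longitude, source ip).
# Real sign-in logs carry more fields; geo-IP lookup is assumed to be done already.
MAX_PLAUSIBLE_KMH = 900.0  # roughly airline cruising speed; anything faster is flagged

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_ip, later_ip, km, hours, kmh) for consecutive sign-ins
    by the same user that would require travelling faster than max_kmh."""
    by_user = {}
    for user, ts, lat, lon, ip in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon, ip))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()  # chronological per user
        for (t1, la1, lo1, ip1), (t2, la2, lo2, ip2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if km < 50:  # same metro area: ISP geolocation noise, not travel
                continue
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((user, ip1, ip2, round(km), round(hours, 2), round(kmh)))
    return alerts

# Constructed sample sign-ins (city-centre coordinates, documentation IP ranges).
SAMPLE_EVENTS = [
    ("alice", "2026-03-01T08:00:00+00:00", 51.5074, -0.1278, "203.0.113.10"),   # London
    ("alice", "2026-03-01T08:45:00+00:00", 40.7128, -74.0060, "198.51.100.7"),  # New York
    ("alice", "2026-03-01T17:00:00+00:00", 40.7128, -74.0060, "198.51.100.7"),
    ("bob",   "2026-03-01T09:00:00+00:00", 48.8566, 2.3522, "203.0.113.44"),    # Paris
    ("bob",   "2026-03-01T14:00:00+00:00", 51.5074, -0.1278, "203.0.113.45"),   # London, 5 h later
]

def sample_alerts():
    return impossible_travel(SAMPLE_EVENTS)
```

Bob's Paris-to-London hop in five hours is plausible and stays quiet; Alice's London-to-New York pair 45 minutes apart is the event that should trigger session revocation and a closer look at the second IP.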
How to prevent a second incident
After containment, I run a second hardening wave within 24-72 hours:
- replace weak/reused credentials with generated unique ones
- expand MFA coverage across all important accounts
- clean out stale app connections and unused devices
- review password manager hygiene and master account security
- set calendar reminders for periodic security audits
Then I do a follow-up review around day 7 and day 30 to confirm the incident is truly closed.
My breach response checklist
- Change breached and reused credentials immediately.
- Revoke sessions/tokens and remove unknown devices.
- Secure email and recovery controls first.
- Re-enroll or verify MFA methods.
- Audit rules, forwards, and third-party app access.
- Protect financial/identity surfaces where relevant.
- Run 7-day and 30-day follow-up checks.
Questions people ask me most
I got a breach email. Is it real or fake?
Verify alerts by opening the service directly from your own bookmark and checking security notifications inside your account.
If one password is leaked, do I need to change all passwords?
Change the breached password and any reused or similar variants first, then prioritize high-value accounts.
How quickly do attackers use leaked passwords?
Often very quickly. Automated credential testing can begin soon after the exposed data becomes available.
Is changing the password enough after a breach?
No. You also need to revoke sessions, verify MFA/recovery settings, and audit app/rule persistence.
Should I reset my password manager master password too?
If there is any chance it was exposed or reused, rotate it immediately and review all vault sessions.
What are signs an attacker still has access?
Unknown sessions, changed MFA/recovery settings, odd forwarding rules, unexplained outbound messages, or new app authorizations.
Do I need to tell my bank after an account breach?
If financial accounts or sensitive personal data may be exposed, contact your bank promptly and enable stronger fraud monitoring.
How long should I monitor accounts after a breach?
Active monitoring for at least two weeks is sensible, with a full follow-up audit around one month.
Image credit: Unsplash.