What to Do After a Password Breach: Step-by-Step Recovery

Your credentials were leaked in a data breach. Here is a step-by-step response plan covering password resets, monitoring, MFA setup, and long-term protection strategies.
How to Know If You Have Been Breached
Data breaches happen constantly — over 3,200 publicly reported breaches exposed 353 million records in 2023 alone, according to the Identity Theft Resource Center. Many breaches go unreported for months or years. You might learn about a breach through a notification email from the affected service, a news report, a dark web monitoring alert, or by checking haveibeenpwned.com.
Have I Been Pwned (HIBP) is a free service created by security researcher Troy Hunt that aggregates breach data. Enter your email address to see which breaches included your credentials. The service currently indexes over 14 billion breached accounts across 800+ breaches. It also offers a notification service that alerts you when your email appears in future breaches.
Signs of compromised accounts include: password reset emails you did not request; login notifications from unknown locations or devices; changes to your account settings you did not make; contacts receiving messages you did not send; and unfamiliar transactions on financial accounts. If you notice any of these, treat the account as compromised immediately — do not wait for an official breach notification.
Immediate Actions: The First 30 Minutes
Step 1: Change the password on the breached account immediately. Use your password manager to generate a new 20+ character random password. If you cannot access the account, initiate the password reset process through the service's recovery mechanism (email, phone, security questions).
Step 2: If you reused the breached password on any other accounts, change those passwords immediately as well. This is the most critical step — credential stuffing attacks (where attackers try leaked credentials on hundreds of other services) begin within hours of a breach becoming known. Prioritize email, banking, and cloud storage accounts.
Step 3: Enable multi-factor authentication (MFA) on the breached account and all accounts where you just changed passwords. Use a TOTP app (Google Authenticator, Authy, Microsoft Authenticator) or a hardware security key (YubiKey). Avoid SMS-based MFA if possible, as it is vulnerable to SIM swapping.
Step 4: Check for unauthorized activity on the breached account. Review recent login sessions, connected applications, email forwarding rules, and account recovery settings. Attackers often set up persistence mechanisms — such as adding their email as a recovery address or connecting an OAuth application — that survive password changes.
Email Accounts: The Priority Target
Your email account is the master key to your digital life. Most online services use email for password resets, which means an attacker who controls your email can take over virtually every other account you own. If your email credentials were breached, this account takes absolute priority.
After changing your email password and enabling MFA, audit every aspect of the account: check email forwarding rules (attackers add forwarding to their own address); review connected applications and OAuth permissions; verify recovery phone numbers and backup email addresses; check for filters that auto-delete or auto-archive specific emails (attackers use this to hide their activity); and review recent sent messages for phishing emails sent to your contacts.
If you use Gmail, visit myaccount.google.com/security to review recent security events, signed-in devices, and third-party access. For Microsoft accounts, use account.microsoft.com/security. Both services offer activity logs that show recent logins and actions.
Financial Accounts: Protecting Your Money
If the breach involved a financial service, or if you reused the breached password on any financial account, take immediate additional steps. Contact your bank and credit card companies to report potential compromise. They can flag your accounts for suspicious activity, issue new card numbers, and place temporary holds if necessary.
Place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, TransUnion). A fraud alert requires creditors to take extra steps to verify your identity before opening new accounts. A credit freeze is stronger — it prevents anyone from opening new accounts in your name until you temporarily lift the freeze.
Monitor your bank and credit card statements daily for at least 30 days after the breach. Set up transaction alerts for any amount. Pay special attention to small test transactions ($1-5), which fraudsters use to verify that a stolen card is active before making larger purchases.
In Ukraine and the EU, monitor your bank account via your banking app and contact your bank's fraud department. Ukraine's National Bank maintains a hotline for financial fraud. If you discover unauthorized transactions, file a report with both the bank and the Cyberpolice (cyberpolice.gov.ua).
Checking Your Passwords Against Breach Databases
Beyond checking whether your email was breached, you should verify whether your specific passwords have appeared in any known breach. The Have I Been Pwned Passwords API allows you to check passwords without transmitting them. It uses a technique called k-anonymity: only the first 5 characters of the password's SHA-1 hash are sent, the service returns every hash suffix that shares that prefix, and the comparison against your own hash happens locally.
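The k-anonymity lookup as an added example in Python (not code from the article or from HIBP): the 5-character SHA-1 prefix is the only thing that leaves the machine, and the suffix match happens locally. The `SAMPLE_RANGES` body and its counts are constructed so the block runs offline; `fetch_range` uses the real `api.pwnedpasswords.com/range/` endpoint and the service's optional `Add-Padding` header, and the User-Agent string is a placeholder.

```python
"""Check a password against the HIBP Pwned Passwords range API with k-anonymity."""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With Add-Padding the server mixes in fake suffixes with count 0 so the
    response size does not leak how many real matches the prefix has; drop them.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup; only the 5-character prefix is in the request URL."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-breach-check/1.0"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup=fetch_range) -> int:
    """Return how many times the password appears in breach data (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(range_lookup(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts and the other two suffixes are made up for this offline example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",   # real suffix of "password"
        "00F4D0E5F3C9D8E7A6B5C4D3E2F1A0B9C8D:2",       # constructed neighbour
        "1234567890ABCDEF1234567890ABCDEF123:0",       # constructed padding entry
    ])
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(pwned_count("password", offline_lookup))            # 12345 (constructed)
    print(pwned_count("correct horse battery staple", offline_lookup))  # 0
```

Swap `offline_lookup` for the default `fetch_range` to query the live service; the password itself is never part of the request.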
Most password managers integrate breach checking directly. 1Password's Watchtower, Bitwarden's vault health reports, and Dashlane's dark web monitoring all use HIBP or similar databases to flag compromised passwords in your vault. Run a full vault audit and change every password that appears in breach data.
Our password generator includes a built-in breach check tool. Enter any password to instantly check it against the HIBP database. The check happens entirely in your browser — the full password is never sent to any server. Only the first 5 characters of the hash are transmitted, preserving your privacy while providing real-time breach data.
Long-Term Protection Strategy
Adopt a password manager if you have not already. This is the single most effective step to prevent future credential-reuse breaches. With a password manager, every account gets a unique random password, so a breach at one service cannot cascade to others. Bitwarden (free, open source) and 1Password ($2.99/month) are excellent choices.
Enable MFA on every account that supports it, prioritizing email, banking, cloud storage, and social media. Hardware security keys (YubiKey, Titan) provide the strongest protection and are phishing-resistant. If hardware keys are not available, use a TOTP app. Use SMS only as a last resort.
Sign up for breach notifications. HIBP offers free email monitoring: enter your addresses at haveibeenpwned.com/NotifyMe. Google's Password Checkup (integrated into Chrome and Google accounts) also monitors your saved passwords against breach databases. Enable these features so you learn about breaches quickly rather than months later.
Practice regular security hygiene: review your password manager vault quarterly for weak or old passwords; audit connected applications and OAuth permissions on your major accounts; keep your software updated (many breaches exploit known vulnerabilities in outdated software); and be vigilant about phishing — the most common way attackers obtain credentials.
- Use a password manager with unique passwords for every account
- Enable MFA on all accounts (FIDO2 > TOTP > SMS)
- Sign up for HIBP breach notifications
- Audit your password vault quarterly
- Review OAuth and connected app permissions regularly
- Keep all software updated
- Learn to recognize phishing attacks
- Place a credit freeze if financial data was exposed
Reporting and Legal Steps
In Ukraine, report cybercrime to the Cyberpolice at cyberpolice.gov.ua or by calling 0-800-505-170. Under the GDPR (applicable through the alignment of Ukraine's data protection law with EU standards), you have the right to be informed about breaches affecting your data and to request deletion of your data from the breached service.
In the US, report identity theft to the FTC at identitytheft.gov, which creates a personalized recovery plan. File a report with your local police department as well — this documentation may be needed for bank and credit disputes. If the breach involved health records, file a complaint with the HHS Office for Civil Rights.
Document everything: save breach notification emails, screenshot any unauthorized activity, record dates and times of your response actions, and keep copies of all correspondence with affected services. This documentation is essential for any future disputes, insurance claims, or legal proceedings.
What to Do Next with a Strong Password?
A strong password is just the first step. To truly protect your accounts, you need a reliable password manager that stores, auto-fills, and syncs your credentials across all devices.
We compared the most popular password managers in 2026 to help you make the right choice.
NordPass stands out with its zero-knowledge XChaCha20 encryption, built-in passkey support, and the most intuitive interface among premium managers.
| Feature | NordPass | 1Password | Bitwarden Free |
|---|---|---|---|
| Price/mo | $1.49/mo | $2.99/mo | $0 |
| Devices | Unlimited | Unlimited | Unlimited |
| Passkeys | Yes | Yes | No |
| Breach scanner | Yes | Yes | No |
| 2FA built-in | Yes | Yes | Yes |
| Secure sharing | Yes | Yes | Limited |
| Auto-fill | Yes | Yes | Yes |
This is an affiliate link. If you make a purchase, I may earn a commission — this helps keep the site free.