Your Calm Action Plan After a Data Breach
The short answer: take a breath, then change the password on the breached account and anywhere you reused it, switch each one to a fresh unique passphrase, and turn on two-factor authentication. That's the heart of it, and it usually takes about fifteen minutes. Everything below is just the calm detail.
Getting an email that says "we recently experienced a security incident" can make your stomach drop. But a breach notification is not a disaster bell — it's a company doing the responsible thing and asking you to update your security. With a clear plan, you'll be back in control quickly. Let's walk through it together.
First, make sure the warning is real
Scammers love a breach scare, because panic makes people click. So before you do anything, confirm the news is genuine.
- Don't click links in the email. Instead, open your browser and type the company's website address in yourself, then log in there.
- Check a reputable breach-checking service by visiting it directly. These let you look up your email address to see which known breaches it has appeared in.
- Be wary of urgency. "Act in the next hour or lose your account" is a classic scam tactic. Real companies give you reasonable time.
Golden rule: never enter a password on a page you reached by clicking a link in an unexpected message. Always navigate to the site yourself. This single habit defeats the large majority of phishing attempts.
Step one: change the breached password
Log in to the affected account the safe way (by typing the address yourself) and change its password. Make the new one a strong, unique passphrase — a few random words you can picture. Our generator will make one in seconds, entirely on your device.
Crucially, do not reuse a password you already use elsewhere. The whole point is to give this account a fresh, one-of-a-kind key.
Step two: change it everywhere you reused it
This is the step people skip, and it's the most important. Attackers know we reuse passwords, so after a breach they try the stolen email-and-password combination on dozens of other popular sites. This is called "credential stuffing," and it's how one breach quietly becomes five.
So ask yourself honestly: where else did I use that same password? Email, shopping, social media, streaming? Change each of those to its own unique passphrase too. If the answer is "honestly, everywhere," don't beat yourself up — you're far from alone, and the next section fixes it for good.
Step three: turn on two-factor authentication
While you're in each account's settings, look for "two-factor authentication," "2FA," or "two-step verification" and switch it on. This adds a second lock: even if someone has your password, they also need a code from your phone to get in. An authenticator app is better than text-message codes, but any two-factor is far better than none.
Priority order: if you only have time for a few accounts today, secure your email first. Your email is the master key — it's where password resets for everything else are sent. Protect it like the front door it is.
Step four: set yourself up so this is easy next time
Here's the quiet truth: the people who sail through breaches calmly aren't lucky — they're set up well in advance. Two habits make all the difference.
- Use a password manager. It stores a unique strong password for every site, so a breach at one company can never touch the others. You only remember one master passphrase.
- Make that master passphrase a good one. Six random words, memorised as a vivid little scene. My guide to passphrases made easy shows you how, and the safety of generators piece explains how to make one privately.
Do this once and the next breach email becomes a five-minute non-event: change one password, done, because nothing was reused anyway.
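To show what "six random words" generated on your own device involves, here is an added example (not this site's generator code): it picks words with the platform's cryptographic random source and works out how strong the result is. The 16-word list is a constructed sample and the function names are assumptions for illustration; the 7,776-word figure is the size of a standard dice-style word list.

```javascript
// Added example: on-device passphrase generation with a CSPRNG.
// WORDS is a short constructed sample, far too small for real use;
// a dice-style list has 7,776 words.
const WORDS = ["amber", "bison", "cedar", "delta", "ember", "fjord", "glade", "heron",
  "ivory", "jolly", "kayak", "lemon", "maple", "noble", "otter", "plume"];

// Web Crypto is global in browsers and recent Node; older Node exposes it on the module.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Uniform integer in [0, n) by rejection sampling: values at or above the largest
// multiple of n are discarded, which avoids the modulo bias of a plain `x % n`.
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError("list size must be between 1 and 2^32");
  }
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Draw each word independently; nothing leaves the device.
function generatePassphrase(wordCount = 6, words = WORDS, sep = " ") {
  if (new Set(words).size !== words.length) {
    throw new Error("duplicate words lower the real entropy");
  }
  const picks = [];
  for (let i = 0; i < wordCount; i++) {
    picks.push(words[uniformIndex(words.length)]);
  }
  return picks.join(sep);
}

// Entropy in bits when every word is chosen uniformly and independently.
function entropyBits(wordCount, listSize) {
  return wordCount * Math.log2(listSize);
}

// Smallest number of words that reaches a target strength for a given list size.
function wordsNeeded(targetBits, listSize) {
  return Math.ceil(targetBits / Math.log2(listSize));
}
```

Six words from the 16-word sample give only 24 bits, while six words from a 7,776-word list give about 77 bits, which is why the size of the word list matters as much as the number of words.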
If money or identity details were involved
Most breaches expose email addresses and passwords. Occasionally, more sensitive details like card numbers are involved. If so:
- Call your bank using the number printed on your card, not one from an email. They handle this every day and can guide you.
- Watch your statements closely for a while and report anything you don't recognise.
- Consider a replacement card if card details were exposed — your bank can arrange it.
- Be alert to follow-up scams. Criminals sometimes use breached details to make convincing phone calls. A real bank will never ask for your full password or a one-time code.
You've got this
A data breach is something that happens to you, not something you did wrong. The power you have is in your response, and now you have a calm plan for it: confirm it's real, change the password, fix any reuse, switch on two-factor, and set yourself up so it's easy next time. Fifteen minutes, no panic, back in control.
Frequently asked questions
What is the first thing to do after a data breach?
Change the password on the breached account first, then change it anywhere you reused the same password. Use a new, unique passphrase for each. Turn on two-factor authentication while you're there.
Should I panic if I get a breach notification?
No. A breach notification means a company is telling you to update your security, which is a good thing. Work calmly through the steps and you'll be back in control in about fifteen minutes.
How do I know if my information was really breached?
Only trust breach news from the company directly or from a reputable breach-checking service you visit yourself. Never click links in unexpected emails; type the website address in by hand instead.
Do I need to change all my passwords after one breach?
Not every single one. Change the breached account and every account where you reused that password. If you've reused passwords widely, this is the moment to switch to unique passphrases and a password manager.
What if my bank or card details were exposed?
Contact your bank using the number on your card, watch your statements closely, and consider asking for a replacement card. Banks deal with this routinely and can guide you through it.