Email found in a data breach? What to do, step by step
2026-06-27
A breach notification is unsettling, but it is not an emergency by itself — what you do in the next hour decides whether it becomes one. When your email address shows up in a data breach, the address is usually the least of it: the same dump often contains your password, name, and whatever else the service stored. Here is the step-by-step response, in the order that matters.
Step 1: Confirm what actually leaked
Go to Have I Been Pwned and enter your address. It tells you which breaches include you, when they happened, and — crucially — which data classes leaked: email only, or also passwords, phone numbers, addresses, partial payment data. "Email addresses and passwords" is a very different problem from "email addresses only." Check every address you use, not just your main one. If the breach is recent and includes passwords, treat the next step as urgent; if it is a years-old, email-only leak, the main consequence is the sudden spam you may have already noticed.
Step 2: Change the passwords that matter
- Change the password on the breached service first. Even if the company says passwords were hashed, assume the worst — cracking rigs chew through weak hashes quickly.
- Then change it everywhere you reused it. This is the real danger. Attackers take leaked email+password pairs and try them on Gmail, PayPal, Amazon and every bank — a technique called credential stuffing. One reused password turns one breach into ten.
- Make every new password unique, and let a password manager remember them. Nobody memorizes 80 unique passwords; a manager generates and stores them so a future breach only ever costs you one account.
- Start with the accounts that can hurt you: your email account itself (it can reset everything else), banking and payments, then shopping and social accounts.
Step 3: Turn on two-factor authentication
Enable 2FA on your email account, financial accounts, and anything else that offers it. With 2FA, a leaked password alone is no longer enough to get in — the attacker would also need your phone or authenticator app. An authenticator app or hardware key is stronger than SMS codes, but SMS 2FA still beats no 2FA. This single step defuses most of the risk from any password that leaked before you changed it.
Step 4: Expect targeted phishing
After a breach, attackers know exactly which service you use — and they exploit it. Expect convincing emails that reference the breached company by name: "Your account was compromised, click here to secure it." These arrive precisely when you're primed to act fast. The rule: never use links in these emails. Type the service's address into your browser yourself, or use its app. Legitimate breach notifications will never ask for your password or payment details by email, and no matter how genuine a message looks, the unsubscribe-or-spam decision is easy here — anything phishy gets marked as spam, unclicked.
Step 5: Decide whether the address is worth keeping
One breach is survivable. But if your address has appeared in many breaches over the years, it is on permanent spam and credential-stuffing lists, and no cleanup removes it. At that point consider retiring it: create a new address, migrate the accounts that matter over a few weeks, and let the old inbox wind down. Keep the old address alive for a while to catch stragglers — just stop giving it to anyone new.
Prevention: leak less next time
You can't stop companies from being breached, but you can shrink your exposure so the next breach barely touches you:
- Unique passwords everywhere — a breach then costs exactly one account, not your digital life.
- 2FA on everything important — leaked credentials become useless on their own.
- Fewer databases containing your real address. Every account you create is a future breach candidate. For one-time signups, downloads and trials, use a disposable email address instead — if that database leaks, it exposes an address that stopped existing 10 minutes after you used it.
- Periodic checkups. Re-check Have I Been Pwned every few months, or subscribe to its free notifications. The other habits that keep your real address out of circulation are in our anti-spam guide.
The takeaway
Breach response is a checklist, not a catastrophe: confirm the damage, kill the reused passwords, switch on 2FA, distrust every email that references the breach. Then reduce the attack surface — the fewer places your real address lives, the less any future breach can leak. For everything that doesn't deserve a permanent place in your life, grab a free 10-minute address and let it expire with the signup; the FAQ explains exactly how it works.