
Was Your Password in a Data Leak? What to Actually Do Next

Finding out your password was in a data leak is unsettling, but panic is not the right response and neither is ignoring it. Here is exactly what to do, in priority order, and an honest answer to how worried you should actually be.

Was Your Password in a Data Leak? What to Actually Do Next, by Deepak Gupta on guptadeepak.com

If you just got a notification that your password showed up in a data leak, here is the first thing to know: this is extremely common, it does not mean you did anything wrong, and there is a clear set of steps that will protect you.

Around 80% of data breaches involve compromised credentials. Billions of leaked username-and-password pairs circulate in datasets that get traded and aggregated. If you have used the internet for more than a few years, the odds are high that some password of yours has appeared in a breach at some point. That is unsettling, but it is manageable.

So let me answer the two questions people actually have: how worried should you be, and what should you do right now? After years working in identity and credential security, I can give you both honestly.

How Worried Should You Actually Be?

The honest answer: it depends on three things, and you can assess them in about a minute.

Is the leaked password one you still use anywhere? If the breached password is old and you have not used it in years, the risk is low. If it is a password you currently use, especially on important accounts, the risk is real and you should act now.

Do you reuse that password across multiple sites? This is the factor that turns a minor leak into a serious problem. Attackers take leaked credentials and try them automatically across hundreds of other services, a technique called credential stuffing. If your leaked password is unique to one site, the damage is contained to that site. If you reused it, every account sharing that password is now exposed.

Was multi-factor authentication enabled on the affected accounts? If yes, a stolen password alone is much less dangerous, because the attacker still needs your second factor. If no, the password may be the only thing standing between an attacker and your account.

The worst case is a current, reused password on accounts without MFA. The best case is an old, unique password on an account you have since secured. Most situations fall somewhere in between, and the steps below handle all of them.

What to Do, in Priority Order

Do these in order. The first few matter most.

1. Change the password on the breached account immediately.

Start with the account that was actually leaked. Change its password to something new, long, and unique. Do not reuse a password you use anywhere else. If you can no longer access the account, use its recovery process to regain control before an attacker does.

2. Change that password everywhere you reused it.

This is the most important step if you reuse passwords, and it is the one people skip. Every other account where you used the same password is now a target for credential stuffing. Change all of them to unique passwords. Yes, this is tedious. It is also the single highest-impact thing you can do, because credential stuffing is how one leak becomes ten compromised accounts.

3. Turn on multi-factor authentication on your important accounts.

MFA is the protection that makes a leaked password far less dangerous. With it enabled, an attacker who has your password still cannot get in without your second factor. Prioritize your email, financial accounts, and any account that can be used to reset other passwords. Where possible, prefer app-based or hardware-key MFA over SMS codes, since SMS can be intercepted, though any MFA is far better than none.

4. Start using a password manager.

The reason people reuse passwords is that remembering dozens of unique ones is impossible. A password manager solves this completely. It generates and stores a strong, unique password for every account, so a future leak of one site never threatens any other. This is the structural fix that prevents the whole problem from recurring. If you do only one long-term thing after a breach, make it this.

5. Consider passkeys where they are offered.

Increasingly, services let you replace passwords entirely with passkeys, which use cryptographic keys tied to your device instead of a shared secret. There is no password to leak, which eliminates this category of risk at the source. Where a service offers passkeys, adopting them is the strongest move you can make. You can read more about how this works in my guide to FIDO2 and passkey authentication.

6. Watch the affected accounts for unusual activity.

For the next few weeks, keep an eye on the breached account and any financial accounts for logins you do not recognize, unexpected password-reset emails, or transactions you did not make. Early detection limits the damage if someone did get in.

Why This Keeps Happening: The Technical Reality

Understanding why leaks happen helps you see why these steps work.

When a website is breached, attackers often do not get your password in plain text. Well-built services store passwords in hashed form, meaning the password is run through a one-way cryptographic function so the stored value cannot easily be reversed back into your password. This is why the strength of the hashing matters so much: a strong, modern hashing algorithm makes leaked credential databases far harder to crack, buying you time even after a breach.

The problem is that not all services hash properly. Some use weak or outdated algorithms, and some older breaches exposed passwords with little or no protection. When that happens, attackers can recover the actual passwords and use them directly. This is why a leak from a poorly secured service can be more dangerous than one from a service that hashed credentials correctly.
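To make the difference between those two kinds of storage concrete, here is an added example (written for this page, not code from the article or from any real service) that contrasts an unsalted fast hash with a per-user salt plus a memory-hard KDF from Python's standard library. The user names and passwords are constructed sample data; the `$`-separated record format is an assumption for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happened to choose the same password.
USERS = {"alice": "correct horse battery", "bob": "correct horse battery"}


def weak_store(password: str) -> str:
    """Unsalted, fast hash: the kind of storage a poorly secured service might use.

    Two users with the same password get the same stored value, and SHA-256 is
    fast enough that a leaked table can be guessed against at very high rates.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus scrypt (memory-hard, deliberately slow).

    Record layout (assumed for this example): scrypt$<salt hex>$<key hex>.
    """
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    recomputed = strong_store(password, bytes.fromhex(parts[1]))
    return hmac.compare_digest(recomputed, stored)


def shared_hash_count(store_fn, users: dict) -> int:
    """How many users share a stored value with someone else (0 is the goal)."""
    hashes = [store_fn(pw) for pw in users.values()]
    return sum(1 for h in hashes if hashes.count(h) > 1)


if __name__ == "__main__":
    print("weak:  users with a duplicated stored value =", shared_hash_count(weak_store, USERS))
    print("strong: users with a duplicated stored value =", shared_hash_count(strong_store, USERS))
    record = strong_store(USERS["alice"])
    print("verify correct password:", strong_verify(USERS["alice"], record))
    print("verify wrong password:  ", strong_verify("wrong", record))
```

With the weak scheme, every user who reused the same password is exposed at once if the table leaks; with the salted, slow scheme each record must be attacked separately and each guess costs real memory and time, which is the "buying you time" the text refers to.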

If you want to understand the technical side of how passwords are protected (and why some protection is much stronger than others), I cover it in depth in my comparison of password hashing algorithms and the SHA-2 family explainer. The short version: you cannot control how a service stores your password, which is exactly why unique passwords and MFA matter so much on your end. They protect you even when a service fails to protect you.

The One Habit That Prevents Most of This

If you take nothing else from this, take this: unique passwords plus multi-factor authentication defeats the vast majority of credential-based attacks.

A leak is only dangerous when the leaked credential unlocks more than the one breached account. Unique passwords ensure a leak stays contained. MFA ensures a leaked password is not enough on its own. Together, they turn a breach from a potential disaster into a minor inconvenience where you change one password and move on.

You will almost certainly be in another breach at some point. Everyone is, eventually, because breaches happen to companies, not to you, and you cannot control their security. What you can control is whether a breach of theirs becomes a problem for you. Set up the structural protections now, while you are thinking about it, and the next notification you get will be a shrug instead of a scramble.

This article covers personal security. If you are experiencing a situation where your accounts are being actively targeted or you feel unsafe, consider reaching out to the affected services' support teams directly, as they can often lock down and recover accounts quickly.
