Your Password Was Exposed in a Data Breach. What to Do Now?

Data breaches show no sign of slowing down, and the result is stolen credentials belonging to billions of people. It is now more likely than not that a given person’s data has been exposed in a data breach – and they might not even know it.

Companies are legally obligated to let their users and clients know about a data breach once they discover it. Usually, this comes in the form of an email.

Got an email about a data breach? Don’t ignore it. Anyone who suspects their password or any other personal information was exposed in a data breach should take immediate action.

What is a Data Breach?


The term “data breach” refers to a company’s servers or databases being breached by an outside entity, usually a crime ring. Hackers can breach a company’s security to steal all sorts of information.

Usually, when a data breach makes it onto the news, it’s because customer records were stolen. Getting access to customer information is usually also the main objective for criminals.

The type of data that typically gets stolen in a data breach includes:

  • passwords (hopefully hashed and salted if the company’s security is properly implemented),
  • names,
  • email addresses,
  • phone numbers,
  • physical addresses,
  • credit card information,
  • social security numbers or other forms of identification,
  • other confidential personal information depending on what data the company gathers.

However, don’t panic. A data breach does not automatically mean anyone’s accounts have been hacked – yet. But it does mean that those people’s accounts and other personal information are at risk. It could also be worse for some than others, depending on their security habits.

Immediately: Change Account Passwords


Change the password of the account in question immediately, whether the data breach is confirmed or not. Even if someone is unsure whether their data has been exploited in the data breach, it’s best to change passwords anyway.

Make this an opportunity to practice good password hygiene as well by making the password unique and complex. There may be a chance that the password hasn’t been stolen in the data breach but change it nevertheless.

Hackers have various methods for figuring out people’s passwords – especially if they’re not complex enough. So, if they got someone’s email address in a data breach, then they can go ahead and try to figure out their password.

If the password for the account in question has been used on other accounts as well, go change those passwords too. Remember that it’s never a good idea to reuse a password across more than one account, because anyone who obtains it can then get into those accounts too.

The Data Breach Action Guide


1. Confirm That a Data Breach Has Occurred

A company is supposed to let its users know that a data breach has occurred the moment it becomes aware of it. In reality, this doesn’t always happen. Sometimes, people find out through the media first. Sometimes they don’t find out at all.

Anyone who’s uncertain whether their data has been exposed in a data breach can use a tool like Avast Hack Check or HaveIBeenPwned. People can enter their email address on either website, and it will tell them if any accounts associated with that email have been implicated in any breaches. Aside from that, it’s also usually possible to contact the breached company and ask them directly.
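An added Python example, not part of the original article: besides the email lookup described above, HaveIBeenPwned offers a password lookup (Pwned Passwords) whose range query sends only the first five characters of the password's SHA-1 hash and leaves the matching to the client. The offline stand-in for the service, its sample passwords and counts, and the function names are constructed for illustration.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # real endpoint; not called here

def split_sha1(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix is sent to the service; the
    35-character suffix never leaves the local machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """Count breach sightings; fetch_range(prefix) returns 'SUFFIX:COUNT' lines."""
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not listed: password not in the corpus

def make_offline_service(exposed):
    """Stand-in for the HTTPS endpoint, built from constructed sample data."""
    buckets = {}
    for password, count in exposed.items():
        prefix, suffix = split_sha1(password)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    seen = []  # everything the "server" was shown

    def fetch_range(prefix):
        seen.append(prefix)
        # One constructed filler entry so every bucket has some content.
        return "\r\n".join(buckets.get(prefix, []) + ["0" * 35 + ":1"])

    return fetch_range, seen

if __name__ == "__main__":
    fetch, seen = make_offline_service({"hunter2": 17043})  # constructed count
    for pw in ("hunter2", "correct horse battery staple"):
        print(repr(pw), "seen in breaches:", breach_count(pw, fetch))
    print("server only ever saw:", seen)
```

In real use, `fetch_range` would perform an HTTPS GET against `RANGE_URL` with the prefix filled in.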

Keep in mind, though, that there is such a thing as data breach phishing scams. These are emails sent to people posing as a company that’s been breached and urging them to click on links to change their passwords. Ensure that any data breach claims are legitimate first by visiting the company’s website or official social media channels.
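An added Python example, not part of the original article, of the check described above applied to the links inside a breach-notification email. The email body is constructed sample data, `example.com` stands in for the breached company, and the official domain passed in must come from a bookmark or from memory, never from the email itself.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def on_domain(host, official):
    """True only for the official domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)

def review_links(html_body, official):
    """Return [(href, [reasons])] for links that deserve suspicion."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if parts.scheme != "https":
            reasons.append("not https")
        if not on_domain(host, official):
            reasons.append("host is outside the company's domain")
            if official in text.lower():
                reasons.append("visible text shows the company's domain")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample email body; example.com stands in for the company.
SAMPLE_EMAIL = """<p>We had a breach. <a href="https://example.com/security">Read the notice</a></p>
<p><a href="http://example.com.account-reset.test/login">https://example.com/reset</a></p>
<p><a href="https://accounts.example.com/password">Change your password</a></p>"""
```

A clean result does not prove the email is genuine; typing the company's address into the browser by hand remains the safer route.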

2. Determine What Information Was Stolen

Getting the full picture of what type of data has been stolen is vital to know what steps to take next. Naturally, the account password has to be changed, either way, just to be sure. But there may be other confidential information now exposed that requires further action.

For example, people’s social security numbers were leaked in the Equifax data breach of 2017. That means everyone whose data was exposed should then have taken steps to monitor their credit for suspicious behavior, among other things. If they didn’t know their SSNs were exposed to that data breach, they wouldn’t have known to take further action.

3. Re-Verify Account Data and Activate 2FA

Passwords aren’t the only account-related information that could have been compromised. There’s also other login information, like the answers to security questions, as well as any sensitive information saved on or sent through the account. This needs to be changed as well.

It’s also a good time to activate two-factor authentication (2FA) on the breached account (and others) if it hasn’t been activated already. 2FA is an authentication method that requires two or more pieces of verification. Usually, this takes the form of a PIN sent to a second account or device via email or text message.

4. Back Up Important Information

If there’s some doubt about whether the account has been hacked or not, it’s best to back up valuable information. That way, there’s no chance of any data being lost should the account have been compromised.

5. Follow the Breached Company’s Guidelines

Sometimes, breached companies offer their users/clients assistance to help limit the loss of personal data or further perils. If a company does make that offer, accept their help. This will make the process of dealing with the fallout of the data breach much easier.

The exception is when there are problems with accepting the offer, such as objectionable terms. Keep in mind that the company still has its own best interests in mind and may insert clauses into its offer to help save its own skin.

6. Notify any Intermediaries of the Stolen Information

This step depends solely on what type of information was stolen.

For instance, if it was a social media platform like Facebook that was breached, then hackers might gain access to people’s accounts. In that case, they may post phishing scams or steal other information. Anyone who’s concerned that their social media account may have been hacked should notify their friends and followers.

Similarly, if the breach exposed credit card information, then a person might want to contact their credit card company to warn them about possible fraud. Or even to cancel that credit card altogether.

7. Evaluate Personal Cybersecurity and Adjust as Needed

Data breaches often show people just how vulnerable they are to outside attack. This might be a good time to evaluate personal cybersecurity and identify any flaws. Cybersecurity encompasses everything from the device someone’s using to their network security. Naturally, it also has to do with online account security.

If it helps, make a checklist of everything that needs to be checked and secured. Here are some items to start:

  • Network security: If the router still uses the default network SSID and password, change them now. Hackers can easily find the default password for the router online. Sign up with a VPN service as well. Virtual private networks like NordVPN protect the data sent over a network connection by encrypting it, thus keeping hackers from stealing data in transit.
  • Device security: Both smartphones and computers should be locked with a PIN or similar authentication method. Biometric authentication is considered the most secure but has yet to make the adoption jump from smartphones to computers. People should also always secure their devices with credible antivirus programs.
  • Software and app security: Apps and programs need to be protected too. First off, this means vetting them properly before installing them in the first place. It also means keeping them updated as developers should release regular security updates to protect users from possible exploits.
  • Account security: Aside from passwords, security questions, and 2FA, people should also check their privacy settings. Platforms often gather a lot of personal information about their users, but this can be limited by changing privacy settings. Limiting the amount of data they can collect will also help limit fallout in the event of a data breach.

8. Keep Monitoring Those Accounts

It’s fine to take a breather after going through all of these steps when mitigating the aftermath of the data breach. Don’t become complacent, though. Even if criminals’ chance of getting into the account is now minimal, it’s impossible to say with certainty that they can’t.

So, keep monitoring the account – and any others that may have shared the same password – for unusual behavior or changes.

Final Thoughts


Massive data breaches are regularly making the news now, and it’s a worrisome trend. Anyone who’s concerned that their information has been stolen in a data breach should secure their account immediately. After that, they can take steps to reduce the potential consequences of the data breach and make sure their accounts and devices are more secure.

Realizing that a password (or any other information) has been stolen in a data breach is cause for concern. But it’s important to take a deep breath and handle the situation quickly and efficiently. Remember, a stolen password doesn’t mean the related account has been hacked yet. Try to take action before that can happen.

Published By: Souvik Banerjee

Souvik Banerjee: Web Developer & SEO Specialist with 15+ years of experience in Open Source Web Development, specialized in Joomla & WordPress development. He is also the moderator of this blog "RS Web Solutions".