What to Do if a Site's Data Is Leaked
A data breach at any site you use requires a specific set of steps. Here is what to do if you are notified of one.
Act Fast and Reset Your Credentials
The moment a site confirms a breach, the single most important step is changing the password for that account. Create a new password that is long, unique, and never used anywhere else. Do not simply add a number or special character to the old one. Attackers frequently run scripts that try slight variations, so a truly fresh passphrase is needed.
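To make the point about slight variations concrete, here is an added example (not part of the original article) that checks whether a candidate password is only a cosmetic tweak of the old one. The function names, the substitution table, and the two-edit threshold are assumptions chosen for illustration, and the sample passwords are constructed.

```python
import re

# Common character swaps seen in "tweaked" passwords (assumed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def core(password: str) -> str:
    """Reduce a password to its base word: lowercase it, drop leading and
    trailing digits/symbols, then undo common character substitutions."""
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return s.translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def is_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is the old password with cosmetic changes only."""
    a, b = core(old), core(new)
    if a and a == b:
        return True                       # same base, different decoration
    if min(len(a), len(b)) >= 4 and (a in b or b in a):
        return True                       # old base embedded in the new one
    # Fallback for small in-place edits, including all-digit passwords.
    return edit_distance(old.lower(), new.lower()) <= max_edits

if __name__ == "__main__":
    old = "Sunflower2019"                 # constructed sample values
    for candidate in ("Sunflower2020!", "5unfl0wer#1",
                      "copper-lantern-drift-orbit-47"):
        verdict = "too similar" if is_variation(old, candidate) else "fresh"
        print(f"{candidate}: {verdict}")
```

Only the unrelated passphrase passes; the other two candidates reduce to the same base word as the leaked password.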
If you have ever reused that password on other services, change it on every one of those accounts immediately. Credential stuffing attacks rely on the fact that people often recycle passwords, and a single leak can unlock your email, social media, or payment platforms. Using a password manager makes generating and tracking unique passwords far easier, but even an immediate manual sweep of your most critical accounts stops the bleeding right away.
Wherever possible, turn on two-factor authentication after resetting the password. Even if an attacker gets your new credentials through a future unknown leak, the extra code sent to your phone or generated by an app will block them. Many sites also offer a feature to log out all active sessions; use it to force out anyone who may already have a stolen session token.
Figure Out What Information Was Actually Exposed
Read the breach notification carefully. A leaked email address and password alone already put many of your other accounts at risk, but if the breach included your full name, physical address, phone number, or date of birth, the danger grows. That combination can fuel identity theft attempts or be used to answer security questions on other sites.
Pay special attention to payment data. Even if the site says card numbers were encrypted or tokenized, treat any payment detail that was stored as potentially compromised. Attackers sometimes manage to decrypt data months later, and partial information like the last four digits of a card can fuel convincing social engineering. Contact your card issuer and explain the situation. A proactive reissue of the card and a temporary transaction alert on your account is safer than waiting for a fraudulent charge to appear.
If highly sensitive personal identifiers, such as a government-issued ID number, were part of the leak, consider freezing your credit with the major bureaus and enrolling in any free credit monitoring the breached company offers. Keep an eye on your bank and credit card statements for at least six months after the event, because stolen data is often traded and used long after the initial announcement.
Beware of Phishing That Exploits the Breach
In the weeks following a leak, attackers often send fake emails pretending to be the affected company. They may offer a free credit monitoring link, a "mandatory" password reset, or a security tool download. Because the message may include your real name or other details taken from the breach, it can look genuine. Never click the links in such emails. Instead, open your browser and manually type the website address to log in and check for official notifications.
Phone-based scams also spike after a breach. You might receive a call from someone claiming to be support staff who needs to verify your identity. Legitimate companies almost never reach out this way. Hang up and contact the business through a phone number you find