What to Do the Moment You Realize Your Password Was Leaked

It happens fast. You get an email from a service you barely remember signing up for, or a friend sends you a screenshot, or—worst of all—you notice a login from a city you've never visited. Your stomach drops. My password is out there.

The good news: the minutes right after you find out are the most powerful ones you have. Most account takeovers don't happen the instant a breach occurs—they happen days or weeks later, when attackers run automated scripts and count on you to do nothing. Here's exactly what to do, in order, right now.


Step 1: Verify the Breach Is Real (2 minutes)

Before you panic-change everything, confirm what actually leaked. Rushed changes to the wrong accounts waste time and can introduce new mistakes.

  • Go to HaveIBeenPwned.com and enter the email address associated with the account in question. Troy Hunt's database indexes billions of records from confirmed breaches. If your email shows up under a specific breach, note the breach name and date—that tells you which password was exposed.
  • Check Google's Password Checkup (built into Chrome and your Google account under Security → Password Manager → Check passwords). It cross-references your saved credentials against known breach databases in a privacy-preserving way.
  • Look at the breach notification email itself. Legitimate breach notifications tell you what data was exposed (email, hashed password, plain-text password, phone number) and never ask you for your password. Treat a "hashed" password as exposed anyway: unsalted or fast hashes are cracked offline in bulk, and a weak password falls to cracking even under a good hash. If the email is asking you to click a link to "secure your account," treat it as a probable phishing attempt and go directly to the site manually instead.

Once you've confirmed the breach is real and know roughly which password leaked, move immediately to the next step.
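The "privacy-preserving" lookup mentioned above is worth seeing in code, because it is the same trick you should expect from any checker you trust with a password: only the first five characters of the password's SHA-1 hash leave your machine, the service returns every suffix it knows under that prefix, and the match is made locally. The script below is an added example, not code from HaveIBeenPwned or Google; the sample range response is constructed (its breach counts are made up) so the offline function runs without network access, and the optional fetch_range helper queries the real Pwned Passwords range endpoint.

```python
import hashlib
import urllib.request

# Constructed sample of the shape a Pwned Passwords range response takes: one
# line per known hash with that 5-character prefix, "SUFFIX:COUNT". Real
# responses run to hundreds of lines and the counts below are invented.
# SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, prefix 5BAA6.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means the hash was not in it."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        known_suffix, _, count = line.partition(":")
        if known_suffix.upper() == suffix:
            return int(count)
    return 0


def check_password_offline(password: str, range_body: str) -> int:
    """Number of times the password appeared in breaches, given a range response."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_body)


def fetch_range(prefix: str) -> str:
    """Network call: only the 5-character prefix is sent (k-anonymity)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "breach-response-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str) -> int:
    """Live check against Pwned Passwords; the password itself is never transmitted."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Password to check (never sent in full): ")
    print("seen in breaches:", check_password(pw), "times")
```

A count of zero is not proof the password is safe, only that this particular corpus has not seen it; a count above zero means stop using it everywhere, not just on the breached site.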


Step 2: Change the Leaked Password on That Site Right Now

  • Open the affected service directly in a new browser tab (type the URL, don't click links from any email).
  • Generate a new password that is at least 16 characters, random, and unique—something you've never used before. A password manager's built-in generator is the right tool here. Avoid anything with your name, pet, birthday, or the word "secure" anywhere in it.
  • Do not reuse even a pattern, such as changing MyOldPass2024 to MyOldPass2025. Attackers run rule-based mutation scripts that try exactly these incremental changes: appended years, a bumped digit, a trailing exclamation mark, a capitalized first letter.
  • Save the new password in your password manager before closing the tab. Rushing through this step and then forgetting the new password is a classic way to compound the problem.

Step 3: Hunt Down Password Reuse—This Is the Real Danger

A single leaked password is manageable. The same password used across twenty sites is a catastrophe waiting to happen. Credential stuffing, where attackers take one set of login details and automatically try them across hundreds of popular services, is one of the most common causes of account takeover. The attackers don't need to hack each site individually; you've already given them the key.

  • Open your password manager and search for any other account using that same password. Most managers have a report that highlights duplicates and compromised entries: Watchtower in 1Password, the Reused Passwords and Exposed Passwords reports in Bitwarden, Password Health in Dashlane. Check near-duplicates too, not just exact matches.
  • Prioritize by damage potential: banking and financial accounts first, then email (because email can reset everything else), then work accounts, then social media, then everything else.
  • Change each one in sequence, generating a fresh unique password for every account. Yes, this takes time. No, there's no shortcut. This is the job.
  • If you don't use a password manager yet, now is the forcing function. Install Bitwarden (free, open source, excellent) or 1Password while you work through this. Import or manually add credentials as you go.
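If your manager can export your vault, the hunt in Step 3 (and the "no patterns" rule from Step 2) can be automated rather than eyeballed. The script below is an added example, not a feature of any password manager. It assumes a CSV export in the column layout Bitwarden uses (login_uri, login_username, login_password and so on; other managers use different headers), and the sample vault, its passwords and the keyword-based priority tiers are all constructed for illustration. It finds exact duplicates, groups passwords that differ only by the mutations cracking rules try (case, a year, trailing digits or symbols), and orders the accounts sharing a leaked password by damage potential. Delete the export when you are done; it is your whole vault in plain text.

```python
import csv
import io
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample vault in Bitwarden's CSV export layout (assumption about
# the column names; adjust for your manager). Every credential here is fake.
SAMPLE_EXPORT = """\
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,0,login,Big Bank,,,0,https://www.bigbank.example,alice,MyOldPass2024,
,0,login,Gmail,,,0,https://mail.google.com,alice@gmail.com,MyOldPass2025,
,0,login,Forum,,,0,https://forum.example.org,alice,MyOldPass2024,
,0,login,Shop,,,0,https://shop.example.com,alice,correct horse battery staple,
,0,login,Work VPN,,,0,https://vpn.corp.example,alice,xK9#vQ2!mLp7&rT4wZ,
"""

# Assumption: crude hostname keywords for the "damage potential" order in the
# text (money, then email, then work, then everything else). Lower is more urgent.
PRIORITY_TIERS = [
    (0, ("bank", "pay", "card", "finance")),
    (1, ("mail", "google", "outlook", "proton")),
    (2, ("vpn", "corp", "okta")),
]


def priority(uri: str) -> int:
    host = urlparse(uri).hostname or ""
    for tier, words in PRIORITY_TIERS:
        if any(word in host for word in words):
            return tier
    return 3


def stem(password: str) -> str:
    """Collapse the mutations rule-based cracking tries: case, a 19xx/20xx year,
    and trailing digits or punctuation. MyOldPass2024 and MyOldPass2025! both
    stem to 'myoldpass', so they count as the same password for reuse purposes."""
    s = password.lower()
    s = re.sub(r"(19|20)\d{2}", "", s)
    s = re.sub(r"[\d!@#$%^&*.]+$", "", s)
    return s


def find_reuse(export_csv: str) -> tuple[dict, dict]:
    """Return (exact duplicates, pattern duplicates), each mapping the shared
    password or stem to the account names that use it."""
    exact = defaultdict(list)
    near = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        exact[row["login_password"]].append(row["name"])
        near[stem(row["login_password"])].append(row["name"])
    exact_dupes = {pw: names for pw, names in exact.items() if len(names) > 1}
    pattern_dupes = {st: names for st, names in near.items() if len(names) > 1}
    return exact_dupes, pattern_dupes


def rotation_order(export_csv: str, leaked_password: str) -> list[str]:
    """Accounts whose password matches the leaked one (or a mutation of it),
    ordered most-damaging first. This is the change-these-now list."""
    target = stem(leaked_password)
    hits = [r for r in csv.DictReader(io.StringIO(export_csv))
            if stem(r["login_password"]) == target]
    hits.sort(key=lambda r: (priority(r["login_uri"]), r["name"]))
    return [r["name"] for r in hits]


if __name__ == "__main__":
    exact, pattern = find_reuse(SAMPLE_EXPORT)
    print("exact duplicates:", exact)
    print("pattern duplicates:", pattern)
    print("rotate first:", rotation_order(SAMPLE_EXPORT, "MyOldPass2024"))
```

The stem function is deliberately aggressive: a false positive costs you one unnecessary password change, a false negative leaves a stuffable account in place.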

Step 4: Kill Every Active Session

Changing your password does not automatically kick out someone who's already logged in. Many services issue session tokens that remain valid until they expire, sometimes for weeks. Some services do revoke existing sessions on a password change, but don't assume it. An attacker who got in before you changed your password can stay in.

  • Look for a "Sign out of all devices" or "Active sessions" option. On Google, this is under Security → Your devices → Manage all devices. On Facebook, it's Settings → Security and Login → Where You're Logged In. Most major services have an equivalent.
  • Sign out everywhere, then sign back in fresh with your new credentials.
  • Check for connected apps and authorized third-party access. On Google, visit myaccount.google.com/permissions. On Twitter/X, it's Settings → Security → Apps and sessions. Revoke anything you don't recognize or no longer use. These OAuth connections can persist even after a password change.

Step 5: Enable Two-Factor Authentication—Today, Not Tomorrow

Two-factor authentication (2FA) is the single most effective thing you can do to prevent an attacker from using a leaked password. Even if they have your exact current password, they can't log in without the second factor. This turns a credential leak from a full account takeover into a speed bump. It is not absolute: a phishing page that relays your one-time code in real time, or malware that steals an already-logged-in session cookie, still gets through, which is why Step 4 matters and why hardware keys are the stronger option.

  • Prefer an authenticator app over SMS. SMS 2FA is better than nothing, but it's vulnerable to SIM swapping, where an attacker tricks your carrier into porting your number. Apps like Ente Auth (open source, encrypted cloud backup), Authy, or Google Authenticator generate time-based one-time passwords (TOTP) from a secret stored in the app on your phone (and, where the app offers it, in an encrypted backup), so nothing travels over the phone network for an attacker to intercept.
  • For maximum security: use a hardware key. A YubiKey or similar FIDO2 device provides phishing-resistant authentication: the key signs a challenge bound to the real site's domain, so a fake login page at a look-alike address gets no usable response even if it has already captured your password.
  • Enable 2FA on the breached account immediately, then work down your priority list—email, banking, social media, anything with a payment method attached.
  • Save your backup codes. Most services hand you a set of one-time recovery codes when you set up 2FA. Print them or store them in your password manager. Losing access to your 2FA device without backup codes can lock you out permanently.

Step 6: Secure Your Email Account Above Everything Else

Your email is the master key. Every "forgot password" link goes there. If an attacker controls your email, they can reset every other account at leisure—regardless of what passwords you change elsewhere.

  • Change your email account password now if it used the same or similar credentials as the breached account.
  • Enable 2FA on your email first if you haven't already. Gmail, Outlook, and ProtonMail all support authenticator apps and hardware keys.
  • Check email forwarding rules and filters. A subtle attacker doesn't lock you out—they set up a silent forwarding rule so all your mail copies to them, and you never notice. In Gmail, go to Settings → See all settings → Forwarding and POP/IMAP and delete anything unexpected.
  • Review recovery options. Make sure the recovery phone number and backup email on your account are ones you actually control.
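The silent forwarding rule described above is easy to miss in a long filter list, so it is worth checking mechanically. Gmail can export all filters to a file (Settings → Filters and Blocked Addresses → Export) and the script below, an added example that is not a Google tool, flags any filter that forwards mail, and separately any forwarding filter that also archives, trashes or marks the message read so you never see the original. It assumes the export is an Atom feed whose filter settings are apps:property elements with name and value attributes, which is how I understand that file; the sample feed is constructed, and the second filter in it is the attacker's pattern. Note that the account-level setting under Forwarding and POP/IMAP is not part of this export and still has to be checked by hand.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the layout of Gmail's exported mailFilters.xml
# (assumption about the format). Filter 1 is benign; filter 2 copies every
# message from the bank to an outside address and hides the original.
SAMPLE_FILTERS = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='bigbank.example'/>
    <apps:property name='forwardTo' value='attacker-dropbox@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

# Assumption: forwarding destinations you set up yourself go here; anything
# else that forwards is reported.
TRUSTED_FORWARDS: set[str] = set()

# Actions that keep the original message out of your inbox or unread count.
HIDING_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")


def parse_filters(xml_text: str) -> list[dict]:
    """One dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def suspicious_filters(xml_text: str, trusted: set[str] = TRUSTED_FORWARDS) -> list[dict]:
    """Forwarding filters to an unexpected address, or any forwarding filter
    that also hides the original, which is the intruder's signature."""
    findings = []
    for props in parse_filters(xml_text):
        destination = props.get("forwardTo")
        if not destination:
            continue
        hides = any(props.get(action) == "true" for action in HIDING_ACTIONS)
        if destination not in trusted or hides:
            findings.append({
                "forwardTo": destination,
                "matches": props.get("from") or props.get("hasTheWord") or "(all mail)",
                "hides_original": hides,
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_filters(SAMPLE_FILTERS):
        print("SUSPICIOUS:", finding)
```

Delete anything this reports that you did not create, then re-export and re-run until it comes back empty; an attacker who planted one rule often plants a second under a different match.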

Step 7: Monitor for Downstream Damage

Even after you've rotated everything, keep watch for the next few weeks.

  • Set up breach alerts. HaveIBeenPwned offers free email notifications when your address appears in a new breach. Sign up so you're not waiting to find out the hard way next time.
  • Review recent account activity on your financial accounts, email, and any shopping sites with stored payment methods. Look for unfamiliar logins, purchases, or password reset requests you didn't initiate.
  • Check your credit if financial data was in the breach. If the breach involved payment cards or your Social Security number, consider placing a credit freeze with the three major bureaus (Equifax, Experian, TransUnion). A freeze is free, doesn't affect your credit score, and prevents anyone from opening new credit in your name.
  • Watch for phishing follow-ups. Breached email addresses get sold and end up on phishing lists. Be especially skeptical of "urgent security notices" from any service in the next few weeks. Go direct—never through links in email.

The Honest Truth About Why This Happens

Websites get breached. It's not a question of if; it's when. The sites you trusted to store your data securely sometimes fail: through poor security practices, through storing passwords in plain text or with weak hashing (unsalted MD5 is still out there in 2024, embarrassingly, and a single GPU tests billions of MD5 guesses per second), or through vulnerabilities they didn't patch in time.

The only real defense you control is what you do on your end: unique passwords everywhere, a password manager to make that feasible, 2FA on everything that matters, and a practiced response for when something inevitably leaks. The checklist above isn't paranoia. It's the minimum.

The moment you know is the moment your advantage is greatest. Use it.