First 24 Hours After Email Data Breach


The alert lands: a service you used has been hit by a data breach, and your address is on the list. Maybe the leak is just emails. Maybe it is passwords, or worse. The usual reaction is a flash of panic followed by a vague “I should do something.” This is the something. Work through it in order and, by tonight, you will be in a far better spot than you were this morning. I think about this sequence a lot, because cutting down breach exposure is half the reason I built LettMail.

Hour 1: confirm what the data breach actually exposed

Not all breaches are equal. Some leak only addresses. Some leak passwords in a hashed form that may or may not be crackable. Some leak names, addresses, payment details, and security answers. Before anything else, find out which kind you are facing. Go to Have I Been Pwned, enter the address, and it lists every known breach it appears in and what was exposed each time. Make a short list of the affected accounts.

Hour 2: change the password on the breached account

Log in and change it. Long, unique to that site, and not a tweak of the old one. If the service can log you out of all other sessions, do that. If it offers extra verification for new logins, switch it on now.

Hour 3: change it everywhere you reused it

This is the step most people skip, and it is the most important one. If that password lives on other accounts too, every one of them is now exposed through credential stuffing — attackers replay the leaked email-password pair against thousands of sites within hours. List every account that shared the password or a near-variation, and change them all. A long list is normal, and it is the clearest argument for finally using a password manager.
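To build that list from a password manager export, the following added example (not LettMail code) flags every entry that reuses the leaked password exactly or as a near-variation. The CSV column names, the sample entries, and the 0.8 similarity threshold are assumptions made for illustration.

```python
import csv
import io
import re
from difflib import SequenceMatcher

# Constructed sample export; the column names (site, username, password)
# are assumptions and vary between password managers.
SAMPLE_EXPORT = """site,username,password
shop.example,me@example.com,Sunflower2021!
forum.example,me@example.com,sunflower2022
bank.example,me@example.com,kT9#vLq2xw@Zr8nB
news.example,me@example.com,Sunflower2021!
photos.example,me@example.com,Sunfl0wer!!
"""

def core(password):
    """Reduce a password to its base word: lowercase, drop trailing
    digits and punctuation, then undo common letter substitutions."""
    p = re.sub(r"[\d\W_]+$", "", password.lower())
    return p.translate(str.maketrans("01345@$", "oieasas"))

def exposed_accounts(export_csv, leaked_password, threshold=0.8):
    """Return (site, reason) for each entry that shares the leaked
    password exactly or as a near-variation of it."""
    leaked_core = core(leaked_password)
    hits = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        pw = row["password"]
        if pw == leaked_password:
            hits.append((row["site"], "exact reuse"))
            continue
        c = core(pw)
        similar = SequenceMatcher(None, c, leaked_core).ratio() >= threshold
        if c and (c == leaked_core or similar):
            hits.append((row["site"], "near-variation"))
    return hits

if __name__ == "__main__":
    for site, reason in exposed_accounts(SAMPLE_EXPORT, "Sunflower2021!"):
        print(f"{site}: {reason}")
```

A real export holds every password in plaintext, so run this locally and delete the file as soon as the list is made.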

Hour 4: turn on two-factor authentication

On each of those accounts, enable two-factor authentication — an authenticator app or hardware key rather than SMS, which is exposed to SIM-swap attacks. Pay special attention to your primary email: control of your inbox means control of every password reset you own. Treat it as the keys to the kingdom.

Hour 5: check account recovery settings

While you are in each account, review recovery options. Is the recovery phone current? Is the backup email one you still control? Are there trusted devices you no longer use? Clean them out. Attackers often quietly add their own recovery routes so they can return later, even after you change the password.

Hour 6: watch for targeted phishing

The days right after a breach are prime time for phishing aimed at exactly the people who were exposed. The attacker knows your address is live and which service was hit, so the fake “verify your account” mail looks convincing. Do not click links in any breach email — open a fresh tab, go to the service yourself, and if you want to be sure who really sent a message, read its email headers. (More on the patterns in how to avoid phishing.)
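What reading the headers looks like in practice, as an added example that is not part of the original post: it parses a raw message and reports the signs that the visible sender is not who actually sent it. The message, all domains, and the simplified domain-alignment rule are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the From line imitates the breached service, but the
# receiving server's checks point at a different sending domain.
SAMPLE = """\
Authentication-Results: mx.mailhost.example;
 spf=pass smtp.mailfrom=bounce.bulk-sender.example;
 dkim=pass header.d=bulk-sender.example;
 dmarc=fail header.from=shop.example
Return-Path: <news@bounce.bulk-sender.example>
From: "Shop Security Team" <security@shop.example>
Reply-To: help@shop-verify.example
Subject: Verify your account after our data breach

Click here to verify.
"""

def domain_of(value):
    """Domain part of an address header, lowercased ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def header_warnings(raw):
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From"))
    # Only the Authentication-Results header stamped by your own mail
    # provider (the topmost one) is trustworthy; a sender can forge others.
    results = msg.get("Authentication-Results", "")
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    warnings = [f"{c}={verdicts.get(c, 'missing')}"
                for c in ("spf", "dkim", "dmarc") if verdicts.get(c) != "pass"]
    signer = re.search(r"header\.d=([\w.-]+)", results)
    if signer:
        d = signer.group(1).lower()
        # Simplified alignment: same domain, or one is a subdomain of the other.
        if not (sender == d or sender.endswith("." + d) or d.endswith("." + sender)):
            warnings.append(f"DKIM signed by {d}, not {sender}")
    reply = domain_of(msg.get("Reply-To"))
    if reply and reply != sender:
        warnings.append(f"Reply-To goes to {reply}, not {sender}")
    return sender, warnings

if __name__ == "__main__":
    print(header_warnings(SAMPLE))
```

An empty warning list means the headers are consistent with the claimed sender, not that the message is safe; going to the service in a fresh tab remains the reliable route.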

Hour 12: look at financial accounts

If the leak touched payment data, partial card numbers, or billing details, watch your statements for weeks. Switch on real-time transaction alerts. Dispute anything you do not recognize, even a tiny charge — small test charges often precede bigger fraud. For deeper exposure such as a national ID number, consider a credit freeze with the major bureaus; it is free, reversible, and one of the strongest defenses against identity theft. In the US, IdentityTheft.gov walks you through a recovery plan step by step.

Hour 24: build a short watch list

Before the day ends, note three things: the breached service, the date you acted, and a reminder to check back in two weeks. Stolen credentials can sit unused for months, so a reminder for two weeks and again at three months gives you a shot at catching anything that surfaces late.

Reduce the damage of the next one

Breaches will keep happening to other services no matter what you do. The goal is not to prevent every breach but to make the one that hits you cost as little as possible.

  • Use a password manager. Unique, long, random password per account, so one leak cannot spread.
  • Use two-factor authentication everywhere it is offered, especially email and money.
  • Shrink how many services hold your real email. Use a temporary email for low-trust sign-ups; if a future leak hits one of those, your real inbox was never on the list. Here are ten everyday moments where that pays off.
  • Subscribe to breach alerts so you hear about the next leak early.

The calm version of a data breach response

Breaches are baked into how the internet works. The damage is not. Most of it comes from one failure — password reuse — and most of the rest from reacting too fast to a phishing email while you are still rattled. Slow down, work the steps in order, and you close the doors that matter long before anyone can walk through them.
