What to do after a data breach or hacked account
Your data was exposed, or an account was broken into. Don't panic — work through these steps in order to contain the damage.
Data breaches happen to companies of every size, and even careful people get accounts compromised. What matters is acting quickly and in the right order.
If a company you use was breached
- Change that account's password to a new, unique one.
- Change it everywhere you reused it. Attackers will try the leaked password on your other accounts.
- Turn on two-factor authentication for that account and your email.
- Watch for phishing — scammers send fake "security" messages referencing the breach.
- If payment details were exposed, tell your bank and watch your statements.
If your account was actually hacked
- Regain control via "forgot password," or the service's hacked-account recovery page if you are locked out.
- Change the password and sign out all other sessions — most services have a "log out everywhere" button.
- Turn on two-factor authentication.
- Check what was changed: recovery email and phone, forwarding rules, connected apps — attackers often add a back door so they can return.
- Tell your contacts if the account messaged or scammed them.
Protect your email first, always
Your email is the master key — password resets for everything else land there. If you can only secure one account, secure your email: new unique password, two-factor on, and remove any unfamiliar recovery addresses or forwarding rules.
If money or identity is involved
- Call your bank to freeze cards and dispute fraudulent charges
- Consider a credit freeze or fraud alert so no one opens accounts in your name
- Report identity theft via the official services in our reporting directory
- Keep a written record of what happened and every step you took
Make the next breach harmless
- Use a password manager so one leak never affects another account
- Turn on two-factor everywhere important
- Set up free breach alerts at haveibeenpwned.com
- Share as little personal data as possible in the first place
Remember the order: contain (change passwords, log attackers out), secure (two-factor, check for back doors), then recover (bank, credit, reporting).