PanicStation.org

What to do if…
you get notified of a data breach and you reuse that password on other services

Short answer

Assume that password is now “public” and change it everywhere you used it (starting with your email account), then turn on two-step verification on your most important accounts.

Do not do these things

  • Don’t click links in the breach email unless you independently navigate to the company’s website/app first (breach notices are often used for phishing).
  • Don’t “tweak” the old password (like adding a number) and reuse it again — attackers try common variations.
  • Don’t start with low-value accounts first; secure email, banking, and your mobile/Apple/Google accounts before anything else.
  • Don’t store the new password in notes, screenshots, or an unprotected document.
  • Don’t ignore “no suspicious activity yet” — credential-stuffing can happen days or weeks later.

What to do now

  1. Make a quick list of everywhere that password was used.
    Include “similar” versions (same base word with small changes). If you’re unsure, assume it counts.

  2. Secure your email account first (this is the reset key for everything).

    • Change the email password to a strong, unique one.
    • Turn on two-step verification (2SV).
    • Check your email filters and forwarding rules, and remove anything you didn’t set.
  3. Change the breached account password next — using a completely new, unique password.
    If the service provides a “devices/sessions” or “where you’re logged in” page, sign out of other sessions/devices and review recent login activity.

  4. Change that reused password everywhere else — in priority order.
    Do these first:

    • banking, credit cards, PayPal/other payment apps
    • Apple ID / Google account / Microsoft account
    • mobile network account (SIM/number control)
    • any work accounts, password manager, cloud storage
    Then do shopping, social, forums, etc.

  5. Turn on 2SV on the most important accounts (even after changing passwords).
    Prefer an authenticator app or hardware key where available. Keep backup/recovery codes somewhere safe.

  6. Add “tripwires” so you’ll know fast if someone tries again.

    • Enable login alerts / new device alerts where possible.
    • Add/confirm a recovery email and phone number you control (and that are themselves secured).
  7. Watch for signs of misuse and act quickly if you see them.
    Examples: password reset emails you didn’t request, new logins, changed profile details, new payees/orders. If you see any, use the service’s account-recovery flow immediately and contact your bank/payment provider if money is involved.

  8. If the breach includes personal details (not just a password), consider identity-fraud precautions.

    • If you’re worried someone could apply for products/services in your name, Cifas Protective Registration can add extra checks when your details are used. It’s a paid service, can slow down genuine applications because checks are added, and it doesn’t guarantee prevention of all fraud.
    • If you think an organisation has handled your personal information badly, complain to the organisation first. If you’re not satisfied with their response (or they don’t respond after a reasonable period, often up to a month), you can escalate a data protection complaint to the ICO.

What can wait

  • You do not need to decide today whether to close accounts or change email address/phone number.
  • You do not need to overhaul every security setting everywhere — focus on unique passwords + 2SV + securing email first.
  • You do not need to reply to the breach email (unless you’re sure you’re communicating via the official site/app).

Important reassurance

Reusing passwords is extremely common — attackers rely on automation, not personal targeting. Taking the “email first, then everything else” approach quickly cuts off most of the damage.

Scope note

These are first steps only, for the next hour or two. If you find evidence of account takeover, financial loss, or identity fraud, you may need additional steps specific to that service/bank.

Important note

This guide provides general information for immediate stabilisation and harm reduction, not legal, financial, or cybersecurity professional advice. If you’ve lost money, feel unsafe, or believe identity fraud is underway, contact the relevant provider(s) promptly.
