What to do if…
you get notified of a data breach and you reuse that password on other services
Short answer
Treat that password as compromised: change it everywhere you used it (start with your email), then turn on two-factor authentication on your most important accounts.
Do not do these things
- Don’t click links or call numbers in the breach notice until you verify them independently (phishing often piggybacks on real breaches). Use the company’s official site/app, or a number you already trust (like the one on your statement, card, or in account settings).
- Don’t share one-time verification codes (2FA codes) or sensitive identifiers in response to an inbound email/text — only enter them in a login/recovery flow you started from a verified site/app.
- Don’t reuse the old password with small edits (like “Password1!” → “Password2!”).
- Don’t start with low-priority accounts; lock down email, banking, and Apple/Google/Microsoft accounts before anything else.
- Don’t save new passwords in a plain note, screenshot, or unprotected file.
- Don’t assume you’re safe because nothing looks wrong yet — automated login attempts can happen later.
What to do now
- Confirm the notice is real (fast, without engaging with it).
  Go directly to the company’s official website/app (type it in or use your existing app), sign in from there, and look for a security notice or inbox message.
- Secure your email account first (it controls password resets).
  - Change your email password to a strong, unique password.
  - Turn on 2FA.
  - Check for unfamiliar forwarding rules/filters and remove anything you didn’t create.
- Change the breached account password next, then force logouts.
  Use a brand-new unique password. If the service offers a “devices/sessions” page, sign out of other sessions/devices and review recent login activity.
- Change that reused password on every other service — in priority order.
  Do these first:
  - banks, credit cards, PayPal/payment apps
  - Apple ID / Google / Microsoft accounts
  - mobile carrier account (controls your phone number)
  - work accounts, password manager, cloud storage

  Then move to shopping, social media, subscriptions, etc.
- Turn on 2FA wherever it matters.
  Start with email + financial + mobile carrier + major identity accounts. Prefer authenticator apps or hardware keys when available; store backup codes safely.
- Add “tripwires” so you’ll know quickly if someone tries again.
  Turn on login alerts/new device alerts, and confirm recovery email/phone are correct and secured.
- If the breach included personal info that could be used for identity theft, consider credit protections.
  - A credit freeze makes it harder for someone to open new credit in your name; to be fully effective you generally place it with each of the three nationwide credit bureaus.
  - A fraud alert tells creditors to take extra steps to verify it’s you; you can typically place one by contacting any one of the three bureaus.
  - If identity theft is suspected (new accounts, bills, or credit activity you don’t recognize), use IdentityTheft.gov for a step-by-step recovery plan and documentation.
- Watch closely for the next few weeks.
  Keep an eye out for password reset emails you didn’t request, new logins, new payees, unusual purchases, or mail about new accounts. If money is involved, contact your bank/card issuer right away.
What can wait
- You don’t need to close all accounts today — first stop password reuse and enable 2FA.
- You don’t need to rebuild your whole digital life right now — focus on the handful of accounts that can cascade into everything else.
- You don’t need to respond to the breach notice email once you’ve handled changes through official channels.
Important reassurance
This situation is common, and attackers usually use automation, not personal targeting. If you change reused passwords (starting with email) and add 2FA, you eliminate most of what credential-stuffing relies on.
Scope note
This is immediate stabilisation and first steps only. If you find evidence of account takeover, financial loss, or identity theft, follow the relevant provider’s recovery process and use official identity-theft resources.
Important note
This guide provides general information for immediate stabilisation and harm reduction, not legal, financial, or cybersecurity professional advice. If you’ve lost money or believe identity theft is occurring, contact the relevant providers promptly and consider official reporting steps.
Additional Resources
- https://consumer.ftc.gov/consumer-alerts/2022/10/have-you-been-affected-data-breach-read
- https://consumer.ftc.gov/articles/use-two-factor-authentication-protect-your-accounts
- https://consumer.ftc.gov/articles/credit-freezes-and-fraud-alerts
- https://consumer.ftc.gov/credit-freeze-or-fraud-alert-right-you
- https://www.identitytheft.gov/databreach
- https://www.identitytheft.gov/Steps?scroll=true