If your password was leaked in a data breach, change it immediately on the breached account and on every other account where you used the same password. Then enable two-factor authentication on all of them. Speed matters — attackers test stolen passwords against other sites within hours.
How do you know if your password was leaked?
There are several ways to find out:
- Breach notification email — the company that was breached is legally required to tell you, though these can take weeks to arrive
- Breach checker — use EmailLeaked to scan your email against 12 billion+ stolen records and see exactly what was exposed in each breach
- Password leaked alerts — some browsers and password managers warn you when a saved password appears in known breach databases
- Strange account activity — if someone else is logging into your accounts, your password may have been compromised
The fastest way to check is to scan your email now. It shows you which breaches exposed your data and whether passwords were included.
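The "password leaked alerts" listed above usually work without ever sending your password anywhere: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known-breached hash suffix that shares that prefix, and matches the rest locally. The snippet below is an added example of that k-anonymity lookup, not EmailLeaked's code; the line format is the one used by the Have I Been Pwned Pwned Passwords range API, but the server reply here is a constructed stand-in (only the suffix of "password" is real, the counts and other suffixes are made up) so the code runs offline.

```python
import hashlib


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form these breach databases index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """5-char prefix that is sent to the server and 35-char suffix that stays on the device."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines returned for one prefix into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, ranges: dict[str, str]) -> int:
    """Times the password appeared in breaches; 0 if its suffix is not in the fetched range."""
    prefix, suffix = split_hash(password)
    # A real client would fetch the range for this prefix; here we only have local copies.
    return parse_range_response(ranges.get(prefix, "")).get(suffix, 0)


# Constructed reply for prefix "5BAA6" (the prefix of SHA-1("password")). The first suffix is
# the genuine remainder of that hash; the counts and the other two suffixes are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
00A0B1C2D3E4F5061728394A5B6C7D8E9F0:2
FFEEDDCCBBAA99887766554433221100FFE:17
""",
}

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: prefix sent = {prefix}, seen in breaches = {breach_count(pw, CONSTRUCTED_RANGES)}")
```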
How serious is a leaked password really?
Very serious — especially if you use the same password on multiple sites.
Here is what happens after a password leaks:
- The stolen database is shared on hacker forums within hours to days
- Automated tools test your email and password against hundreds of popular sites
- Any accounts where you reused that password are now accessible to the attacker
- The attacker can read your emails, access your bank, impersonate you on social media, or steal your identity
If the leaked password is unique to the breached site and you do not use it anywhere else, the damage is limited to that one account. But if you reused it — even with small variations — every account with that password is at risk right now.
Step 1 — Change the password immediately
Go directly to the breached site and change your password right now. Your new password should be:
- At least 16 characters long
- Completely random — not based on a word, name, or date
- Generated by a password manager if possible
- Never used on any other site
Do not create a slight variation of your old password. If your password was “MyDog2023!”, do not change it to “MyDog2026!”: cracking tools try variations like this automatically.
If you cannot log in because someone already changed your password, use the “Forgot password” link to regain access through your email.
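The rules in Step 1 can be enforced in code. The block below is an added example (not from the original article) of the check a password-change form or a personal script could run: it rejects passwords shorter than 16 characters and passwords that are only a tweak of the old one, catching both the “MyDog2023!” to “MyDog2026!” case and variants that merely pad the old word, and it generates a replacement with a cryptographic random source. The distance threshold of 3 edits is an assumption chosen for this example.

```python
import secrets
import string


def normalize(password: str) -> str:
    """Drop digits, symbols and case so 'MyDog2023!' and 'MyDog2026!' both become 'mydog'."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_weak_variation(old: str, new: str, max_distance: int = 3) -> bool:
    """True when the new password is a small edit of the old one or still contains its word stem."""
    stem = normalize(old)
    if len(stem) >= 4 and stem in normalize(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_distance


def check_new_password(old: str, new: str, min_length: int = 16) -> list[str]:
    """Return the reasons a proposed password fails the Step 1 rules (empty list = accepted)."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_weak_variation(old, new):
        problems.append("too similar to the old password")
    return problems


def generate_password(length: int = 20) -> str:
    """Random password over letters, digits and punctuation, drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(check_new_password("MyDog2023!", "MyDog2026!"))
    print(check_new_password("MyDog2023!", generate_password()))
```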
Step 2 — Find every account using that password
This is the critical step most people miss. Think carefully about everywhere you may have used that same password or a close variation.
Check these first — they are the highest-value targets:
- Your email accounts (Gmail, Outlook, Yahoo)
- Banking and financial services
- Social media (Facebook, Instagram, X, LinkedIn)
- Shopping sites with saved payment info (Amazon, eBay)
- Cloud storage (Google Drive, Dropbox, iCloud)
- Work and employer accounts
- Subscription services (Netflix, Spotify, etc.)
Change the password on every one of these to something new and unique. A password manager makes this much easier — it generates and stores a random password for each site.
Step 3 — Enable 2FA on every account you changed
After changing your passwords, add two-factor authentication to every important account. 2FA means that even if an attacker gets your new password somehow, they still cannot log in without a code from your phone.
Use an authenticator app (Google Authenticator, Authy) rather than SMS codes when possible. SMS can be intercepted. Authenticator apps cannot.
Priority accounts for 2FA:
- Email (this is the master key to everything else)
- Bank accounts
- Password manager (if you use one)
- Social media
- Cloud storage
For a full guide on setting up 2FA, read “What is two-factor authentication and how to set it up”.
Step 4 — Check if anything suspicious already happened
While you are changing passwords and enabling 2FA, look for signs that the leaked password was already used:
- Email: Check your sent folder for messages you did not send. Look at your email forwarding rules — attackers often set up silent forwarding to watch your inbox
- Bank accounts: Review recent transactions for anything you do not recognise
- Social media: Check for posts, messages, or friend requests you did not make
- Login history: Most services show recent login locations and devices. Look for unfamiliar ones
- Password reset emails: If you received unexpected password reset emails, someone may have been trying to access your accounts
If you find suspicious activity, take screenshots for evidence, contact the affected service’s support team, and consider placing a fraud alert with your bank.
How to make sure this never happens again
The permanent fix is straightforward:
Use a password manager. It generates and stores a unique random password for every account. A breach at one site can never affect another. For more details, read “What is a password manager and do you need one?”.
Enable 2FA everywhere. This adds a second layer of protection that works even if a password leaks.
Check regularly. Use EmailLeaked to scan your email for new breaches. The sooner you know, the faster you can act.
Never reuse passwords. This is the golden rule. Every account gets its own unique password. A password manager makes this effortless.
Frequently asked questions
How do hackers use leaked passwords?
Hackers use automated tools called credential stuffing bots. These take your leaked email and password and try them on hundreds of popular websites — banks, email providers, social media, shopping sites — within hours. Any account where you used the same password is instantly accessible.
How quickly do hackers use stolen passwords?
Research shows that stolen credentials are tested on other sites within hours of a breach becoming public. In many cases, attackers have been using the data for weeks or months before the breach is even announced. This is why speed matters.
Should I use a different password for every site?
Absolutely. This is the single most important thing you can do for your online security. When every password is unique, a breach at one site cannot cascade into other accounts. A password manager makes this practical.
What makes a strong password in 2026?
A strong password is long (16+ characters), random, and unique. The best passwords are generated by a password manager — strings like “x7#Kp9mR$2vLnQ4w” that are impossible to guess. If you must create one manually, use a passphrase of 4+ random words.
Is my password still dangerous if it is old?
Yes. Old breach data is actively used in attacks years after the original breach. Credential stuffing bots use databases from breaches going back over a decade. If you have not changed a password that was in an old breach, change it now.
What is credential stuffing?
Credential stuffing is an automated attack where hackers take stolen email and password pairs from one breach and try them on other websites. It exploits the fact that most people reuse passwords. If your LinkedIn password was stolen and it is the same as your bank password, the attacker gets access to your bank. The only defence is unique passwords for every site.
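The FAQ answers on how hackers use leaked passwords and on credential stuffing describe the same pattern from the attacker's side: one source trying one leaked email-and-password pair after another against a site. From the defender's side that pattern is visible in login logs. The block below is an added example (not from the article) of detection logic run over a constructed sample log: it flags a source address that attempts many distinct accounts in a short window with mostly failures, and lists the accounts where the reused password worked, since those are the ones whose owners must be told to change it. The log format, the window of 5 minutes and the thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login audit log: "timestamp source_ip account result".
# 203.0.113.7 sprays leaked credentials across accounts; 198.51.100.2 is one user mistyping once.
SAMPLE_LOG = """\
2026-01-10T09:00:01 203.0.113.7 alice@example.com FAIL
2026-01-10T09:00:01 203.0.113.7 bob@example.com FAIL
2026-01-10T09:00:02 203.0.113.7 carol@example.com FAIL
2026-01-10T09:00:02 203.0.113.7 dave@example.com OK
2026-01-10T09:00:03 203.0.113.7 erin@example.com FAIL
2026-01-10T09:00:03 203.0.113.7 frank@example.com FAIL
2026-01-10T09:00:04 203.0.113.7 grace@example.com FAIL
2026-01-10T09:00:10 198.51.100.2 heidi@example.com FAIL
2026-01-10T09:00:25 198.51.100.2 heidi@example.com OK
"""


def parse_log(text: str):
    """Yield (time, ip, account, success) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result == "OK"


def find_stuffing_sources(text: str, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.6):
    """Flag IPs that hit many distinct accounts inside one window with mostly failed logins.

    Returns {ip: {"accounts", "attempts", "failures", "successes"}} for the widest window that
    tripped the rule; "successes" lists accounts the reused password actually opened."""
    by_ip = defaultdict(list)
    for event in parse_log(text):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over this IP's attempts
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = events[start:end + 1]
            accounts = {e[2] for e in seen}
            failures = sum(not e[3] for e in seen)
            if len(accounts) >= min_accounts and failures / len(seen) >= min_fail_ratio:
                flagged[ip] = {"accounts": len(accounts), "attempts": len(seen), "failures": failures,
                               "successes": sorted(e[2] for e in seen if e[3])}
    return flagged
```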