In my line of work, the question “have I been breached?” usually arrives in a panic — a suspicious login alert, a friend saying they got a strange message from your account, or a news headline about a company you use. The instinct is either to ignore it and hope, or to flail and change everything at random. Neither works. What works is a calm, ordered response, the same way an IT team runs an incident: assess, contain, recover, and harden.

This guide gives you that process. First, how to find out whether your data is actually out there. Then, a step-by-step playbook for the critical first hour if it is.

Part 1: How to check whether you’ve been breached

Check your email and passwords against known breaches

The most useful starting point is a breach-notification service that aggregates known data leaks. Have I Been Pwned (haveibeenpwned.com) is the established, reputable one, run independently and used by security professionals worldwide. You enter your email address and it tells you which known breaches included it, and what data was exposed — passwords, phone numbers, addresses, and so on.

A word of caution that matters: only ever check passwords on a service that uses a privacy-preserving method (Have I Been Pwned uses a technique called k-anonymity, where your password is never actually sent to the server). Never type your real passwords into a random “breach checker” you found through an ad. A fake checker is itself a phishing tool. The same principle is why our own password tools do all their analysis locally in your browser and never transmit what you type.

Use your browser and password manager’s built-in monitoring

Modern browsers and password managers continuously cross-reference your saved passwords against breach databases. Chrome’s Password Checkup, Apple’s Security Recommendations in iCloud Keychain, and the watchtower/health features in 1Password and Bitwarden will flag passwords that are weak, reused, or known to be leaked. If you use one of these, check it now — the warning may already be sitting there.
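To make the two ideas above concrete, here is an added Python model (not code from this post, from Have I Been Pwned, or from any password manager) of the k-anonymity range check and of the reused/leaked audit a health report performs. The leaked-password set, the sample vault and the range_server function are constructed stand-ins for the real service; the assumption is that a real range response uses the same SUFFIX:COUNT line shape.

```python
import hashlib

# Constructed leaked-password corpus standing in for a breach database.
# A real service holds hundreds of millions of hashes; this is a toy set.
LEAKED = {"Password123": 1_450_000, "qwerty": 3_900_000, "letmein": 250_000}

# Constructed sample vault: (site, password). Not real credentials.
VAULT = [
    ("mail.example", "correct horse battery staple"),
    ("shop.example", "Password123"),
    ("bank.example", "Password123"),
    ("forum.example", "Tr0ub4dor&3"),
]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_server(prefix: str) -> str:
    """Server side of the range query (constructed stand-in): given only a
    5-hex-char hash prefix, return every known hash in that bucket as
    'SUFFIX:COUNT' lines. The server never sees the full hash."""
    assert len(prefix) == 5
    lines = []
    for pw, count in LEAKED.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)

def pwned_count(password: str, query=range_server) -> int:
    """Client side: hash locally, transmit only the first 5 hex chars, then
    compare the remaining 35 chars against the returned bucket locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        if line:
            cand, count = line.split(":")
            if cand == suffix:
                return int(count)
    return 0

def audit_vault(vault):
    """Flag reused and known-leaked passwords per site, as a health report does."""
    by_password = {}
    for site, pw in vault:
        by_password.setdefault(pw, []).append(site)
    findings = {}
    for pw, sites in by_password.items():
        issues = (["reused"] if len(sites) > 1 else []) + (["leaked"] if pwned_count(pw) else [])
        for site in sites:
            findings[site] = issues
    return findings
```

Calling audit_vault(VAULT) flags the two sites sharing "Password123" as both reused and leaked while the unique, unleaked passphrases come back clean.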

Watch for the behavioural signs

Data isn’t always in a published breach yet. These are the symptoms of a compromised account I tell people to take seriously:

Login alerts or “new device” notifications you don’t recognise.
Password-reset emails you didn’t request — a classic sign someone is trying to get in.
Friends receiving spam or odd messages from you.
Money or orders you didn’t make.
Security settings that changed on their own: a new recovery email or phone number is a huge red flag, because it means an attacker is trying to lock you out of your own recovery path.
Missing emails, especially deleted password-reset messages, which attackers remove to cover their tracks.

If you see any of these, treat the account as compromised and move to Part 2 immediately.

Part 2: The first-hour playbook

When an account is compromised, the order of operations matters enormously. Do the wrong thing first and you can lock yourself out or tip off the attacker before you’ve contained the damage. Here is the sequence I follow.

Step 1: Secure your email before anything else

This is counterintuitive when, say, your social media is the account that got hacked — but your email is the master key. Every “reset my password” link in your life lands there. If the attacker controls your email, changing other passwords is pointless because they’ll just reset them again.

So: regain control of your primary email first. Change its password to a new, strong, unique one. Check its security settings for any recovery email or phone number you don’t recognise and remove it. Sign out all other sessions (most providers have a “sign out of all devices” option). Only once email is locked down do you move on.

Step 2: Change the password on the breached account — and anywhere you reused it

Change the password on the compromised account to a brand-new, strong, unique one. Generate it rather than inventing it; our password generator creates high-entropy passwords and passphrases locally in your browser.

Then the painful but essential part: every other account where you used that same password is now also at risk. This is exactly how credential stuffing works — attackers take a leaked password and try it everywhere. Change it on every site where you reused it. If you can’t remember where, this is the moment that convinces most people to start using a password manager, so it never happens again.

Step 3: Revoke active sessions and connected apps

Changing the password doesn’t always kick out someone who’s already logged in. Look for “active sessions,” “where you’re logged in,” or “devices” in the account settings and sign out everything. While you’re there, review “connected apps” or “third-party access” — attackers sometimes authorise a malicious app so they retain access even after you change the password. Revoke anything you don’t recognise.

Step 4: Turn on the strongest two-factor authentication available

Now harden the account so it can’t happen again. Add two-factor authentication — and skip SMS if a better option exists, because SMS can be defeated by SIM swapping. An authenticator app is the minimum; a passkey or hardware security key is best. (I cover the trade-offs in detail in my separate guide on multi-factor authentication.) Save the recovery codes offline while you’re at it.

Step 5: Check what the attacker may have changed or seen

Before you relax, look at what damage was done. Check sent-mail and deleted-items folders for messages you didn’t send. Review email forwarding rules — attackers love to set up a silent forward so they keep seeing your mail even after you’ve changed the password. Look at account recovery settings again. For financial accounts, check for new payees, changed addresses, or transactions. For shopping accounts, check saved addresses and recent orders.

Step 6: Notify and protect downstream

If the breach involved financial data, contact your bank and consider a fraud alert. If personal data was exposed, be alert for targeted phishing in the following weeks — criminals use breached details to make scams more convincing. If your work accounts are involved, tell your IT or security team immediately; a personal breach can become a company one.

How to make the next breach a non-event

The goal isn’t just to recover — it’s to make sure that the next leak, which is inevitable, does no damage. Three habits get you there.

Unique passwords everywhere, stored in a password manager. When every account has a different password, a breach of one site cannot cascade to the others. This single change neutralises credential stuffing entirely.

Strong second factors on everything that matters, ideally passkeys or a hardware key. Then a leaked password alone is useless to an attacker.

Periodic checks. Set a reminder to run your email through a breach checker and review your password manager’s health report every few months. Catching exposure early turns a potential disaster into a five-minute password change.

The bottom line

Being in a breach is not a personal failing — billions of records are exposed every year, almost always because of a company’s mistake, not yours. What you control is the response. Check calmly, secure your email first, change reused passwords everywhere, revoke sessions, and add a strong second factor. Do that, and a breach becomes an inconvenience rather than a catastrophe.


Not sure how exposed your current passwords are? Test them privately with the PassGuard Check strength tester — everything is analysed locally in your browser and nothing is ever stored or transmitted.