Your First 24 Hours After a Breach: A Calm Checklist

1. Don't panic – confirm what actually happened

Start by figuring out what kind of incident you're dealing with:

  • Was it a classic data breach at a service you use (like a website or app)?
  • Was it more of a data scraping incident where public info was copied at scale?
  • Did you get the news from a trusted source (the provider, your IT team, or a reputable tool)?

Knowing the basics helps you respond with the right level of effort instead of guessing.

2. Change the password on the breached account

If the incident involves a specific account you still use, change that password first:

  • Go directly to the site or app by typing the address yourself (don't click links in unexpected emails or texts).
  • Choose a new, unique password you don't use anywhere else, ideally generated and stored by a password manager.
  • Turn on two-factor authentication (2FA/MFA) if it's available; an authenticator app or security key is stronger than codes sent by SMS.
  • Use the account's "sign out of all other sessions" option if it has one, so anyone already logged in with the old password is kicked out.

3. Fix password reuse on your most important accounts

If you reused that password elsewhere, fix the most sensitive places within the first 24 hours:

  • Email accounts (personal and work)
  • Financial accounts (banks, cards, PayPal, investment apps)
  • Key identity accounts (Apple ID, Google, Microsoft, phone carrier)

Each one should get its own unique password plus 2FA if possible.
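Finding every place a password was reused is tedious by hand. The script below is an added example, not code from the original checklist: it reads a password-manager export (assumed here to be a CSV with `site`, `username` and `password` columns; real exports vary), groups entries that share a password, and orders each group so email, financial and identity accounts are fixed first. The keyword lists that define those tiers, and the sample export, are constructed for this example. Passwords are compared by a truncated SHA-256 so the report never repeats them in plaintext.

```python
"""Rank reused passwords from a password-manager CSV export by what to fix first."""
import csv
import hashlib
import io
from collections import defaultdict

# Priority tiers mirror the checklist: email, then financial, then identity.
# The keyword lists are an assumption for this example; extend them for your own sites.
PRIORITY_KEYWORDS = {
    1: ("mail", "gmail", "outlook", "proton"),
    2: ("bank", "paypal", "card", "invest", "chase"),
    3: ("apple", "google", "microsoft", "carrier", "t-mobile", "verizon"),
}

# Constructed sample export (the column layout is an assumption, not a real vendor format).
SAMPLE_EXPORT = """site,username,password
forum.example.com,alice,Winter2023!
mail.example.com,alice,Winter2023!
bank.example.com,alice,Winter2023!
shop.example.com,alice,hunter2
news.example.com,alice,hunter2
cloud.example.com,alice,c0rrect-horse-battery-staple
"""


def tier_for(site: str) -> int:
    """Return 1 (email), 2 (financial), 3 (identity) or 4 (everything else)."""
    s = site.lower()
    for tier, words in sorted(PRIORITY_KEYWORDS.items()):
        if any(w in s for w in words):
            return tier
    return 4  # can wait until after the first 24 hours


def fingerprint(password: str) -> str:
    """Short hash used to group entries without keeping plaintext in the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(csv_text: str, breached_site=None):
    """Group accounts that share a password and order each group by urgency."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[fingerprint(row["password"])].append(row["site"].strip())

    report = []
    for fp, sites in groups.items():
        if len(sites) < 2:
            continue  # unique password: nothing to fix here
        ordered = sorted(sites, key=lambda s: (tier_for(s), s))
        report.append({
            "fingerprint": fp,
            "contains_breached": bool(breached_site) and breached_site in sites,
            "fix_order": ordered,
            "urgent": [s for s in ordered if tier_for(s) <= 3],
        })

    # Groups sharing the breached password come first, then by the best tier they touch.
    report.sort(key=lambda g: (not g["contains_breached"], tier_for(g["fix_order"][0])))
    return report


if __name__ == "__main__":
    for group in find_reuse(SAMPLE_EXPORT, breached_site="forum.example.com"):
        flag = "BREACHED PASSWORD" if group["contains_breached"] else "reused"
        print(f"{flag} ({group['fingerprint']}): fix in order {group['fix_order']}")
```

Run it against your own export, then delete the export file: it is a plaintext copy of every credential you have.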

4. Watch for phishing and weird login alerts

After a breach, attackers often send messages that look like they're from the affected company:

  • Be skeptical of "urgent" emails or texts asking you to click a link and log in.
  • Go to sites by typing the address yourself, not by clicking buttons in emails.
  • Pay attention to security alerts like "new login from device X" or "password changed", but verify them from inside the account's own security settings rather than through the link in the message.
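The most common trick in post-breach phishing is a link whose text or subdomain shows the real company's name while the actual destination is somewhere else. The helper below is an added example, not part of the original checklist: given a link and the domain you expect (say `paypal.com`), it reports the reasons a careful person would hesitate, such as credentials hidden before an `@`, a raw IP address, a brand name buried in a subdomain, or a punycode host. The registrable-domain logic takes the last two labels of the host, which is an assumption that works for `.com`-style names but not for suffixes like `.co.uk`; production code should use the Public Suffix List.

```python
"""Check where a link in a 'security notice' really goes before clicking it."""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate registrable domain: last two labels (assumption; use the PSL for real work)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(url: str, expected_domain: str):
    """Return a list of human-readable warnings; an empty list means the link matches."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        findings.append("plain http, not https")

    if not host:
        findings.append("no host in URL")
        return findings

    # https://paypal.com@evil.example/ : everything before '@' is ignored by the browser.
    if parts.username is not None:
        findings.append(f"credentials before '@' in URL (host is really {host})")

    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
        return findings
    except ValueError:
        pass  # not an IP literal, keep checking

    if not host.isascii():
        findings.append("non-ASCII characters in host (possible homoglyph domain)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")

    expected = expected_domain.lower()
    actual = registrable_domain(host)
    if actual != expected:
        brand = expected.split(".")[0]
        if brand in host:
            findings.append(
                f"brand name '{brand}' appears in host but registrable domain is {actual}")
        else:
            findings.append(f"link goes to {actual}, not {expected}")
    return findings


if __name__ == "__main__":
    # Constructed sample links; only the first is genuine for paypal.com.
    for link in (
        "https://www.paypal.com/signin",
        "https://paypal.com@evil.example/login",
        "https://paypal.com.account-verify.example/x",
        "http://192.0.2.10/paypal",
    ):
        print(link, "->", inspect_link(link, "paypal.com") or "looks consistent")
```

The empty result for a genuine link is not proof of safety (a compromised real site is still real), which is why the checklist's advice to type the address yourself stands regardless of what this check says.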

5. Check recent financial activity

Spend a few minutes reviewing:

  • Recent card charges
  • Bank and PayPal transactions
  • Any emails about "new accounts" or "new payees"

If you see something that isn't yours, contact the bank or card issuer using the number on the back of your card or from their official website.

6. Decide whether credit protection steps are needed

If the breach exposed things like Social Security numbers or other ID details, you may want to look at:

  • Credit monitoring or alerts offered by the breached company
  • A fraud alert or credit freeze with the major credit bureaus (in the US: Equifax, Experian, and TransUnion)

Freezes are one of the strongest tools against new-account fraud.

7. For MSPs and IT teams: capture notes for next time

If you're an MSP or internal IT, your "first 24 hours" is also a chance to improve your process:

  • Log which accounts were affected, what you changed, and when (timestamps in a single time zone, ideally UTC, so the timeline still makes sense later).
  • Decide which actions you'll standardize (for example, always enabling 2FA, forcing sign-out of existing sessions, and updating password policies).
  • Turn today's scramble into a reusable checklist you can apply with the next client.

8. What to do after the first day

Once you've handled the urgent items, you can space out the slower work:

  • Gradually update older reused passwords you still find.
  • Review which apps and services you no longer need and close those accounts, so their stored data can't show up in the next breach.
  • Check back in a week to make sure there's no new suspicious activity.

Important: This checklist is for informational purposes only. It's not legal, financial, or professional security advice. Specific steps can depend on your country, local laws, and the details of the breach. When in doubt, talk with your bank, your IT provider, or another trusted professional.

Want a calm, plain-English view of where your email shows up in breach data?

Check Your Email Now →