CreditSecurity resource

What to do if your email address shows up in a data breach

Discovering your email in a data breach can be unsettling, but taking quick action can help protect your accounts and personal information.

1

First steps after a breach notification

When you learn your email address has been exposed in a data breach, start by verifying the breach details. Use a free service like Have I Been Pwned to see which sites were involved and what information was compromised. Note that Have I Been Pwned only reflects reported and indexed breaches, so a clean result does not guarantee no exposure. If only your email was leaked, focus on phishing awareness and securing your inbox. If your password was also exposed, change that password immediately on the affected site and anywhere else you used the same credentials.

Consider linking to /assessment/ for a personal exposure check

2

Change passwords and enable two-factor authentication

Update passwords for all accounts that share the compromised password. Use strong, unique passwords for each account, ideally generated by a password manager. Enable two-factor authentication (2FA) wherever possible, especially on your email account, as it serves as a gateway to other services. 2FA adds an extra layer of security even if your password is stolen.

3

Watch for phishing and scams

After a breach, cybercriminals may target you with phishing emails that appear to come from legitimate companies. Be cautious of unsolicited messages asking for personal information or urging you to click links. Never share sensitive data via email. If an email seems suspicious, contact the company directly using a known phone number or website.

Want to see which risks apply to you?

Run the free 60-second CreditSecurity assessment to get a quick exposure score without sharing your SSN or payment info.

Check Your Exposure Score
4

Consider creating a new primary email

If your email address appears in multiple breaches and you have reused passwords extensively, creating a new primary email address can help you start fresh. Use the new address for sensitive accounts like banking and healthcare, and gradually migrate important accounts. Keep the old address active for a while to catch any important messages, but reduce its use over time.

5

Monitor your accounts and credit

Even if only your email was exposed, stay vigilant. Monitor your financial accounts for unauthorized transactions and consider placing a free fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, TransUnion). You can also check your free weekly online credit reports from Equifax, Experian, and TransUnion at AnnualCreditReport.com to spot any suspicious activity. As a separate optional layer beyond these free steps, though no service can prevent all identity theft, paid identity protection services can offer features like real-time alerts and recovery support resources.

For a comparison of paid identity protection services, visit /go/identity.

Check your exposure

See if your email or other personal info has been exposed in known data breaches.

Check your exposure

FAQ

What should I do first if my email is in a data breach?

First, verify the breach details using a service like Have I Been Pwned. Then change your password on the affected site and any other accounts using the same password. Enable two-factor authentication on your email and other important accounts.

Should I create a new email address after a breach?

If your email appears in many breaches and you've reused passwords, creating a new primary email can help. Use it for sensitive accounts and gradually move away from the old one.

How can I protect myself from phishing after a breach?

Be cautious of unexpected emails asking for personal information or urging immediate action. Verify the sender by contacting the company directly through official channels. Never click links or download attachments from suspicious emails.

Compare identity protection plans

Explore monitoring and support services that may help you stay informed about identity threats.

Compare identity protection plans

Sources

CreditSecurity provides educational tools and action checklists. It does not provide legal, financial, credit repair, or identity theft recovery services. Some links may be affiliate links, which means CreditSecurity may earn a commission if you choose a partner service.