Skip to main content
Back to all posts

So You've Been Pwned? A Data Breach Survival Guide

SnapSend Team

You put your email into HaveIBeenPwned.com and the screen turns red. You've been breached. Panic sets in.

Don't panic. Act. A breach notification is not the same as your accounts being drained right now — it usually means a company you signed up with years ago got popped, and a copy of their user database is circulating. The damage is preventable if you move in the right order. This guide is that order.

First, understand what "breached" actually means

When a site is breached, attackers walk away with a dump: rows of user records. What's in those rows determines your risk. Sort the situation before you touch anything:

  • Email only. Low direct risk. You'll get more spam and targeted phishing, but nobody can log in with just an address.
  • Email + hashed password. Medium risk. If the site used weak or unsalted hashing (MD5, SHA-1), attackers crack those hashes offline in hours and now hold your plaintext password.
  • Email + plaintext or reversible password. High risk. Assume the password is known.
  • Email + payment data, SSN, ID numbers, or security answers. Highest risk. This enables fraud far beyond one login.

HaveIBeenPwned lists which data classes were exposed for each breach. Read that list before deciding how hard to react. Not every breach deserves a fire drill; a marketing-list leak of just emails is not a reason to reset 40 passwords.

Step 1: Reset the password on the breached site — correctly

Change the password on the affected service first. But "change it" has a right and wrong way:

  1. Make the new password unique and long. Don't reuse a variant of the old one (Summer2025! becoming Summer2026! fools no one). Aim for a randomly generated string of 16+ characters. You can spin one up with our password generator and store it in a manager so you never have to remember it.
  2. Log out all other sessions. Most services have a "sign out of all devices" button in security settings. Changing the password doesn't always kill existing sessions — an attacker already logged in can stay in until you force a global logout.
  3. Check recovery settings. Attackers who got in first often add a backup email or phone so they can reclaim the account later. Verify your recovery email, phone, and security questions are still yours.

Step 2: Kill credential stuffing before it starts

This is the step people skip, and it's the one that causes cascade breaches. Credential stuffing is when attackers take your leaked email:password pair and feed it into bots that try it on hundreds of other sites — banking, email, Amazon, PayPal, your work SSO. If you reused that password anywhere, those accounts are already exposed even though they were never breached themselves.

Be honest with yourself about reuse. Then change the password everywhere you used it, prioritizing in this order:

  • Your primary email account — it's the master key; password resets for everything else land there.
  • Financial accounts — banks, brokerages, PayPal, crypto.
  • Anything with stored payment methods — shopping, subscriptions.
  • Everything else.

If reuse is a recurring problem for you, the durable fix is a password manager so every account gets its own random password — you never again have one leaked password that unlocks a dozen accounts.

Step 3: Turn on two-factor authentication

Enable 2FA on the breached account and on your priority accounts from Step 2. This is your safety net: even if an attacker later obtains your new password, 2FA blocks the login.

Not all 2FA is equal. Prefer an authenticator app (TOTP) or a hardware key over SMS, because SMS codes can be intercepted via SIM-swapping. Where a service offers it, register a hardware security key for your email and financial accounts specifically. The importance of 2FA post goes deeper on choosing methods.

Step 4: Protect your money and identity

If payment or identity data was in the dump, escalate:

  • Call your bank or card issuer. Report the exposure and ask them to watch for fraud or issue a new card number. A leaked card number is cheap to replace and expensive to ignore.
  • Freeze your credit. In the US, place a freeze with all three bureaus — Equifax, Experian, and TransUnion. It's free, it stops anyone from opening new loans or cards in your name, and you can thaw it temporarily when you legitimately need credit. Do all three; freezing one does nothing for the other two.
  • Watch for account-takeover attempts, not just new-account fraud. Unexpected "your password was changed" or "new device signed in" emails are early warnings.

The long game: expect the phishing wave

Once a service is breached, attackers know you're a customer of it. That makes their next move devastatingly convincing: a fake "Suspicious activity — reset your password" email that looks exactly like the real service, sometimes referencing the very breach you just heard about.

Defend against it with a few habits:

  • Never click the link in a security email. Navigate to the site yourself by typing the address or using a saved bookmark.
  • Check the real sender domain, not the display name. security@paypa1.com is not PayPal.
  • Slow down on urgency. "Act within 24 hours or your account is locked" is manufactured pressure. Legitimate services rarely work that way.

If you want to sharpen your eye for these, phishing attacks 101 breaks down the common tells.

The rebuilt-account checklist

After the immediate response, do a proper cleanup pass:

  • [ ] Unique, random password on the breached account
  • [ ] Same password rotated everywhere it was reused
  • [ ] 2FA enabled on email, finance, and the breached service
  • [ ] All other sessions logged out
  • [ ] Recovery email/phone verified as yours
  • [ ] Credit frozen (if identity data leaked)
  • [ ] Bank notified (if payment data leaked)
  • [ ] Ongoing alert for phishing that impersonates the breached brand

A note on sharing new credentials

Cleaning up a breach often means handing a fresh password to a partner, a family member, or a teammate — the Wi-Fi password, a shared streaming login, a work account. Don't undo your careful reset by pasting it into a text or email thread that lives forever. Send it through a self-destructing, end-to-end encrypted link that dies after it's read once, so the new secret doesn't become the next thing that leaks.

Being in a breach isn't a personal failure — it's a certainty of using the internet long enough. What matters is the response. Work the list, in order, and you turn a scary red screen into a routine afternoon of maintenance.

Need fresh, unique passwords for the accounts you're rotating? Generate them locally in your browser with our password generator — nothing is stored or sent anywhere.