What to do if your email is in a data breach

A data breach happens when an organisation that stores your personal information is compromised, and that data is exposed or stolen. Internationally, the GDPR defines a personal data breach as a security failure leading to the loss, alteration, or unauthorised disclosure of or access to personal data (Article 4(12)), which matches the OAIC's notifiable data breach concept in Australia. In most cases, your email address being “in a breach” means a service you used was breached, not that someone has logged into your inbox.

Have I Been Pwned, a free service widely used to check breach exposure, describes the appearance of your address in a breach as an immutable historic fact that cannot later be changed. You cannot delete your address from a breach, but you can reduce the damage. The most common real risk is credential reuse: if the breached password was one you used on other accounts, those accounts are now at risk too.

Use a reputable breach-checking service to see which breaches your email appears in and what categories of data were involved. Have I Been Pwned lets anyone check an email address against known breaches for free, and never asks for your password. The data categories tell you how serious the exposure is, and which steps below matter most:

If the breach exposed a password, or you reused the breached account's password elsewhere, change it everywhere it was used. The global benchmark, the US NIST Digital Identity Guidelines, is to allow long passphrases, not force complex character rules, and not force periodic resets. The Australian Cyber Security Centre gives the same advice: passphrases that are long, unpredictable and unique, at least 15 characters made of four or more random words.

Use a different passphrase for every important account so that one breach cannot unlock the rest. A password manager makes this practical, see our guide on password managers, breach monitors and digital footprint managers to understand how these tools fit together.

The US CISA reports that turning on multi-factor authentication (MFA) makes you about 99% less likely to be hacked, and the ACSC lists it among its most effective protections. It asks for a second proof of identity, a code, prompt or security key, on top of your password, so a stolen password alone is not enough to get in.

Turn MFA on wherever it is offered, starting with your email, banking and government accounts. Where the option exists, an authenticator app or passkey is stronger than SMS codes.

Your email is the recovery channel for most of your other accounts, so it deserves priority. If the breached password matched your email password, treat the inbox as the most urgent task: change the passphrase, turn on MFA, and check for unfamiliar forwarding rules or connected apps that could let an attacker keep reading your mail even after you change the password.

There is a dedicated checklist for this: how to secure your email after a data breach.

Leaked details, your name, email, phone number and which companies you deal with, let criminals craft convincing scam messages. Attackers routinely combine data from multiple breaches to build personalised scams. Treat unexpected contact that references a breach, a refund, or “account recovery” with suspicion, and verify through official channels rather than links in the message.

Report scams to the National Anti-Scam Centre's Scamwatch, which helps authorities track emerging threats.

You also have rights over your data. Internationally the GDPR gives people the right to access their data (Article 15) and correct it (Article 16); in Australia the OAIC provides the equivalent under Australian Privacy Principles 12 and 13.

A single email address is usually linked to dozens of accounts, and the hardest part of breach response is remembering them all. Building an inventory of the accounts tied to your email turns a vague worry into a concrete checklist you can work through.

Two companion guides walk you through it: how to find accounts linked to your email and the digital footprint checklist.

In The Event Of is a digital footprint manager, not a password manager, and not an automatic fixer. It is a life-admin organiser that helps you track and manage account updates through smart checklists and guided steps, with you in control of updating your accounts directly. After a breach it helps you:

You make every change yourself and stay in control of your passwords and personal details. You can read more about the breach-response flow on the getting hacked page and about how your data is handled on the security page.