Privacy8 min read

Your Email Was in a Data Breach. Here Is Exactly What to Do.

Finding out your email address appeared in a breach is alarming. This step-by-step guide tells you precisely how to respond and how to protect yourself going forward.

By Achyuth Kumar · Founder, TempMailKit

Published · Last reviewed by the TempMailKit editorial team

How to Find Out If Your Email Has Been Breached

The most reliable way to check whether your email address has appeared in a known data breach is to use Have I Been Pwned (haveibeenpwned.com), a free service maintained by security researcher Troy Hunt. The site aggregates data from hundreds of publicly disclosed breaches and lets you search by email address or phone number. It is trusted by security professionals worldwide and is used by governments and companies to monitor their own exposure.

Enter your email address in the search field. The results tell you whether your address appears in any known breach, and if so, which ones. For each breach, you will see what categories of data were exposed: email addresses, passwords, names, phone numbers, physical addresses, payment card information, and so on. Different breaches expose different data, and the severity of your risk depends on what was taken.

You can also set up a free alert so you are notified automatically if your address appears in any future breach. This is worth doing for your primary email address.

Step One: Determine What Was Exposed

Not all breaches are equal. An email address alone is relatively low-risk, because email addresses are already widely distributed. A breach that exposed your email address along with your password hash is more serious, because a cracked hash gives an attacker your actual password. A breach that exposed your email address, name, date of birth, and home address gives an attacker the raw material for identity theft and targeted phishing.

For each breach in your results, read the description carefully. Understand what data was included. This determines how urgently you need to act and what specific steps are most important.

Step Two: Change Passwords for Affected Services

If a breach included passwords (even hashed ones), change your password on that service immediately. Do not reuse the old password anywhere. Use a password that is at least sixteen characters long and unique to that account. A password manager makes this practical, because you do not need to remember unique passwords for every account.

More importantly, if you used the same password on any other accounts, change those passwords too. Credential stuffing attacks take username and password combinations from one breach and try them on other services automatically. Attackers know that most people reuse passwords. If your LinkedIn password was the same as your Gmail password, and LinkedIn was breached, your Gmail is at risk.

Step Three: Enable Two-Factor Authentication

A unique, strong password significantly reduces your risk, but two-factor authentication (2FA) adds a second layer of protection that remains effective even if a password is compromised. Enable 2FA on any account that offers it, starting with your email provider, your password manager, your bank, and any other account that contains sensitive information or financial access.

For 2FA, prefer an authenticator app (Google Authenticator, Authy, 1Password) over SMS-based codes. SMS 2FA is better than nothing but is vulnerable to SIM-swapping attacks. Authenticator apps are not.

Step Four: Watch for Phishing Attempts

After a breach, your email address is likely to end up in lists used by phishing attackers, especially if other personal details were included. Be particularly alert for phishing emails in the weeks following a breach. Attackers use breach data to personalise attacks, addressing you by name, referencing your city or the service that was breached, to make the email feel legitimate.

Any unexpected request to verify your account, reset your password, or confirm payment information should be treated as suspicious. Go directly to the service in question by typing its URL rather than clicking any link in the email.

Step Five: Check for Unauthorised Account Activity

Log in to any service included in the breach and check for activity you do not recognise. Most services show a log of recent sign-ins, including the location and device. Look for sign-ins from unfamiliar locations or devices. Change your password, sign out of all sessions, and contact the service's support team if you find anything suspicious.

For financial accounts, review recent transactions carefully. If you see unauthorised transactions, report them to your bank or card provider immediately. Most financial institutions have strong fraud protection policies, but prompt reporting is important.

Step Six: Consider a Credit Freeze if Personal Data Was Exposed

If the breach included your name, address, date of birth, social security number, or other data that could be used for identity theft, consider placing a credit freeze with the major credit bureaus. A credit freeze prevents new credit from being opened in your name without your active unfreezing, which stops most forms of identity fraud at the source. In the US, credit freezes are free at Equifax, Experian, and TransUnion.

How to Reduce Your Exposure Going Forward

The most effective long-term protection is reducing how widely your email address is distributed in the first place. Every service that holds your email address is a potential breach vector. For services you do not fully trust or consider critical, use a disposable email address. The temporary inbox receives the verification email and then expires, ensuring that your primary address never enters that service's database at all.

For services you do trust and plan to use long-term, consider using a unique email alias for each one. Services like SimpleLogin and AnonAddy create aliases that forward to your real address. If one service is breached, you simply delete that alias, and your primary address remains unaffected. You also know exactly which service leaked your address, because the alias tells you.

No approach eliminates breach risk entirely, because you cannot control the security practices of every service you use. But minimising exposure means that when a breach happens, the damage is limited to a single alias rather than your primary identity.

Sources & further reading

External links are provided for verification and are not endorsements. Reviewed against these sources per our editorial policy.

Achyuth Kumar

Founder & editor, TempMailKit

Achyuth builds privacy tools and writes TempMailKit’s guides on email security, spam, and online privacy. Every article is checked against primary sources and our editorial policy before it is published. Questions or a correction? Get in touch.

Ready to protect your inbox?

Generate a free temporary email address in one click. No sign-up required.

Get a Free Temp Email