Has Your Password Leaked? How to Check and What to Do Next
Here's an uncomfortable exercise. Go to haveibeenpwned.com — the breach-notification service run by security researcher Troy Hunt, used by governments and Fortune 500s alike — and type in your main email address. Unless your address is very new, you will get hits: named breaches, with dates, listing exactly what leaked. Email addresses, passwords, sometimes phone numbers and physical addresses, traded in criminal markets for years before anyone tells you.
The point of the exercise isn't despair. It's that "my password leaked" stops being a hypothetical and becomes what it actually is: a routine event with a known response procedure. This is that procedure, in the order that matters.
Phase 1 — Find out what's exposed
Step 1: Check your email addresses. All of them — current, old, work — at haveibeenpwned.com. For each breach listed, note what data classes leaked. "Email addresses" alone is low-grade; "Passwords" means act; "Passwords (plaintext)" means act today.
Step 2: Check the passwords themselves. HIBP's Pwned Passwords page tells you whether a specific password appears in breach corpora — and it's safe to use, because of a clever design called k-anonymity: your browser sends only the first five characters of the password's hash, downloads every match for that prefix, and does the comparison locally. The full password never leaves your machine. Any password with hits is dead to you, everywhere, forever — criminals load these lists into automated tools that try them against every service on the internet (the attack is called credential stuffing, and it's why one leaked password burns every account that shares it).
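To make the k-anonymity design concrete, here is a small client that does what the Pwned Passwords check does, written as an added example for this article rather than code from HIBP itself. It hashes the password with SHA-1 (the hash the real Pwned Passwords range API uses), sends only the first five hex characters of that hash to a lookup function, and compares the remaining 35 characters against the returned list locally. The "server" here is a constructed stand-in holding three made-up passwords with made-up counts, so the script runs offline; the real endpoint URL appears only in an optional live-fetch function that the example does not call.

```python
import hashlib
import urllib.request

# Constructed stand-in for the breach corpus: made-up passwords and counts,
# used only so the example runs offline. Not real HIBP data.
CONSTRUCTED_CORPUS = {"password": 1200, "123456": 350, "qwerty": 47}

# Records every prefix the client "sends", so we can confirm that nothing
# longer than the 5-character prefix ever leaves the client side.
SENT_PREFIXES = []


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Split the 40-char SHA-1 into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def fake_range_response(prefix: str) -> str:
    """Constructed server: returns 'SUFFIX:COUNT' lines (CRLF-separated) for one prefix.

    Mimics the shape of a real range response. A decoy line is always included
    so the client cannot infer a hit from the response being non-empty.
    """
    SENT_PREFIXES.append(prefix)
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    lines.append("0" * 35 + ":1")  # constructed decoy suffix
    return "\r\n".join(lines)


def live_range_fetch(prefix: str) -> str:
    """Real lookup against the public Pwned Passwords range API (not called in this example)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; blank lines are skipped, padding entries keep count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range=fake_range_response) -> int:
    """Number of times the password appears in the corpus; 0 means no hit.

    Only the 5-char prefix is passed to fetch_range; the suffix comparison
    happens here, on the client, so the password and its full hash stay local.
    """
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple 2024"]:
        hits = pwned_count(candidate)
        verdict = f"seen {hits} times, do not use" if hits else "no hits in this corpus"
        print(f"{candidate!r}: {verdict}")
    print("prefixes sent to the lookup:", SENT_PREFIXES)
```

The property worth noticing is in `pwned_count`: the lookup function receives five hex characters, which narrow the candidate set to roughly one in a million hashes, and the decision is made from the downloaded list on the client. Swapping `fake_range_response` for `live_range_fetch` gives a working check against the real service without changing the privacy behaviour. A hit in this corpus, as in the real one, means the password is burned everywhere it was reused.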
Step 3: Let your browser snitch. Chrome (Settings → Passwords → Checkup), Edge (Password Monitor), and every serious password manager will cross-reference your entire saved vault against breach data and flag the compromised and the reused. This is the fastest way to see the true blast radius.
Phase 2 — Contain, in strict priority order
Resist the urge to fix accounts in the order you remember them. Order by what an attacker would take first:
Step 4: Email accounts. Before anything else. Your email is the master key — whoever controls it can password-reset their way into everything downstream. New unique password, strongest second factor available (a passkey, ideally — here's my guide), and then two checks people skip: review active sessions and sign out everything you don't recognize, and review forwarding rules and filters. Attackers who've been inside a mailbox routinely plant a quiet rule forwarding your mail (or just the messages containing "password" or "invoice") to themselves — persistence that survives your password change.
Step 5: Financial accounts. Banks, brokerages, PayPal, anything holding a card. Same treatment: unique password, strongest 2FA offered, session review. Skim recent transactions while you're in there.
Step 6: Everything that shared the burned password. This is the tedious one, and it's where Phase 1's Step 3 list earns its keep. Every account flagged as reusing a compromised password gets a fresh unique one. Accept that this takes an evening. It's the evening that ends the problem.
Step 7: The identity layer, if the breach included more than credentials. Leaked SSNs, addresses, or phone numbers (think medical, credit bureau, or telecom breaches) call for a credit freeze with all three bureaus — Equifax, Experian, TransUnion. It's free, it's online, it takes ten minutes per bureau, and it blocks new credit lines being opened in your name, which is the main monetization of identity data. You can thaw it temporarily whenever you legitimately need credit. A leaked phone number also raises your SIM-swap exposure — worth reading my piece on how attackers beat 2FA if that's you.
Phase 3 — Make the next breach boring
The breach wasn't your fault — some company you trusted lost your data. The blast radius, though, was set by your habits. Shrink it:
Get the passwords out of your head. A password manager generating a long random unique password per site converts every future breach from "change forty accounts" to "change one." The built-in browser manager is an acceptable start; a dedicated one (Bitwarden is the free recommendation I give without hesitation) is better. Migration is less painful than it sounds: install it, let it import from the browser, then upgrade passwords opportunistically as you log into things — Step 6 probably did the urgent ones already.
Prefer passkeys wherever they're offered. A passkey can't leak in a server breach in any usable form — the site never holds a secret worth stealing. That's the structural fix to this entire article.
Subscribe to the alarm. HIBP's free Notify Me service emails you when your address surfaces in a future breach — converting the years-late discovery you experienced in Step 1 into same-week response time.
Calibrate, don't catastrophize. An old forum leaking a password you used nowhere else, on an account holding nothing? Change it and move on. The procedure above is escalation-proportional: the heavyweight steps exist for the heavyweight cases. What changes after today is that you know which case you're in within minutes instead of never.