Finding out that a password may have leaked can feel stressful, but the right response is practical and manageable. The goal is to limit damage, replace exposed passwords, and protect the accounts that matter most.
This guide explains what to do first, how to prioritize accounts, and how to avoid turning one leaked password into a wider account takeover problem.
Change the exposed password first
Start with the account connected to the leak. Go directly to the real website or app, not through a link in an email or message. Change the password to a new, unique password that you have never used before.
If the account supports sign-out from all devices, use it. Then review recent account activity, recovery email addresses, phone numbers, connected apps, and active sessions.
- Use a new unique password.
- Sign out other sessions if available.
- Review recovery details and account activity.
Fix reused passwords immediately
The biggest danger is reuse. If the leaked password was used on other accounts, attackers may try it elsewhere. This is often automated and can happen quickly.
Prioritize email, banking, cloud storage, work tools, phone provider, social accounts, hosting, domain registrar, and password manager accounts.
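One way to find where a leaked password was reused, as an added example that is not part of the original guide. It assumes a CSV export from a password manager with hypothetical columns `name`, `category`, `username` and `password`; the sample rows are constructed, and treating the guide's priority list as a ranking is also an assumption.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Order follows the guide's "prioritize" list; reading it as a ranking is an assumption.
PRIORITY = ["email", "banking", "cloud storage", "work", "phone provider",
            "social", "hosting", "domain registrar", "password manager"]

# Constructed sample export. Column names are hypothetical; real exports differ.
SAMPLE_EXPORT = """name,category,username,password
Example Shop,shopping,ana@example.com,Tr0ub4dor&3
Example Mail,email,ana@example.com,Tr0ub4dor&3
Example Bank,banking,ana,correct-horse-1
Example Social,social,ana,Tr0ub4dor&3
Example Forum,other,ana,hunter2-old
Example Registrar,domain registrar,ana,hunter2-old
Example Cloud,cloud storage,ana,unique-Zq8!vL
"""

def rank(category):
    """Lower number = change sooner; unknown categories go last."""
    c = category.strip().lower()
    return PRIORITY.index(c) if c in PRIORITY else len(PRIORITY)

def reuse_report(export_csv, leaked_password):
    """Group accounts by password fingerprint; the report never holds a password."""
    key = secrets.token_bytes(32)  # per-run key, so fingerprints are useless afterwards
    def fp(pw):
        return hmac.new(key, pw.encode("utf-8"), hashlib.sha256).digest()
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["password"]:  # skip entries without a stored password
            groups[fp(row["password"])].append((rank(row["category"]), row["name"]))
    leaked = groups.pop(fp(leaked_password), [])
    def ordered(group):
        return [name for _, name in sorted(group, key=lambda a: a[0])]
    other = [ordered(g) for g in groups.values() if len(g) > 1]
    return {"change_now": ordered(leaked), "other_reuse": sorted(other)}

if __name__ == "__main__":
    report = reuse_report(SAMPLE_EXPORT, "Tr0ub4dor&3")
    print("Change now, in order:", report["change_now"])
    print("Other reused passwords:", report["other_reuse"])
```

A plaintext export is as sensitive as the passwords in it, so run the check locally and delete the file once the passwords have been replaced.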
Protect your email account
Email is often the recovery key for many other accounts. If attackers access your email, they may reset passwords, hide alerts, and search for private information.
Use one of your strongest unique passwords on email and enable multi-factor authentication. Review forwarding rules, recovery addresses, and signed-in devices.
- Use a long unique email password.
- Enable multi-factor authentication.
- Remove suspicious forwarding rules or sessions.
Use a safer replacement workflow
Generate each replacement password privately, save it in a trusted password manager, and avoid sending it through chat, email, notes, or documents.
The Pass Key creates passwords in your browser and does not store, log, transmit, or place generated passwords in analytics.
Practical examples
- A shopping site leaked a reused password: change the shopping password, then every other account using the same password.
- Your email password was reused: change the email password first, enable MFA, then review recovery settings.
- A work login may be exposed: tell the admin team quickly so sessions and connected apps can be reviewed.
- An old account leaked: change or close the account if you no longer need it.
FAQ
Should I change every password after one leak?
Change the leaked password, and change the password on any account that reused it. Also review high-value accounts even if you believe they used different passwords.
What if I do not remember where I reused it?
Start with email, banking, cloud storage, work, social, and shopping accounts. A password manager can help find reused passwords going forward.
Is multi-factor authentication enough after a leak?
It helps, but you should still replace leaked or reused passwords with unique strong passwords.
Conclusion
A password leak is serious, but a calm cleanup works. Replace the exposed password, remove reuse, protect email, and enable multi-factor authentication on important accounts.
The best long-term defense is simple: every account gets its own strong password.