Large credential leaks can expose millions of email and social-media logins at once. Even if you haven’t noticed suspicious activity, leaked passwords are often tested automatically across many services (a technique called credential stuffing). Use the checklist below to secure your accounts quickly and reduce the chance of takeover.
1) Confirm whether you’re at risk (without making it worse)
- Assume exposure is possible if you reused passwords anywhere—especially across email, social media, shopping, or banking.
- Avoid typing your password into random “leak checker” sites. Use trusted sources and official account security pages instead.
- Check your account login history (where available) for unfamiliar devices, locations, or IP addresses.
2) Start with your email account (it’s the master key)
If attackers control your email, they can reset passwords for many other services. Secure it first.
- Change your email password immediately to a unique, long passphrase (14+ characters is a good baseline).
- Enable multi-factor authentication (MFA/2FA). Prefer an authenticator app or security key over SMS when possible.
- Review recovery options: recovery email, phone number, and security questions. Remove anything you don’t recognize.
- Sign out of other sessions from the account’s security settings to kick out unknown devices.
3) Change passwords in the right order
Prioritize accounts that can cause the most damage if compromised.
- Tier 1 (do first): email, password manager, banking/finance, mobile carrier, government/health portals.
- Tier 2: major social platforms (Facebook, Instagram, X/Twitter), Apple/Google/Microsoft accounts, cloud storage.
- Tier 3: shopping sites, subscriptions, forums, and older accounts you rarely use.
Rule: every password must be unique. If one site is breached, uniqueness prevents a chain reaction.
4) Turn on 2FA everywhere you can
Changing passwords helps, but 2FA blocks many takeovers even when passwords leak again.
- Best: hardware security key (FIDO2/WebAuthn).
- Strong: authenticator app (TOTP) or passkeys if the service supports them.
- Last resort: SMS (better than nothing, but vulnerable to SIM swapping).
Save backup codes in a secure place (ideally inside a password manager or printed and stored safely).
5) Check for signs of account takeover
- Password reset emails you didn’t request.
- New devices/sessions in security settings.
- Changed profile details (email, phone, username) or unexpected posts/messages.
- New payment methods or orders you don’t recognize.
If you see any of these, treat it as an active incident: change the password, enable 2FA, revoke all other sessions, and contact the service’s support.
6) Use a password manager (this is how you stop reusing passwords)
Leaks are common; what protects you long-term is using unique passwords everywhere.
- Generate long, random passwords for each site.
- Store them securely so you don’t fall back to reusing passwords.
- Run the manager’s built-in security reports (weak/reused passwords) and fix items over time.
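To make the uniqueness rule from step 3 and the reused/weak-password report from step 6 concrete, here is an added audit script (not from the original checklist or any password manager) that groups exported vault entries by password fingerprint, flags anything under the 14-character baseline, and orders the affected sites by the checklist’s tiers. The vault, site names and tier table are constructed for the example; real exports should be audited offline and deleted afterwards.

```python
"""Audit an exported password-manager vault for reused or short passwords."""
from collections import defaultdict
import hashlib

# Priority tiers from the checklist (1 = change first). Constructed sample sites.
TIERS = {
    "mail.example.com": 1, "bank.example.com": 1,
    "social.example.com": 2, "cloud.example.com": 2,
    "shop.example.com": 3, "forum.example.com": 3,
}
MIN_LENGTH = 14  # passphrase baseline from step 2 of the checklist

# Constructed sample vault: (site, username, password). Never commit real exports.
VAULT = [
    ("mail.example.com", "alice", "correct horse battery staple"),
    ("bank.example.com", "alice", "Summer2024!"),        # short AND reused
    ("social.example.com", "alice", "Summer2024!"),      # reused
    ("forum.example.com", "alice_old", "Summer2024!"),   # reused
    ("shop.example.com", "alice", "q8#Lk2vP0zRt9@Wm"),   # unique, long enough
    ("cloud.example.com", "alice", "hunter2"),           # unique but short
]

def fingerprint(password: str) -> str:
    """Truncated SHA-256 used only to group identical passwords; the report
    never carries plaintext, so it can be shared with a helper safely."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]

def audit(entries):
    """Return {'reused': {fingerprint: [sites...]}, 'short': [sites...]}."""
    by_fp = defaultdict(list)
    short = []
    for site, _user, pw in entries:
        by_fp[fingerprint(pw)].append(site)
        if len(pw) < MIN_LENGTH:
            short.append(site)
    reused = {fp: sorted(sites) for fp, sites in by_fp.items() if len(sites) > 1}
    return {"reused": reused, "short": short}

def change_order(report):
    """Sites that need a new password, most damaging tier first (unknown sites = tier 3)."""
    affected = {s for sites in report["reused"].values() for s in sites}
    affected |= set(report["short"])
    return sorted(affected, key=lambda s: (TIERS.get(s, 3), s))

if __name__ == "__main__":
    report = audit(VAULT)
    for fp, sites in report["reused"].items():
        print(f"password {fp} reused on: {', '.join(sites)}")
    print("too short:", ", ".join(report["short"]))
    print("rotate in this order:", " -> ".join(change_order(report)))
```

A single reused password here puts a bank login and two low-value forum/social logins in the same breach blast radius, which is exactly the chain reaction the uniqueness rule prevents.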
7) Monitor and lock down your financial identity
- Enable alerts for bank/credit card transactions.
- Check recent statements for small “test” charges.
- Consider a credit freeze if you suspect identity data may also be involved, not just passwords.
8) Watch for phishing that follows a leak
After a high-profile breach, scammers often send “security alert” emails or texts pretending to be from Gmail, Facebook, Instagram, or other brands.
- Don’t click links in urgent messages. Navigate to the service directly (type the URL or use the official app).
- Never share one-time codes with anyone—support teams won’t ask for them.
- Inspect sender addresses and look for subtle misspellings or mismatched domains.
9) If you reused the leaked password, treat all those accounts as compromised
This is the most important point. If the same password was used on multiple sites, attackers can log into the others even if those sites were never breached. Change them all.
10) Quick “done” checklist
- Email password changed + 2FA enabled
- Unique passwords set for high-value accounts
- 2FA enabled on social, cloud, and shopping accounts
- Unknown sessions/devices revoked
- Recovery options reviewed and updated
- Financial alerts on; statements checked
- Phishing awareness heightened for the next few weeks
Tip: Set a calendar reminder to review account security again in 2–4 weeks. Attackers often retry after initial password changes, especially if they can trick users with phishing.