Large credential leaks can include emails, passwords, and other account identifiers that attackers use for credential stuffing—trying leaked logins across many sites until something works. If you suspect your accounts may be affected, act quickly and methodically. This guide walks you through the highest-impact steps, in the right order.

1) First, confirm what might be exposed

You don’t need perfect information to start securing accounts, but it helps to know your risk level and which email addresses are involved.

  • List the emails you use for logins (primary inbox, old addresses, work/school accounts, “spam sign-up” email).
  • Identify high-value accounts tied to those emails: email providers, banking/payment apps, Apple/Google accounts, social networks, password manager, cloud storage, and gaming accounts.
  • Assume reused passwords are compromised: if you used the same password on more than one site, treat every account that shares it as exposed.

2) Secure your email accounts first (they’re the master keys)

If an attacker gets into your email, they can reset passwords on most other services. Start here before changing everything else.

  1. Change your email password to a long, unique passphrase (at least 16 characters; longer is better).
  2. Enable multi-factor authentication (MFA/2FA) using an authenticator app or a hardware key if available. Avoid SMS when better options exist.
  3. Review security settings: recovery email/phone, security questions, and backup codes (store backup codes safely offline).
  4. Check account access: recent logins, active sessions/devices, mailbox forwarding rules, filters, and “delegated access.” Remove anything unfamiliar.

3) Change passwords the safe way (avoid getting re-compromised)

Changing passwords won't help if malware on your device or a hijacked session captures the new ones. Reduce that risk before doing bulk changes.

  • Update your devices (OS, browser, and security updates).
  • Run a malware scan and remove suspicious browser extensions.
  • Use a password manager to generate and store unique passwords for every site.

Then, change passwords in this priority order:

  1. Password manager (if you use one) and its MFA
  2. Email accounts (if not already done)
  3. Financial accounts (banking, credit cards, PayPal, payment wallets)
  4. Apple ID/Google/Microsoft accounts
  5. Social platforms (Facebook, Instagram, X, TikTok, etc.)
  6. Shopping and subscriptions (Amazon, app stores, streaming)
  7. Everything else
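The two ideas above, "treat every account that shares a password as exposed" and "change them in priority order", are easy to apply by hand for a handful of logins but tedious for a password manager holding hundreds. The following script is an added example, not code from the guide: it reads a password-manager CSV export (the common name,url,username,password layout), groups entries that share a password by a short hash so the report never prints the password itself, flags anything under the 16-character floor, and lists the accounts to rotate in the guide's priority order. The category column and the sample rows are constructed for this example; real exports rarely carry a category, so you would assign one yourself.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Priority order taken from the guide's "change passwords in this order" list.
# The category labels are an assumption of this example, not something a
# manager exports; assign them to your own entries before running.
PRIORITY = ["password manager", "email", "financial", "identity provider",
            "social", "shopping", "other"]
MIN_LENGTH = 16  # the guide's "16+ characters" floor

# Constructed sample export; the category column is added for this example.
SAMPLE_EXPORT = """name,url,username,password,category
Primary mail,https://mail.example.com,alice@example.com,Tr0ub4dor&3,email
Bank,https://bank.example.com,alice,Tr0ub4dor&3,financial
Old forum,https://forum.example.net,alice99,Tr0ub4dor&3,other
Shop,https://shop.example.com,alice@example.com,correct-horse-battery-staple-2024,shopping
Social,https://social.example.com,alice,Sh0rt!,social
"""


def fingerprint(password: str) -> str:
    """Short hash so the report can group identical passwords without printing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def priority_rank(category: str) -> int:
    """Lower is more urgent; unknown categories sort last."""
    return PRIORITY.index(category) if category in PRIORITY else len(PRIORITY)


def load(export_csv: str) -> list:
    return list(csv.DictReader(io.StringIO(export_csv)))


def reused_groups(export_csv: str) -> list:
    """Accounts that share a password, each group ordered by the guide's priority."""
    by_fp = defaultdict(list)
    for row in load(export_csv):
        by_fp[fingerprint(row["password"])].append(row)
    groups = []
    for rows in by_fp.values():
        if len(rows) > 1:
            rows.sort(key=lambda r: priority_rank(r["category"]))
            groups.append([r["name"] for r in rows])
    groups.sort()  # deterministic output regardless of dict ordering
    return groups


def short_passwords(export_csv: str) -> list:
    """Accounts whose password is below the 16-character floor."""
    return [r["name"] for r in load(export_csv) if len(r["password"]) < MIN_LENGTH]


def change_order(export_csv: str) -> list:
    """Every reused or too-short password, in the order the guide says to rotate."""
    rows = load(export_csv)
    counts = defaultdict(int)
    for r in rows:
        counts[fingerprint(r["password"])] += 1
    flagged = [r for r in rows
               if counts[fingerprint(r["password"])] > 1
               or len(r["password"]) < MIN_LENGTH]
    flagged.sort(key=lambda r: (priority_rank(r["category"]), r["name"]))
    return [r["name"] for r in flagged]


if __name__ == "__main__":
    for group in reused_groups(SAMPLE_EXPORT):
        print("same password on:", ", ".join(group))
    print("too short:", short_passwords(SAMPLE_EXPORT))
    print("rotate in this order:", change_order(SAMPLE_EXPORT))
```

Run it against your own export only on a machine you have already updated and scanned, as step 3 advises, and delete the export afterwards: the CSV holds every password in plaintext. The hash prefix is a grouping key for the report, not a protection for the file.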

4) Turn on MFA everywhere it matters

MFA makes leaked passwords far less useful. Enable it at least on email, finance, and major identity providers (Apple/Google/Microsoft), plus social accounts that can be used for scams.

  • Best: hardware security key (FIDO2/WebAuthn)
  • Very good: authenticator app (TOTP) or passkeys
  • Less ideal: SMS (use only if you have no better option)

5) Kick out attackers: end sessions and rotate tokens

Changing a password isn’t always enough if an attacker has an active session or API token.

  • Log out of all devices (most services have “sign out of all sessions”).
  • Revoke app access: remove third-party apps you don’t recognize.
  • Rotate API keys (for developer tools, cloud services, or any account that provides keys/tokens).

6) Watch for financial and identity abuse

After major leaks, the next wave is often phishing and fraud attempts. Add monitoring until things calm down.

  • Enable account alerts for logins, purchases, and password changes.
  • Review transactions and connected payment methods; remove unknown cards/bank accounts.
  • Consider a credit freeze or fraud alert if you suspect identity data may be involved (availability depends on your country).

7) Expect phishing—tighten your defenses

Attackers will use leaked emails to send convincing “security alert” messages.

  • Don’t click links in password-reset or “unusual login” emails. Open the site/app directly.
  • Verify sender details, but remember: display names can be spoofed.
  • Use a unique recovery email and keep it private when possible.
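The "display names can be spoofed" point is worth seeing concretely. Mail clients show the display name prominently and often hide the actual address, so a message can read "Example Bank Security" while coming from an unrelated domain, or can put an address-looking string in the display name itself. This added example (not code from the guide) uses Python's standard `email.utils.parseaddr` to split a From header into display name and address, then flags two mismatches: a display name that contains an address whose domain differs from the real one, and a display name that mentions a brand whose legitimate sending domains (an assumed list for this example) do not include the real one. The headers and domains are constructed.

```python
from email.utils import parseaddr

# Brands and the domains that legitimately send mail for them. This mapping is
# an assumption for the example; build yours from your own providers' mail.
TRUSTED_SENDERS = {
    "example bank": {"examplebank.com"},
}

# Constructed From headers for illustration; none are real senders.
SAMPLE_FROM_HEADERS = [
    "Example Bank Security <alerts@examplebank.com>",
    "Example Bank Security <alerts@examplebank-verify.co>",
    '"support@examplebank.com" <noreply@mail-delivery.example.net>',
    "Alice <alice@example.org>",
]


def split_sender(header: str):
    """Return (display_name, address, address_domain) for a From header."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def looks_spoofed(header: str) -> bool:
    """True when the display name claims an identity the real address does not back."""
    name, _addr, domain = split_sender(header)
    lowered = name.lower()

    # Trick 1: an email address inside the display name whose domain differs
    # from the envelope address the mail actually came from.
    if "@" in lowered:
        claimed_domain = lowered.rsplit("@", 1)[-1].strip()
        if claimed_domain != domain:
            return True

    # Trick 2: a known brand in the display name but an unrelated sending domain.
    for brand, domains in TRUSTED_SENDERS.items():
        if brand in lowered and domain not in domains:
            return True
    return False


def flag_headers(headers) -> list:
    """Subset of headers that fail the checks above, in input order."""
    return [h for h in headers if looks_spoofed(h)]


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict = "SUSPICIOUS" if looks_spoofed(header) else "ok"
        print(f"{verdict:10} {header}")
```

A clean result here is not proof of legitimacy (the From header itself can be forged when the receiving server does not enforce SPF, DKIM and DMARC), which is why the guide's advice stands: treat the check as a reason to be suspicious, and always reach the site or app directly rather than through the message's links.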

8) Prevent the next incident (long-term habits that work)

  • Unique passwords everywhere via a password manager.
  • Prefer passkeys when offered (they can reduce phishing risk and eliminate password reuse).
  • Keep devices updated and minimize browser extensions.
  • Audit accounts quarterly: remove old services, rotate passwords for critical accounts, and review security settings.

Quick checklist

  • Secure email accounts (password + MFA + remove unknown forwarding/rules)
  • Use a password manager; generate unique passwords
  • Change passwords in priority order (email/finance/identity providers first)
  • Enable MFA everywhere important (prefer passkeys/authenticator/hardware keys)
  • Sign out of all sessions; revoke third-party app access
  • Monitor for fraud and phishing

If you can only do three things today: lock down email, enable MFA, and eliminate password reuse. Those steps dramatically cut the chance of account takeover after a leak.