You got the notification — from a breach checker, a "your data may have been exposed" email, or a news headline about a company you have an account with. Your email address is in a data breach. Take a breath: a leaked email address on its own is rarely a disaster. The damage comes from what was leaked with it, and from passwords you reused elsewhere. The good news is that the response is mechanical. Work the list below in order and you close off the realistic attack paths in under an hour.
One thing to get straight up front: a breach does not "delete itself," and no service can un-leak data that is already copied across the internet. What you can do is make the leaked data worthless — rotate the credentials, lock the doors the attacker would walk through, and watch for the follow-up scams. That is exactly what these seven steps do.
First, Figure Out What Actually Leaked
Before you touch a single password, find out what was in the breach. "Your email was exposed" can mean wildly different things:
- Just your email address (and maybe a username) — low risk on its own; mostly means more spam and targeted phishing.
- Email + password — this is the dangerous one. Assume that exact password is now public.
- Email + personal data (full name, phone, home address, date of birth) — fuel for identity theft and SIM-swap attacks.
- Email pulled from an infostealer log — the worst case, because it usually means a device of yours was infected and many credentials leaked at once, possibly with active session cookies.
Run your address through a breach lookup to see which breaches it appears in and what each one exposed. PrufAgent's email breach check pulls known breach records and real infostealer exposure data, so you see both the old database leaks and the newer malware-log hits in one place. The exposure type tells you how hard to go on the rest of this list.
1. Change the Breached Password — and Kill Every Reuse of It
Start with the account that was actually breached. Log in, change the password to something long and unique, and do not reuse any variation of the old one. Then do the part most people skip: change that same password everywhere else you used it.
This matters because of credential stuffing. Attackers take the leaked email-and-password pair and feed it into automated tools that try the combo on hundreds of major sites — Gmail, Outlook, PayPal, your bank, Amazon, your work login. They are not "hacking" those sites; they are walking in with keys you handed out by reusing a password. If you reused the breached password anywhere, those accounts are exposed even though they were never part of the breach. Prioritize, in order: your primary email (it can reset everything else), your bank and payment apps, then everything else.
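As an added illustration of step 1 (not PrufAgent's code or any tool the article mentions), the script below reads a password-manager CSV export, lists every account still using the breached password in the article's rotation order (primary email, then bank/payment, then the rest), and separately flags close variants of it. The column names, the keyword heuristics and the sample vault are constructed assumptions.

```python
import csv
import io

# Constructed sample of a password-manager CSV export (column names follow a
# Bitwarden-style export; this is an assumption, check your own manager's columns).
SAMPLE_EXPORT = """name,login_uri,login_username,login_password
Gmail,https://mail.google.com,alice@example.com,Spring2021!
ShopForum,https://forum.example.net,alice@example.com,Spring2021!
MyBank,https://bank.example.org,alice,Spring2021!
Amazon,https://amazon.example.com,alice@example.com,Spring2021!x
Netflix,https://netflix.example.com,alice@example.com,v8$Lq2!pz9Wm
"""

# Rotation order from the article: primary email, then bank/payment, then the rest.
# Keyword matching on name and URL is a heuristic; adjust it to your own vault.
PRIORITY_KEYWORDS = (
    ("gmail", "outlook", "icloud", "protonmail"),   # rank 0: primary email providers
    ("bank", "paypal", "payment"),                   # rank 1: money
)

def priority(name: str, uri: str) -> int:
    """Lower number = rotate sooner."""
    text = f"{name} {uri}".lower()
    for rank, keywords in enumerate(PRIORITY_KEYWORDS):
        if any(k in text for k in keywords):
            return rank
    return len(PRIORITY_KEYWORDS)

def _rows(export_csv: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(export_csv)))

def accounts_sharing(export_csv: str, breached_password: str) -> list[str]:
    """Accounts using exactly the breached password, in the order to rotate them."""
    hits = [r for r in _rows(export_csv) if r["login_password"] == breached_password]
    hits.sort(key=lambda r: (priority(r["name"], r["login_uri"]), r["name"]))
    return [r["name"] for r in hits]

def near_variants(export_csv: str, breached_password: str) -> list[str]:
    """Accounts whose password is a case-insensitive extension or trimming of the
    breached one ('Spring2021!' vs 'Spring2021!x'); guessable once the original leaks."""
    needle = breached_password.lower()
    out = []
    for r in _rows(export_csv):
        pw = r["login_password"].lower()
        if pw != needle and (needle in pw or pw in needle):
            out.append(r["name"])
    return sorted(out)
```

Export your real vault to a temporary file, pass its contents in place of the sample, and delete the export once you have the list.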
2. Get a Password Manager and Stop Memorizing Passwords
You cannot keep a unique 16-character password for 200 accounts in your head — which is exactly why people reuse passwords and end up in step 1. A password manager solves this permanently: it generates and stores a different random password for every account, so a future breach of one site can never cascade into the others.
Solid options in 2026:
- Bitwarden — open-source, generous free tier, audited. The default recommendation for most people.
- 1Password — polished, great family sharing, paid only (~$3/month).
- Your browser or phone's built-in manager (iCloud Keychain, Google Password Manager) — far better than reusing passwords, and free if a dedicated app feels like too much.
Pick one, set a strong master password (a long passphrase you have never used anywhere), and migrate your most important logins first. You do not have to do all 200 in one sitting — change them as you log into each site.
3. Turn On Two-Factor Authentication Everywhere That Matters
Two-factor authentication (2FA) means a stolen password alone is not enough to get in — the attacker also needs a second code. This is the single highest-leverage move after rotating passwords. Turn it on for your primary email first, then banking, then primary social and work accounts.
Not all 2FA is equal. In order of strength:
- Passkeys / hardware keys (YubiKey) — strongest; phishing-resistant by design.
- Authenticator app (Google Authenticator, Authy, or the one built into your password manager) — strong and free. Use this as your default.
- SMS text codes — better than nothing, but vulnerable to SIM-swap attacks. Use only where it is the sole option, and never as the 2FA for the phone number itself.
When you enable 2FA, save the backup/recovery codes somewhere safe (your password manager is fine). Losing your second factor without backups can lock you out of your own account.
4. Check for Infostealer Exposure (This Is the One People Miss)
A normal breach leaks one company's database. An infostealer is different and worse. It is malware — often hidden in a cracked game, a fake installer, a pirated app, or a sketchy browser extension — that infects your device and silently exports everything saved in your browser: stored passwords, autofill data, crypto wallets, and live session cookies. All of it gets bundled into a "log" and sold in bulk on Telegram channels and dark-web markets.
Two reasons this is the scenario to take most seriously:
- It is many accounts at once. Not one leaked password — potentially every password your browser ever saved.
- Session cookies bypass your defenses. A stolen, still-valid session cookie can let an attacker resume your logged-in session without ever entering your password or your 2FA code.
If a breach check (like PrufAgent's, which surfaces real infostealer exposure) shows your email in infostealer logs, treat one of your devices as compromised: run a full malware scan, then — from a different, clean device — change your important passwords and use the "log out of all sessions / sign out everywhere" option on your email, Google, and social accounts to invalidate any stolen cookies.
5. Brace for the Phishing Wave That Follows a Breach
After a breach, your inbox and phone become targets. Scammers buy the leaked lists and send messages engineered around the breach itself — "Your account was compromised, click here to secure it" — sometimes even referencing the real company that was breached to seem legitimate. Some include a real-looking password reset link that drops you on a fake login page to harvest the new password you just set.
Defensive habits for the next few weeks:
- Never act on a link in a security email. If a service claims there is a problem, open a fresh tab and type the address yourself, or use the app. Do not click through.
- Treat urgency as a red flag. "Act in 24 hours or your account is deleted" is a manipulation tactic, not a real policy.
- Watch for breach-themed extortion. Emails claiming "we have your password" that quote an old reused password are just reading it off a public leak — they have no real access. Ignore and delete; rotate that password if you somehow still use it.
- Slow down on the phone too. Leaked phone numbers feed scam-call lists. If you suspect a caller is running a scam, our guide on spotting a scam phone number walks through the tells.
6. Freeze Your Credit If Sensitive Data Leaked
If the breach exposed identity-grade data — full name, date of birth, address, SSN/SIN, or government ID numbers — assume someone could try to open accounts in your name. A credit freeze is the strongest defense, and it is free: it blocks new lenders from pulling your credit report, which stops most fraudulent account openings cold.
- In the US: freeze at all three bureaus — Equifax, Experian, and TransUnion. It is free by law, takes a few minutes each online, and you temporarily "thaw" it when you legitimately apply for credit.
- In Canada: place a fraud alert / freeze with Equifax Canada and TransUnion Canada (availability varies by province; a fraud alert is available nationwide).
While you are at it, set up free transaction alerts in your banking app and skim your statements for the next few months. The earlier you catch a fraudulent charge, the easier it is to reverse.
7. See Your Full Public Exposure — Then Shrink It
The breach is one piece. The bigger picture is everything else tied to your email and phone that a stranger — or a scammer building a profile on you — can find: reused usernames, old public accounts, and especially data-broker / people-search listings that publish your name, address, and relatives.
Two moves to round this out:
- Audit what is public about you. Run a scan on your own email to see the public profiles, reused usernames, and breach exposure attached to it. Checking your own digital footprint shows you what a stranger sees.
- Get off the people-search sites. Data brokers republish your personal details and feed the next round of phishing. Our guide to removing your info from people-search sites has the real opt-out steps, and the Spokeo opt-out walkthrough covers one of the biggest offenders directly.
A quick honest note on what a scan does and does not do: PrufAgent searches 250+ public sources and checks real breach and infostealer exposure to show you where you are exposed. It does not log into your accounts, it cannot delete listings on your behalf, and it will tell you plainly when there are no strong matches. The value is clarity — knowing exactly which doors to lock, instead of guessing.
The 10-Minute Version
If you only have a few minutes today, do these four and come back for the rest:
- Change your primary email password to something unique, and turn on 2FA for it. Your email is the master key to everything else.
- Change any account where you reused the breached password.
- Check for infostealer exposure — if you are in a malware log, scan your devices and sign out everywhere from a clean one.
- Freeze your credit if identity data leaked.
A breach feels like something was done to you, and it was — but the recovery is entirely in your hands and almost entirely free. Rotate the credentials, lock the doors, stay sharp on phishing for a few weeks, and the leaked data quietly loses its value. Start by finding out exactly what is exposed, then work the list.