"Your email appeared in a data breach": what it means and what to do in the next hour
The alert lands from your browser, your phone, or a breach-notification service: your email address appeared in a data breach. It reads like "you've been hacked", and the instinct is either panic or a shrug. Both are the wrong response. This page explains what the notification actually means, what an hour of focused work fixes, and how to make the next one of these a non-event, because there will be a next one.
Last reviewed: 18 July 2026
What the notification means (and doesn't)
A breach notification means a website or company you gave your details to was compromised, and a copy of their customer database is now in criminals' hands. Your email address was in that database, probably alongside a password: the one you used on that site.
What it does not mean:
- Your inbox has not been hacked. Nobody read your email. The breach happened at the other company, not at your email provider.
- Your computer is not infected. No scan needed; nothing is "on" your machine because of this.
- You are not being personally targeted. Your address was one row among millions.
What it does mean: the password you used on that site should be treated as public. And every other account where you reused that password just inherited the problem.
Why reused passwords are the real blast radius
The stolen list itself is boring. What criminals do with it is not: they feed those email-and-password pairs into automated tools that try them against hundreds of other services, from banks and email providers to PayPal, Amazon and airline programs. The industry calls it credential stuffing. It costs an attacker almost nothing, and it works for one reason only: people reuse passwords.
So the question that decides whether this breach matters is not "how bad was the breach?" It is: where else did I use that password, or something close to it? "Close to it" counts: "Sunshine2019!" and "Sunshine2024!" are the same password to cracking tools.
Breaches also age like unexploded ordnance. Lists get traded, merged, and re-run for years, which is why a breach from 2019 can produce a takeover attempt in 2026. "That was ages ago" is not protection; if the password is still in service anywhere, it's still live ammunition.
The next hour: triage in the right order
Work through these in order. The order matters because your email account can reset every other password you own.
- Your email account first (10 minutes). If the breached password, or anything resembling it, is also your email password, change your email password now, to something long and new. Then check the settings an intruder touches first: forwarding rules, filters, and recovery contacts. Turn on two-factor authentication if it isn't on. Your email is the master key; secure it before anything else.
- Banking and money second (15 minutes). Bank, PayPal, and anything holding a saved card. Change any that shared the breached password. While you're in each one, glance at recent transactions. If money has actually moved, stop and call your bank on the number printed on your card, not a number from any email.
- The breached site itself (5 minutes). Change that password to something unique, or if you don't use the service any more, close the account entirely. Fewer accounts, smaller future blast radius.
- Everything else that shared the password (rest of the hour). Shopping, streaming, social, forums. Work from memory and from your browser's saved-passwords list, which will show you exactly where that password lurks. Prioritise anything with a card attached or that could impersonate you.
If the breach notice says identity documents were included, passport, driver licence or Medicare, that is a bigger problem than passwords. IDCARE is Australia's identity support service and the right first call; the breached company's notice should also spell out what was exposed.
What to ignore
Expect a wave of opportunistic scams referencing the breach: emails claiming to be the breached company asking you to "verify your account", texts with reset links, even calls. The breach itself told criminals you're a customer, and that makes their phishing more convincing. Go to sites by typing the address yourself; never through a link in a message you didn't ask for. Report scam contact to Scamwatch, and actual account compromise through ReportCyber at cyber.gov.au.
Extortion emails quoting an old password of yours ("we have footage of you, pay in Bitcoin") are running the same play: the password came from a breach list, not from your webcam. Delete them.
Make the next breach a non-event
You can't stop companies losing your data. You can make it not matter:
- A password manager. One strong, unique password per site means a breach at one company burns one password, and it opens nothing else. This single change dissolves the entire credential-stuffing threat.
- Two-factor authentication on email, banking, and anything you'd genuinely miss. Even a correct stolen password then fails on its own. Our 2FA setup guide covers doing this without locking yourself out.
- A breach-notification service so you hear early. Getting these alerts is a good sign: it means you'll know when to act.
- Prune dead accounts when you meet them. Data you've deleted can't leak.
Once that's in place, the next "your email appeared in a breach" alert becomes a two-minute chore: change one password, carry on with your day.
The short version: A breach notification means a company you signed up with leaked its user list. Your inbox wasn't hacked, but the password you used on that site is now public, and criminals will try it everywhere else for years. Spend the next hour on triage in order: email account first, banking second, the breached site, then everything sharing that password. Then move to a password manager and 2FA so future breaches burn one unique password and nothing more.
General guidance only. If money has moved or identity documents were exposed, contact your bank and the official support services directly.