What to Do After a Data Breach
Discovering that your data has appeared in a breach can be disorienting. Whether you are an individual who received a breach notification or an organization that identified exposed credentials during a routine scan, the response process follows the same structured logic: contain, assess, remediate, and monitor.
The first hours after discovery are the most critical. Credentials exposed in a breach are often tested against other services almost immediately. Automated tools cycle through stolen username-password combinations at scale, and the window between exposure and exploitation continues to narrow.
Immediate Containment
Begin with the affected accounts. Change the password on every account that used the compromised credentials, and on any account where the same password was reused; each of those must be treated as potentially compromised. Changing a password does not always end sessions that were already established with it, so where the service offers it, sign out all active sessions and revoke application-specific passwords and third-party app authorizations. Enable multi-factor authentication on every account that supports it, prioritizing email, financial services, and any system that stores personal or business data.
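One check worth building into the password-reset step, given here as an added example and not as anything from the original article: confirm that the replacement password is not itself in a known breached-password corpus, without sending the password anywhere. The k-anonymity range lookup exposed by the Pwned Passwords service makes this possible (a real endpoint: GET https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password's SHA-1, which returns the 35-character suffixes in that range with hit counts). The range response below is constructed and served from a dict so the code runs offline; the live-lookup function is included for reference but is never called, and the minimum-length rule is my own assumption.

```python
"""Privacy-preserving breached-password check using the k-anonymity range
protocol: only a 5-hex-character SHA-1 prefix ever leaves the machine, and the
suffix comparison happens locally. Added example; FAKE_RANGES is constructed."""
import hashlib
import urllib.request

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its range
# prefix is 5BAA6. Constructed response: two made-up suffixes plus the real
# suffix for "password", in the SUFFIX:COUNT line format the service uses.
FAKE_RANGES = {
    "5BAA6": "0010F3B9E0E1B6FA4B7F1F0C4D8E2A9B7C6:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "FFA2E3D4C5B6A798877665544332211000F:1\r\n",
}


def sha1_range(password):
    """Split the upper-case hex SHA-1 into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix):
    """Real lookup against the Pwned Passwords range API (not exercised here)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-response-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix):
    """Offline stand-in for fetch_range_live backed by the constructed data."""
    return FAKE_RANGES.get(prefix, "")


def breach_count(password, fetch_range=fetch_range_offline):
    """Return how often the password appears in the corpus (0 if never seen)."""
    prefix, suffix = sha1_range(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def acceptable(password, fetch_range=fetch_range_offline, min_len=12):
    """Assumed policy: long enough and never seen in a breach corpus."""
    return len(password) >= min_len and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={acceptable(pw)}")
```

Swap `fetch_range_live` in for `fetch_range_offline` to query the real service; the password itself is still never transmitted, only the five-character prefix.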
For organizations, this extends to corporate systems. If employee credentials appeared in a breach, review VPN access logs, cloud service activity, and mailbox inbox rules. Threat actors frequently establish persistence before the original password is changed by creating mail forwarding or redirect rules, registering their own MFA device or recovery method, or granting consent to an OAuth application. A password reset removes none of these, so each must be reviewed and revoked separately.
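The inbox-rule review above can be automated over an exported rule list. The following is an added example, not code from the original page: it flags rules that forward or redirect outside the organization, silently delete matching mail, hide behind a blank or default name, or key on finance- or credential-related subjects. The field names are loosely modelled on what Exchange Online's Get-InboxRule returns but should be treated as an assumption rather than an exact schema, the trusted-domain list is an assumption, and the rules are constructed sample data.

```python
"""Triage exported mailbox inbox rules for attacker persistence patterns.
Added example; SAMPLE_RULES is constructed and the field names are assumed."""
import re

# Assumption: the organisation's own mail domain(s); anything else is external.
TRUSTED_DOMAINS = {"example.com"}

# Blank or punctuation-only names, or Outlook-style default "Rule 1" names.
MINIMAL_NAME = re.compile(r"^(?:[\s.,;:_\-]*|rule\s*\d*)$", re.IGNORECASE)

# Subject keywords commonly used to intercept invoices or password resets.
SENSITIVE_TERMS = {"invoice", "payment", "wire", "bank", "password", "verification"}

SAMPLE_RULES = [  # constructed sample export
    {"MailboxOwnerId": "a.smith@example.com", "Name": "Archive newsletters",
     "Enabled": True, "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "SubjectContainsWords": ["newsletter"]},
    {"MailboxOwnerId": "b.jones@example.com", "Name": ".",
     "Enabled": True, "ForwardTo": ["bjones.backup@gmail.example"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": True, "SubjectContainsWords": ["invoice", "payment"]},
    {"MailboxOwnerId": "c.lee@example.com", "Name": "To assistant",
     "Enabled": True, "ForwardTo": ["assistant@example.com"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "SubjectContainsWords": []},
    {"MailboxOwnerId": "d.kim@example.com", "Name": "Old rule",
     "Enabled": False, "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["d.kim@outlook.example"],
     "DeleteMessage": False, "SubjectContainsWords": []},
]


def external_targets(rule):
    """Return every forward/redirect target whose domain is not trusted."""
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS]


def triage_rule(rule):
    """Return the reasons this rule deserves a human look (empty list if none)."""
    reasons = []
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards or redirects to external address: " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages (hides them from the owner)")
    if MINIMAL_NAME.match(rule.get("Name", "")):
        reasons.append("blank or default rule name")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])}
    hits = sorted(words & SENSITIVE_TERMS)
    if hits:
        reasons.append("filters on sensitive subject terms: " + ", ".join(hits))
    return reasons


def triage(rules):
    """Flag every rule with at least one reason, most reasons first.
    Disabled rules are kept: an attacker can re-enable them later."""
    findings = []
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            findings.append({"mailbox": rule["MailboxOwnerId"], "name": rule["Name"],
                             "enabled": rule.get("Enabled", True), "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RULES):
        state = "enabled" if f["enabled"] else "DISABLED"
        print(f"{f['mailbox']} rule {f['name']!r} ({state}):")
        for reason in f["reasons"]:
            print("  -", reason)
```

Internal forwards (the assistant rule) are deliberately not flagged; tightening that is a policy decision, not a detection one. The disabled redirect rule is still reported because disabling is not removal.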
Assessment
Determine the scope of the breach. Identify which service was compromised, what data types were included, and when the breach occurred. A credential exposure event that includes only email addresses and hashed passwords carries different risk than one that includes plaintext passwords, security questions, or financial information. Hashed passwords are not automatically safe, however: an unsalted fast hash such as MD5 or SHA-1 can be cracked for most human-chosen passwords within hours, and a slow, salted algorithm such as bcrypt buys time but does not protect weak passwords. Treat a hashed-password exposure as a password exposure unless the algorithm and the password's strength both justify otherwise.
For businesses, conduct a domain-level exposure check to understand the full scope. A single breach notification may only reveal part of the picture. Multiple employees may be affected, and the organization's domain may appear in breach datasets beyond the one that triggered the initial discovery.
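The assessment described in the last two paragraphs, scoping by data type and by domain, can be reduced to a small aggregation over breach records. The following is an added example, not code or output from the original page or any breach-monitoring service: the record shape and the data-class risk tiers are my own assumptions, and the records are constructed. Given the breach that triggered the investigation, it reports how many accounts on the domain are affected, which other breaches they appear in, and which accounts to reset first.

```python
"""Aggregate breach records for one mail domain and rank affected accounts by
the worst data class exposed. Added example; BREACH_RECORDS is constructed and
the tier table is an assumption about relative risk."""
from collections import defaultdict

# Higher tier = more directly usable for account takeover or fraud (assumption).
DATA_CLASS_TIER = {
    "email": 1,
    "password_bcrypt": 2,        # slow, salted: buys time, weak passwords still fall
    "password_sha1": 3,          # unsalted fast hash: most passwords cracked quickly
    "security_questions": 3,
    "password_plaintext": 4,
    "financial": 4,
}
RESET_THRESHOLD = 3  # accounts at or above this tier are reset first

BREACH_RECORDS = [  # constructed sample; note the mixed-case email on purpose
    {"email": "a.smith@example.com", "breach": "ShopSite2021", "date": "2021-03-04",
     "data": ["email", "password_bcrypt"]},
    {"email": "A.Smith@example.com", "breach": "ForumDump2023", "date": "2023-09-17",
     "data": ["email", "password_plaintext"]},
    {"email": "b.jones@example.com", "breach": "ShopSite2021", "date": "2021-03-04",
     "data": ["email", "password_bcrypt"]},
    {"email": "b.jones@example.com", "breach": "Combo2024", "date": "2024-01-02",
     "data": ["email", "password_sha1", "security_questions"]},
    {"email": "c.lee@example.com", "breach": "Newsletter2022", "date": "2022-06-30",
     "data": ["email"]},
    {"email": "x@other.example", "breach": "ShopSite2021", "date": "2021-03-04",
     "data": ["email", "password_bcrypt"]},
]


def record_tier(record):
    """Worst tier among the data classes in one record; unknown classes count 0."""
    return max(DATA_CLASS_TIER.get(d, 0) for d in record["data"])


def assess_domain(records, domain, triggering_breach=None):
    """Summarise exposure for one domain (case-insensitive on domain and mailbox)."""
    domain = domain.lower()
    per_account = defaultdict(list)
    for r in records:
        email = r["email"].lower()
        if email.rsplit("@", 1)[-1] == domain:
            per_account[email].append(r)

    accounts = {}
    for email, recs in per_account.items():
        accounts[email] = {
            "breaches": sorted({r["breach"] for r in recs}),
            "worst_tier": max(record_tier(r) for r in recs),
            "latest": max(r["date"] for r in recs),
        }
    all_breaches = sorted({b for a in accounts.values() for b in a["breaches"]})
    return {
        "domain": domain,
        "accounts_affected": len(accounts),
        "breaches_seen": all_breaches,
        "beyond_trigger": [b for b in all_breaches if b != triggering_breach],
        "reset_first": sorted(e for e, a in accounts.items()
                              if a["worst_tier"] >= RESET_THRESHOLD),
        "accounts": accounts,
    }


if __name__ == "__main__":
    summary = assess_domain(BREACH_RECORDS, "example.com", triggering_breach="ShopSite2021")
    print(f"{summary['accounts_affected']} accounts on {summary['domain']} affected")
    print("breaches beyond the trigger:", ", ".join(summary["beyond_trigger"]))
    print("reset first:", ", ".join(summary["reset_first"]))
    for email, info in sorted(summary["accounts"].items()):
        print(f"  {email}: tier {info['worst_tier']}, latest {info['latest']}, "
              f"in {', '.join(info['breaches'])}")
```

Feeding this the output of a real domain scan only requires mapping that service's data-class names onto the tier table; the point of the example is that a single notification (ShopSite2021 here) understates the picture until the domain is checked as a whole.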
Regulatory Considerations
Organizations in Canada subject to PIPEDA must report to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible when a breach of security safeguards creates a real risk of significant harm to individuals, and must keep a record of every breach of security safeguards, reportable or not, for 24 months. In the United States, breach notification requirements are set at the state level: every state has enacted legislation requiring notification within specific timeframes, and the definitions of covered personal information and the deadlines differ from state to state.
Document every action taken from the point of discovery. This record serves both as evidence of due diligence and as the basis for any required regulatory reporting. Include timestamps, the personnel involved, and the specific remediation steps completed.
Long-Term Monitoring
A single breach response is not the end of the process. Breach data is redistributed, combined with other datasets, and resurfaces over time. Credentials exposed in an incident today may appear in new compilations months or years later. Continuous monitoring provides ongoing visibility into whether your data appears in newly disclosed breaches or aggregated datasets.
Establishing a monitoring program shifts the organization from reactive to proactive. Rather than learning about exposure through incident reports or customer complaints, continuous monitoring surfaces new exposures as they are indexed, so that passwords can be reset and sessions revoked before, or at least soon after, the credentials are used against you.
Frequently Asked Questions
What are the first steps after discovering a data breach?
Change all passwords associated with the breached service immediately and sign out any active sessions. Enable multi-factor authentication on critical accounts. Check whether the same credentials were reused on other services and update those as well. Review recent account activity, mail forwarding rules, and registered authentication methods for signs of unauthorized access.
How do I know if my data was in a breach?
You may receive a notification from the breached service, discover your email in a breach database through an exposure scan, or notice unauthorized activity on your accounts. Domain-level scans can identify whether any credentials associated with your organization have appeared in known breach datasets.
Should I notify customers after a data breach?
In Canada, PIPEDA requires organizations to notify affected individuals and the Privacy Commissioner when a breach of security safeguards creates a real risk of significant harm. In the United States, notification requirements vary by state. Consult applicable legislation and legal counsel to determine your obligations.
How long does data breach recovery take?
Immediate containment actions such as password resets and access revocation can be completed within hours. A full assessment of exposure scope, remediation of affected systems, and implementation of preventive controls typically takes several weeks. Ongoing monitoring should continue indefinitely.