So your data has been leaked. Now what?

Tom Golden

So you've entered your email into haveibeenpwned.com and your information has been compromised.

How do you fix the problem?


Let's be clear - there is now nothing you can do to prevent your already leaked personal data being used by others.

There is no way to prevent already leaked data from being used.

Your intention should now be to reduce the impact of the data that has been released, and prevent future leaks.


This breakdown aims to give you more context on what each type of breached data means for you.

  • Banking data

    Your finances are at major risk. You should immediately close your bank account and open a new one. If this is impossible, at the very least you should change all your banking logins and replace your leaked cards.

  • Dates of birth

    Dates of birth are commonly used to help verify who you are. If this information is leaked, then you can't really do anything, except avoid using services that ask you for your birthdate (where possible). You can also use fake birthdates with most services that require a birthdate for signup but won't check for valid identification.

  • Email addresses, Phone numbers

    Email addresses are the most annoying thing to have exposed, as exposure makes you more likely to be spammed, and they are often used in place of usernames for logins, making some services easier to attack.

    With emails, it is quite easy to fix - new emails can be created quickly and for free - changing it is annoying, but you can use email forwarding during the transition period to a new email address.

    With phone numbers, you may want to get a new number. Make sure to keep the old SIM card (for login verification using your old phone number) and update everyone in your contacts with your new one. Burner numbers may be something to explore.

  • Genders

    Genders are fortunately not used in many methods of identification. An attacker with knowledge of your gender may find it easier to give a passable impersonation on phone calls.

  • Geographic locations, Physical addresses

    Together with banking details, this is probably the information you want breached least. Simply put, if you are an individual who doesn't want to be found by someone in particular (witness/victim of a crime, for example) and this gets leaked, you should relocate. The information is available to anyone determined enough.

  • IP addresses

    An IP address is available to any website you visit. The owner of the website may be able to identify more about who you are by cross-referencing your IP address with other leaked data. An IP can be masked using VPN services.

  • Names

    Names don't make for a great unique identifier (as names are not unique) - meaning they're rarely used in login forms, but are occasionally used when resetting a forgotten password. An attacker with knowledge of your name will find it much easier to give a passable impersonation on phone calls.

  • Passwords

    If your password is available in plaintext, a person will find it much easier to log in to your account. Even if it was leaked in a form that has a special one-way encoding (called a hash), the leak makes it a lot easier to guess your password. If the hacker knows the hash function and the inputs, they can check millions of passwords quickly. Use howsecureismypassword.org to give you an estimate of how long it would take a normal computer to guess it in this (very common) scenario.

    If you use a password that has been sensibly hashed (which it is the majority of the time), and the howsecureismypassword.org website says your password would take 1000+ years to solve, your password is still very safe.

  • Social media profiles

    This allows hackers to immediately have accounts to target for login attacks - a successful attack can also be used to log into other applications that use single sign on with that account (i.e. accounts that you registered using Sign Up With Facebook/Google etc). Facebook Payments may allow a hacker to send your money to them (though only to a friend, so beware of random friend requests).

  • Usernames

    Same as emails, with the exception of being sent spam. A lot of spam is a good sign that your email was leaked, but there's no way to see this with usernames, so using different ones for different services is advisable.
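To make the Passwords item above concrete, this added example (not part of the original post) times one guess against an unsalted SHA-256 hash and against salted PBKDF2 on the machine it runs on, then converts each rate into worst-case years for two keyspaces. The 600,000-iteration work factor, the two keyspaces and all function names are assumptions chosen for illustration.

```python
import hashlib
import os
import time

SALT = os.urandom(16)          # per-user random salt, stored next to the hash
PBKDF2_ITERATIONS = 600_000    # assumed work factor for the "sensibly hashed" case

def fast_hash(candidate):
    # One unsalted SHA-256 call per guess: the cheap case for whoever holds the leak.
    return hashlib.sha256(candidate).digest()

def slow_hash(candidate):
    # Salted PBKDF2-HMAC-SHA256: every guess costs PBKDF2_ITERATIONS rounds.
    return hashlib.pbkdf2_hmac("sha256", candidate, SALT, PBKDF2_ITERATIONS)

def guesses_per_second(hash_one_guess, min_seconds=0.2):
    """Time single guesses on this machine and return guesses per second."""
    count = 0
    start = time.perf_counter()
    while True:
        hash_one_guess(b"candidate-%d" % count)
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count / elapsed

def years_to_exhaust(keyspace, rate):
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return keyspace / rate / (365 * 24 * 3600)

KEYSPACES = {
    "8 lowercase letters": 26 ** 8,
    "4 words from a 7,776-word list": 7776 ** 4,
}

def compare():
    """Return {(keyspace label, scheme): years} using rates measured right now."""
    rates = {"SHA-256": guesses_per_second(fast_hash),
             "PBKDF2": guesses_per_second(slow_hash)}
    return {(label, name): years_to_exhaust(size, rate)
            for label, size in KEYSPACES.items()
            for name, rate in rates.items()}

if __name__ == "__main__":
    for (label, name), years in compare().items():
        print(f"{label:32} {name:8} {years:14.4g} years")
```

Dedicated cracking hardware is far faster than one CPU core running Python, so read the output as a ratio between the two schemes rather than as absolute times.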


Websites will be hacked. It is hard to protect a website from all possible hacks, and there are thousands of websites that can contain our sensitive data. It should be expected that some websites containing our data will be hacked.

The best protection we can have therefore is to ensure that any data we have on a hacked website cannot be used to hack us on other websites.

The way to do this, from highest priority to lowest priority, is to:

  1. Ensure that services holding the most important data use strong passwords not used elsewhere.

At minimum, update the following:

  • Financial services (banks, electronic payment services (e.g. PayPal))
  • Google (contains your entire location history, your address, your work address, your current location, plus much more)
  • Facebook (payments, impersonation, identity fraud)
  • Phone network service provider (incl. any PINs) (to ensure the effectiveness of 2 Factor Authentication, i.e. when you get a text to confirm a login)

An example of a strong password is 4 random dictionary words.

You should check your password's strength at howsecureismypassword.net.

  2. Use a password manager to store and change all passwords to randomly generated passwords. This will help keep logging into things a straightforward process, and remember all your weird random passwords for you.

My personal recommendation is Bitwarden (free); Bitwarden Premium (pretty cheap) tells you when a password has been leaked. https://bitwarden.com

Dashlane is probably the best money-no-object option, but is very expensive. https://www.dashlane.com
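For the "4 random dictionary words" advice in step 1, this added example (not from the original post) picks the words with the operating system's secure random source and reports how many bits of entropy the result has, which depends on the size of the word list as well as the number of words. The 32-word list is constructed so the code runs offline, and every function name is hypothetical.

```python
import math
import secrets

# Constructed 32-word sample list so the block runs offline. A real list
# (for example a 7,776-word diceware list) would be loaded from a file.
SAMPLE_WORDS = """apple anchor basket candle copper desert eagle ember
fabric garden harbor island jacket kettle ladder lantern marble meadow
needle orange pencil pepper quartz rabbit saddle silver timber tunnel
umbrella velvet walnut window""".split()

def clean_wordlist(words):
    """Lower-case, strip and de-duplicate; duplicates would overstate entropy."""
    unique = sorted({w.strip().lower() for w in words if w.strip()})
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    return unique

def entropy_bits(list_size, word_count):
    """Bits of entropy when each word is drawn uniformly and independently."""
    return word_count * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(words, word_count=4, separator=" "):
    """Pick words with the OS CSPRNG (secrets), never the `random` module."""
    wordlist = clean_wordlist(words)
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(f"32-word list, 4 words:    {entropy_bits(32, 4):.1f} bits")
    print(f"7,776-word list, 4 words: {entropy_bits(7776, 4):.1f} bits")
    print(f"words for 64 bits from 7,776: {words_needed(7776, 64)}")
```

Four words from the 32-word sample list give only 20 bits, while four from a 7,776-word list give about 51.7 bits, so use a large list for real passphrases.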

